April 28, 2023

How Notion, Zoom and Dropbox's GTM strategy is increasing your attack surface


How are Zoom, Dropbox and Notion impacting your security?

You might first think of these companies as places for sensitive data to reside or leak. You’d be right, but they’ve had a much larger impact than just that. 

When we think of the likes of Dropbox and Notion, they are the big dogs. The trend setters. The ones we follow. The ones we want to become. 

Most people in their roles, whether it's CEO, Head of Marketing, Customer Success Manager, outbound sales rep or Senior Engineer, look at what these companies are doing, and copy.

So what does this mean for security? 

One of the big trends in recent years has been the shift in Go To Market (GTM) for companies like Notion & Dropbox. 10 years ago we'd have teams of inside sales reps hitting the phones, booking meetings and selling directly to businesses.

That was until PLG started getting thrown around. PLG, for those who don't know, stands for Product Led Growth. The idea of PLG is that a company focuses on user acquisition, expansion, conversion, and retention.

As businesses, they move from tracking the number of cold calls to the number of free sign-ups.

This is where you are impacted as a security professional

The mammoth shift in GTM strategy from trendsetters like Notion and Dropbox trickles down to other businesses. Whether that’s brand new startups with a spring in their step, or beaten up scaleups that are on the cusp of running out of money because they raised at too big of a valuation in 2021 (eek). 

The point is, these companies are targeting your employees and are desperate for them to use their freemium tier. Long gone are the days where employees had to go through procurement to get their hands on a product. 

Two clicks via social login and boom, their account is created. Those two clicks are a magical, low-friction way for employees to start using a new product.

A new product that might help them hit their KPIs, or save them 2 hours a day, or get them that promotion by Christmas so they can finally get that flat which they couldn't afford due to rising interest rates.

Trends like bottom-up, PLG or freemium (whatever we want to call the concoction) dramatically change the game for security teams. And as we all know, 80% of breaches are down to human error, and the majority of these have no malice, just people making mistakes or rushing through things. 

So what can you do? 

1. Get visibility into what’s going on!

You can’t secure things you don’t know about (cliche I know). The first thing to do is get visibility into the types of tools employees are using. Map out the known applications vs the unknowns. This will give you a picture of where you need to focus, what due diligence you might need to do and much more!

2. Understand authentication being used

Find out how employees are signing up to these apps. Is it email + password, or is it social login (thanks "Sign in with Google")? Understanding the user behaviour and the level of awareness your employees have of things like authentication will give you a starting point.

3. Understand app access to data

How many apps can read your emails, calendar, files or Slack messages? These are metrics you need to understand. Have you got 1-man-band tools that don't care about their security sitting there with intrusive access?

4. Update internal policies & educate

Get together with other folks in the business. Each business is different and striking the balance between security and productivity is an important one. Understand your risk appetite to this and re-write your associated policies to reflect this. Don’t stop there, get on a company wide call and communicate this to employees, helping them understand the “why” behind these decisions.

5. Wrap technology around your policies

We can educate as much as we want. The reality is, policy enforcement with tech is often needed. Use something like Ploy and our workflows to receive alerts on high-risk account creations, and to automatically survey employees via Slack to understand the data being shared.
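As an added example (not Ploy's product or code, and not part of the original post), here is a small Python inventory that covers steps 1 to 3 over a constructed export of third-party app grants: it maps each app to the users who signed up, how they signed up, and which of email, calendar or files its granted scopes can reach, then flags unsanctioned apps that hold such access. The scope URIs are real Google OAuth scopes; the app names, users and the sanctioned-app list are constructed, and a real identity provider's export will need its own column mapping.

```python
from collections import defaultdict

# Real Google OAuth scope URIs mapped to the data classes step 3 asks about.
# Extend this table with Microsoft/Slack scopes for those identity providers.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "email",
    "https://www.googleapis.com/auth/gmail.readonly": "email",
    "https://www.googleapis.com/auth/calendar": "calendar",
    "https://www.googleapis.com/auth/drive": "files",
}

# Constructed sample grants: (user, app, how the account was created, scopes).
# Users and app names are made up; in practice export these from your IdP.
SAMPLE_GRANTS = [
    ("alice@example.com", "Notion", "social_login",
     ["openid", "email", "profile"]),
    ("alice@example.com", "WhizPlanner", "social_login",
     ["openid", "https://www.googleapis.com/auth/calendar",
      "https://www.googleapis.com/auth/gmail.readonly"]),
    ("bob@example.com", "WhizPlanner", "social_login",
     ["openid", "https://www.googleapis.com/auth/drive"]),
    ("bob@example.com", "Dropbox", "email_password", []),
]

# Apps that went through procurement / due diligence (constructed list).
SANCTIONED_APPS = {"Notion", "Dropbox", "Zoom"}

def data_classes(scopes):
    """Map granted scopes to the sensitive data classes they can reach."""
    return {SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES}

def inventory(grants):
    """Per-app summary: who uses it, how they signed up, what data it can read."""
    apps = defaultdict(lambda: {"users": set(), "auth": set(), "data": set()})
    for user, app, auth, scopes in grants:
        apps[app]["users"].add(user)
        apps[app]["auth"].add(auth)
        apps[app]["data"] |= data_classes(scopes)
    return dict(apps)

def high_risk(grants, sanctioned=SANCTIONED_APPS):
    """Unsanctioned apps that can read email, calendar or files, widest
    data reach (then most users) first, so you know where to focus."""
    inv = inventory(grants)
    flagged = [(app, info) for app, info in inv.items()
               if app not in sanctioned and info["data"]]
    return sorted(flagged, key=lambda x: (-len(x[1]["data"]), -len(x[1]["users"])))
```

Calling `high_risk(SAMPLE_GRANTS)` on the constructed data returns only WhizPlanner, with two users and read access to all three data classes, while the sanctioned Notion and Dropbox sign-ups are left out of the list.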

Interested in finding out how Ploy could help you tackle this trend? Book some time with us.

Jacob Prime

CEO and Co-founder