Traditional email and voice calls in business have been supplanted by an explosion of popular, easy-to-use messaging apps. WhatsApp, Telegram, Send, Line and other apps all offer free text messaging, not to mention the options for voice, video and file sharing with other users.
The finding by 451 Research that messaging apps are more popular than email and voice calls opens up a whole raft of questions for organisations from a security point of view. Here is a list of a few that all security managers should be asking with regard to messaging apps:
- What messaging apps are being used in the organisation?
- What information is being communicated using messaging apps?
- Where is information processed by the messaging apps stored?
- Does the messaging app retain any rights to the information being communicated?
- Do the messaging apps being used have any security controls?
- Does any company information traverse international boundaries and are you in breach of any laws (Data Protection Act and General Data Protection Regulation)?
- What devices are staff using to access these messaging apps?
- Is company data being processed on uncontrolled personal devices? If so, who has access to these devices and the information communicated?
- Does the messaging app provider have access to communicated data?
This is not an exhaustive list, but it demonstrates that unless properly controlled, staff using messaging apps for business purposes could be opening up the organisation to new uncontrolled risks.
What criteria should organisations use to assess the security of smartphone messaging apps and how can they ensure that only approved apps are used by employees?
First and foremost, an organisation should identify what information it is willing to allow to be communicated using messaging apps. This should be a risk-based decision ensuring that all the risks have been identified and measured, so an informed business decision can be made.
Now for the important part. Once this decision has been made, it needs to be communicated effectively to all staff and reinforced regularly to ensure all employees are aware and understand why the decision has been made.
In my experience, keeping staff informed of decisions and the reasons behind them is a more effective method of changing the culture of an organisation. Here is an example of what to say: “The organisation has made the decision to not use messaging apps for the communication of personal information because many messaging apps store information offshore, which could cause the organisation to be in breach of the UK Data Protection Act.”
Once an organisation has decided what information it is willing to allow to be communicated using messaging apps, it needs to decide which messaging apps to use. The following security controls are recommended for consideration:
- End-to-end encryption?
- The ability to verify who you are communicating with?
- Security of communication history?
- Is the messaging app’s code open for external review?
- Has the code been audited?
- Is the security design well-documented?
The next step is then to decide how staff should interact with the messaging app. This should also be a risk-based decision to ensure all the risks have been identified and measured, so that an informed business decision can be made.
Depending on the level of risk an organisation wants to take, it may wish to allow staff to access the messaging app only via company-issued mobile devices that are controlled using mobile device management software to reduce the risk of the device, and the information contained within it, being compromised. Alternatively, business operations may dictate that staff may use their own personal devices and accept the risk of company data being processed on uncontrolled devices.
In all cases, it is vital to support this with policy and procedure that is properly and effectively communicated from the top down to all staff, informing them of decisions and the reasons behind those decisions. By doing so, the organisation will have the best chance of achieving the objective of ensuring the use of messaging apps for business purposes is carried out in a manner aligned with the organisation’s risk tolerance.