
Security Think Tank: Educate, enforce policy and monitor to ensure messaging security

What criteria should organisations use to assess the security of smartphone messaging apps, and how can they ensure only approved apps are used by employees?

In the recent past, the laptop computer and mobile phone were the domain of a company's road warrior. The advent of residential always-on broadband in the late 1990s and early 2000s meant that remote access to a company's IT facilities started to filter out into the wider workforce. Mobile data arrived in the mid to late '90s, along with early smartphones.

Business users started to adopt smartphone technology soon after the launch of 3G in 2003, and with the launch of 4G in 2012/2013 smartphone usage really took hold amongst the general population.

With the improvements in smartphone technology, coupled with firms adopting a bring your own device (BYOD) or choose your own device (CYOD) policy, there has been an explosion in business usage. Originally, such usage was limited to email, but it now includes productivity apps that can reach into and interact with an organisation's core IT.

The explosion in smartphone ownership, together with fairly ubiquitous 3G/4G coverage (though those in rural areas would disagree), has fuelled the growth in social media (Twitter, Facebook, LinkedIn, Pinterest, Google+ etc.).

Social media apps are user friendly and have led the way for social media to replace, for the most part, both voice and email for personal use. This familiarity has naturally started to influence the way people conduct business.

The question, then, is whether you would conduct business by exchanging written plain-text messages on a public notice board. For anything other than advertising, the answer is probably no, and therein lies the rub. Social media is not one-to-one, nor is it (generally) under the control of an employee's company, particularly where BYOD is in place.

How does an organisation get to grips with the security issues associated with messaging and social media apps? Irrespective of whether those apps are installed on a company-owned or personally owned smartphone, the answer is a combination of clauses in staff contracts making the posting of company information a disciplinary offence, and education to back up the message that social media must not be used for company business. Random audits of social media should also be conducted to identify whether any company information has been posted and, if so, by whom.

Where a smartphone is company-provided, social media and other "personal" apps should be installed in a separate partition of the smartphone that is securely separated from the "corporate" environment. Apps that provide this smartphone partitioning include Divide for iPhone and Android-based devices.

It is recommended that partitioning be a requirement for allowing the use of personally owned devices (BYOD) where there is to be access to corporate services such as email. I also recommend that any smartphone (corporate or BYOD) that has access to company systems and services (including email) should be under company control, so that if the device is lost, the data on it can be remotely wiped.

Can an organisation employ social media type apps for business use?

Yes, and there are a number of enterprise-specific apps available that provide messaging and often other facilities, but be aware that some platforms might not support, or might not fully support, all smartphone devices.

A small selection of the available apps includes Tibbr from Tibco, Jive, Yammer and SocialCast from VMware. Again, I recommend that the same security measures outlined above be followed.
