Security Think Tank: Encourage employees to use an approved messaging app

What criteria should organisations use to assess the security of smartphone messaging apps and how can they ensure only approved apps are used by employees?

Facebook has two billion active users. WhatsApp has more than a billion. WeChat in China has about a billion, Snapchat has nearly 200 million, Skype has just under 100 million and Telegram has more than 50 million. And there are many smaller chat apps, such as Signal, Slack, Hangouts, Send, Line and Kik. Different countries prefer different apps, as do different generations, but the messaging app is ubiquitous – and it is here to stay.

So what does that mean to your organisation? It means that your well-protected perimeter, your security gates and your secure connections to your suppliers and customers can all be subverted by a device that all your employees have in their pockets. They can photograph documents, record meetings and send confidential data to contacts anywhere in the world without restrictions and with no fear of detection.

So how do you ensure they don’t present a risk to your business? For high-risk environments where sensitive customer or financial data is accessible to employees, such as call centres or trading floors, it is not unusual to ban the use of mobile devices during working hours, with staff storing them in lockers before their shift. Bag searches to ensure staff don’t bring in notepads and pens or try to smuggle out printed copy are also common practice in some organisations.

Although a number of apps now provide end-to-end encryption, which secures the communication itself, from an employer’s perspective you generally do not want to provide a channel that subverts your data leakage prevention or surveillance tools. In fact, you may have a regulatory requirement to prevent the possibility of such a channel existing.

So while this may sound counter-intuitive, you need to look at apps that allow you access to the channel. This is usually carried out through a mechanism whereby each user connects securely to a gateway or proxy server, which then encrypts the communication to the endpoint. This proxy is where monitoring, logging and surveillance can take place.

Provisioning an app on corporate devices is relatively straightforward, and mobile device management (MDM) systems exist for all the common platforms used today to control the apps installed and prevent the use of unapproved apps. These enforce not only install permissions, but also connections, the copying of data from one app to another, the saving of screenshots, and so on, so are an essential part of any enterprise control portfolio for mobile devices.

And as long as you only allow your staff to use your corporate-approved messaging app, the problem is solved – right?

A few organisations allow a corporate device while banning staff-owned devices, but it is much more common for staff to bring their own devices in addition to corporate devices; in mature bring your own device (BYOD) environments, staff-owned devices may be the norm. Think about any meeting in your office – are there more mobile devices, tablets and phones than people round the table? What control does the company have over those?

MDM systems exist for non-corporate devices as well, and can successfully segregate business channels (email, in-house messaging, calendar, browser, and so on) from personal channels. A messaging app within the managed container provides a channel that can be monitored and logged in the same manner as a corporate device.

However, if an individual wants to communicate privately, whether they just want a personal chat with a friend or are a rogue employee stealing intellectual property, the chances are they will use their preferred messaging app installed on the phone outside the MDM container and you have no technical control over that.

There are really only a few mechanisms to encourage usage. The simplest technically, but also the most disruptive, is to block all unapproved connections. This requires not just a set of access controls on the wireless network at your premises, but also the blocking of any non-corporate phone signals. This is not an ideal solution for many reasons, but for some environments it may be necessary.

Secondly, a policy statement requiring that all work-related communication be carried out through the corporate messaging app puts this into the area of staff conduct, which will encourage those who are not actively trying to subvert controls to use the approved app.

Finally, and often the most underrated aspect, I would recommend that organisations ensure the app meets the needs of their user base, which may not be exactly in line with the main aims of the security team. In fact, one of the best ways to ensure uptake of your in-house messaging app is to find out what your staff want. Without acceptance from them, they will most likely stick to their preferred app.

So you had better look at whether your app supports customisable emojis, threaded chat, or integration with YouTube or other applications in order to boost your security around messaging channels. And who would have expected that?