Maksim Kabakou - Fotolia
It is important to remember that employees typically use messaging apps in a corporate environment to perform a work-related task in a manner that they feel is the most efficient; they are not deliberating flaunting company policy.
Processes implemented to manage the use of apps need to find a balance between supporting this objective while ensuring that smartphone messaging is not compromising organisational security or being used inappropriately to make important decisions that need to be evidenced more formally.
Being too permissive may introduce intolerable risk to the corporate environment. Overly restrictive policies will probably lead to employees finding ways to circumvent them using devices or apps that are further out of corporate control.
Achieving this requires consideration of ensuring that: only trusted apps are used for work, encryption is in place as standard, a mobile device management (MDM) system is enforcing the company’s security policy on devices connecting to the network, and employees are educated and aware of the risks to the company.
Organisations need to do their due diligence to ensure that only trusted apps are used for work purposes, and that each one has the right level of security for company use.
Keeping a central register of approved apps, and ensuring this is communicated to employees, reduces the chance that people will go off piste by providing a tool that meets their current needs.
It is also important to take into account the speed at which new apps are developed and provide an easy route for employees to suggest additions to the register.
A standard checklist and policy to govern what security requirements a trusted app needs to meet is also required. The prospective app can then be tested against this standard much more quickly and, if appropriate, ratified for use in the organisation in a timely manner.
Enterprises can also decide to invest in a messaging app, such as Skype for Business, to decrease the likelihood of potentially non-secure tools being used.
Whether choosing a messaging app for use company-wide, or approving apps for the central register, businesses need to consider those that are compliant with many different requirements.
This includes internal policies, local and country legislation, the European Union’s General Data Protection Regulation (GDPR), as well as the ePrivacy regulation that is being introduced in the near future.
It is now commonplace for messaging apps to provide end-to-end encryption, which ensures that information sent by the company’s employees is not read by third parties.
However, as well as checking it is in place, it is worth noting that it is not necessarily switched on as standard, so users need to actively choose to send messages with this level of security.
It is also important to confirm that the preferred level of (strong) encryption is legal in the country in which it is to be used. Where this down to user choice, organisations will need to have additional controls in place to ensure that this behaviour is being monitored.
Mobile device management
Bring your own device (BYOD) is still a popular option because it allows employees to use the device with which they are most comfortable. However, it is also risky because the organisation has very little control over the apps installed and used.
An MDM manages this situation by segregating work and personal communications and ensuring only pre-approved apps, which can then be managed centrally (for example, disabled if the phone is lost or stolen), are used for the former.
Similarly, MDM allows central management of apps on devices that are corporately owned but enabled for some personal use, as well as those that are for business use only.
MDM offers many other security-related benefits, such as two-factor authentication and an auditable conversation history.
Education and testing
Technical solutions prevent jailbreaking, but this ignores the critical human factor in handling data and communications for business. Managing this risk centres around the education of users about their responsibilities.
Organisations can reinforce their employees’ understanding about the risks around using messaging apps with routine testing to identify areas of weakness, which can then be addressed.
Setting up internal, but controlled “phishing scams” and training programmes to assess employee response and knowledge, for example, can provide more control than technical implementation of measures, especially where personal devices – which the enterprise cannot fully control – are in use.
Messaging apps are one of the many areas where the line between consumer and corporate use has blurred. This means they need micro-management to ensure that the benefits in efficiency and productivity they enable are not over-shadowed by data being compromised.