The way we work is changing. We are more mobile. We want immediacy. Email can be too slow. Increasingly, employees are turning to Instant Messaging apps to facilitate corporate communication, be it to liaise with clients, plan meetings or discuss work with colleagues. There are some clear benefits. Communicating through IM is much quicker than writing a formal email. And apps are usually free to use because they rely on data network services as opposed to costly SMS. There is, however, a downside, writes Thomas Fischer, pictured, threat researcher and security advocate at Digital Guardian, a data security software firm.
Despite these productivity benefits, IM apps pose a risk to corporate data security that is often overlooked or – in some cases – sacrificed for the sake of productivity. IM apps have made the headlines this year – often for the wrong reasons. In March, the app used by White House staff – Confide – hit the headlines when it was detailed that the app contained bugs that allowed snooping. There have also been multiple stories about security concerns relating to WhatsApp and Telegram.
It’s not surprising, when security teams are under so much pressure, that the threats from IM get overlooked. Let’s examine exactly how the IM threat maps out.
Third party risk
First, let’s look at the likelihood of a third party intercepting sensitive business messages within popular IM apps. On the one hand, the company behind WhatsApp’s end-to-end encryption has vehemently denied claims of a backdoor, but both Telegram and Confide definitely are susceptible to interception of messages – not just through encryption backdoors but through metadata as well.
Let’s say it was possible to backdoor or break the encryption protocol for one of these apps. Government agencies, competitors or malicious parties would be able to infiltrate and gather valuable data into a company’s business activities. The metadata aspect is also very concerning as it gives away information about when, who and where the messaging is occurring – all information that could be highly valuable in the wrong hands.
Whether metadata is used to identify business activities or the communications are intercepted using a man-in-the-middle attack, the risk is the same – in both cases, important information or data could be divulged.
This is possibly the biggest risk to organisations, as messaging apps can become an unmonitored mechanism for a malicious insider to leak sensitive data. The user could copy email text, capture screenshots of file attachments and exfiltrate them via IM. Some of the voice sharing features could even be used to record and transmit meetings. Stopping this threat is tricky; file transfer over IM is usually beyond the tracing capabilities of the IT department. The lack of search and filtering capabilities and archiving makes it difficult to discover potential breaches of policy, and even harder to hold an individual accountable. Many IM services offer end-to-end encryption, further limiting the ability for IT teams to track and trace data movements.
The IM risk extends beyond data leakage. There are a number of regulatory and legal issues surrounding IM. Information that leaves an organisation without the knowledge and control of the IT department has serious implications from a record-keeping standpoint.
Regulators are interested in sensitive data, regardless of the communication channel via which this data is distributed. IT teams therefore must be able to monitor, capture and keep record of corporate information within these services. This is difficult because IM apps encrypt data end-to-end. Moreover, IT teams may not even know an IM app is being used in the first place. For certain types of data, even the act of sharing via IM could be a violation of the GDPR and other privacy guidelines.
Prohibiting IM is not a solution. Employees like the speed, efficiency and collaborative nature of these channels. IT teams must therefore find a way to allow employees to use these apps, without compromising data security. There are a few ways to do this:
– Best Practices: The proliferation of smartphone usage means that it’s already a challenge for IT teams to control how corporate data is shared by employees. It’s critical that IT teams teach their employees IM best practices. But this isn’t enough – these best practices need to be backed up by effective technology.
– Boundaries: Corporate phones should be managed with a solution such as MDM or MAM. Rules should be put in place on these devices, such as limiting which apps can be installed or controlling the use of the apps when the user is at certain locations, including turning off microphones and cameras.
– Corporate IM Apps: Some vendors are starting to provide ‘corporate versions’ of their solutions (e.g. Slack Enterprise) that could help meet employee messaging needs whilst helping IT teams take back control.
There’s no doubt that IM apps can be a valuable corporate communications tool but if they are not managed effectively they could become a data security nightmare. To achieve data security, IM apps must be monitored consistently, user policies created and enforced and effective technology deployed as back up.