Yet Another Security Headache, This Time From Messaging Apps

It seems every week, a new security frontier must be navigated. On the device level, servers were the main threat at first, then PCs, laptops, tablets, and phones. But the bad actors have moved on; now it seems they are in love with messaging apps such as WhatsApp, Signal, and Telegram.

The pandemic has seen a rise in remote enterprise workers using these apps. Many companies have tried to tie employee interaction to approved channels, such as Microsoft Teams. But just as many failed to achieve that. As a result, a large number of users prefer consumer-level messaging apps for keeping the boss updated or interacting with peers.

Blurring the Lines

Remote work’s way of blurring the lines between personal and professional time doesn’t help. If people use WhatsApp to stay in touch with family and friends, for example, you can see why many introduce it into their work-from-home life. Corporate dictates may demand otherwise, but users want an easy-to-use communication channel.

Further, corporate monitoring moved up to a whole new level during the pandemic. Companies began tracking user logins, keystrokes, time active on devices, websites visited, and other metrics. This created resentment and suspicion in users.

The Shadow IT of Messaging Apps

Alternate channels are sometimes used to avoid management scrutiny, or just to stick it to Big Brother. In creeps a shadow IT of additional messaging channels. Unfortunately, this expands the attack surface of the enterprise and thus increases the risk of data loss, ransomware, and other security threats.

“Attempting to solve a market demand for communications has led to a range of quickly launched apps that are not business- or enterprise-ready, with many having poor uptime and availability, and suffering from lack of inbuilt security, stability, and basic feature sets,” said Nick Emanuel, Senior Director of Product for Carbonite and Webroot. “Secure messaging protocols are often used by cyber attackers to hide data exfiltration, making it much harder for the company to identify that they are being attacked.”

He added that consumer-level messaging apps may include privacy policies that can run afoul of corporate and regulatory provisions. Thus, end-to-end encryption is recommended for any communications utilizing messaging apps in order to prevent interception during transit.

End-to-End Encryption Isn’t Enough

With WhatsApp having some potentially dodgy privacy policies from an enterprise standpoint, Telegram and Signal emerged with end-to-end encrypted messaging included. “Signal and Telegram have pushed growth, proliferation, and privacy as key business drivers,” said Emanuel.

But even if a messaging app uses encryption, many organizations don’t like the idea of corporate data sitting on unmonitored smartphones. Emanuel recommends prohibition of consumer-grade apps for company business or instituting detailed corporate policies to control them.

Laptops can likewise be set up to block unapproved communication apps and other services at the firewall or port. Mobile Device Management (MDM) technologies can do the same for Android/iOS devices. “Embrace the free flow of communication, but offer safer ways for it to happen while highlighting the risks,” said Emanuel.

Drew Robb
Drew Robb has been writing about IT and engineering for more than 25 years. Originally from Scotland, he now lives in Florida.
