The traditional email and voice calls in business have been supplanted with an explosion of popular, easy-to-use messaging apps. WhatsApp , Telegram , Send, Line and other apps all offer free text messaging – and that is not even mentioning the options for voice, video and file-sharing to other users.
The finding by 451 Research that messaging apps are more popular than email and voice calls opens up a whole raft of questions for organisations from a security point of view. Here is a list of a few that all security managers should be asking with regard to messaging apps:
This is not an exhaustive list, but it demonstrates that unless properly controlled, staff using messaging apps for business purposes could be opening up the organisation to new uncontrolled risks.
What criteria should organisations use to assess the security of smartphone messaging apps and how can they ensure that only approved apps are used by employees?
First and foremost, an organisation should identify what information it is willing to allow to be communicated using messaging apps. This should be a risk-based decision ensuring that all the risks have been identified and measured, so an informed business decision can be made.
Now for the important part. Once this decision has been made, it needs to be communicated effectively to all staff and reinforced regularly to ensure all employees are aware and understand why the decision has been made.
In my experience, keeping staff informed of decisions and the reasons behind them is a more effective method of changing the culture of an organisation. Here is an example of what to say: “The organisation has made the decision to not use messaging apps for the communication of personal information because many messaging apps store information offshore, which could cause the organisation to be in breach of the UK Data Protection Act.”
Once an organisation has decided what information it is willing to be communicated using messaging apps, it needs to decide which messaging apps to use. The following security controls are recommended for consideration:
The next step is then to decide how staff should interact with the messaging app. This should also be a risk-based decision to ensure all the risks have been identified and measured, so that an informed business decision can be made.
Depending on the level of risk an organisation wants to take, it may wish to allow staff to access the messaging app only via company-issued mobile devices that are controlled using mobile device management software to reduce the risk of the device, and the information contained within it, being compromised. Alternatively, business operations may dictate that staff may use their own personal devices and accept the risk of company data being processed on uncontrolled devices.
In all cases, it is vital to support this with policy and procedure that is properly and effectively communicated from the top down to all staff, informing them of decisions and the reasons behind those decisions. By doing so, the organisation will have the best chance of achieving the objective of ensuring the use of messaging apps for business purposes is carried out in a manner aligned with the organisation’s risk tolerance.