The security implications for private messaging apps


The popularity of private messaging apps is proving to be an ongoing headache for IT managers, particularly around data security and privacy.

The blurring of the lines between personal and professional use of messaging has been increasing, thereby fueling the fires of shadow IT. Last year's spike in remote working only solidified this further, making these applications the norm for teams looking to reduce email, stay connected and be productive. The consumerization of IT is nothing new. It has been the primary driving force behind the decentralization of IT for several years, and responsible for the acceleration of flexible work and working from anywhere in recent times.

About the author

Steven Wood is EMEA Director at Carbonite.

While individual teams setting up their own messaging channel without the knowledge of IT may sound commonplace and part of modern work, companies such as Microsoft have enticed users to stick with IT approved communication methods in the last year. Additionally, the remote working boom has seen Teams balloon to more than 115 million daily active users. But this surge in product demand has encouraged Microsoft to be more efficient with their security and usability.

However, as applications diversify, cyber resilience becomes harder to implement, and if users are unhappy with their experience, they will look elsewhere, which may lead to them circumventing IT procedures and practices.

Businesses may already have a plethora of different apps in use through shadow IT, whether they know it or not, likely on an ad-hoc basis for either cost reasons or to work around the supposed privacy ‘shortcomings’ in the IT systems organizations normally use. However, what many organizations fail to realize is that shadow IT can result in expanding attack surfaces.

Shadow IT isn't a new problem, but it's quickly growing in size. Business changes, cloud migration, shadow IT and the use of private messaging apps add complexity to an already varied attack surface. As new ways of working continue to grow, it's critical for enterprises and small and medium-sized businesses (SMBs) alike to balance their application use with security and access control; otherwise, the benefits they see may quickly turn into regulatory compliance nightmares, data loss disasters and security breaches.

For these reasons, it's important that businesses pay attention to their users' experiences, evolve their applications and monitor use cases within the changing application landscape rather than against it. This way the CIO can get ahead of the security implications and help create better protection for the organization against associated threats.

Demand for encrypted messaging

The influence of messaging apps from outside of work has long permeated offices, particularly apps which offer a level of encryption. In some regions of the world, WhatsApp and Signal are so deeply ingrained in the workplace that conducting business transactions over these channels is quite normal.

With 2 billion global users, WhatsApp is the biggest player in this space, but an incoming update to the service's privacy policy has caused some to look elsewhere. As well as Telegram, one of the big beneficiaries is Signal, an end-to-end encrypted messaging app built on open-source code.

Signal has strong encryption and only stores data on an individual's device, which has proven to be a popular feature: the app has since shot to number one in app stores around the world.

For IT managers, it could also be viewed as a big security upgrade.

Weighing up the benefits of Open Source

Being developed as open source, Signal is much less opaque about its potential security vulnerabilities than its commercially developed competitors. Security researchers are able to examine its source code and point out vulnerabilities, and because it's open source, the community behind it is then able to quickly update and fix any issues.

Signal stores all its data on each individual device rather than on its own servers, and the end-to-end encryption means that messages can't be intercepted in transit and read. Furthermore, the organization which owns Signal, the Signal Technology Foundation, is a not-for-profit. As things stand, it doesn't make money by targeting you with advertising or passing your data to third parties.

But despite these upsides, CIOs and IT managers still need to balance cyber resilience, security and compliance against usability.

Signal is currently a free-to-use service, so support staff are likely to be less of a focus, and there is no multi-layered approach or backup tooling to recover lost data shared on the platform if it all goes wrong. Equivalent collaboration tools on Office 365, like Teams, can be made completely recoverable.

And while cybersecurity should be a central concern when this type of solution is vetted, often it isn't. This oversight can have devastating implications, and yet the challenge of managing an application outside of your IT stack is unavoidable. So, a change in mindset is needed.

Win hearts and minds through user education

Ultimately, people are always going to find a way around any fences you put in their way, whether that's to make their job easier, out of concern for privacy, or because they are attracted to using the latest and greatest applications.

If it isn’t Signal today there will be other tools down the line which individuals or teams will want to use at both work and home.

CIOs and IT managers will have to step up to best manage shadow IT and keep their organizations cyber resilient.

What they can try to influence is the behavior of users, to help prevent future occurrences and mitigate security risks. Educating users to be the first line of defense against a potential breach, through training and phishing simulations, is one way of doing this.

Businesses have to get the basics right. Establishing basic security principles like regular user education, multi-factor authentication, proactive threat detection and a solid backup and recovery plan is the minimum. Strong, multi-layered approaches such as password policies and robust backup and endpoint plans can help mitigate risk and protect sensitive data.

case, there are still ways to properly manage and reduce risk to your organization.
