October 26, 2018 By Sue Poremba 3 min read

Two decades ago, AOL Instant Messenger (AIM) changed the way we communicate. It was more private than a phone conversation — which was especially great if you worked in a cubicle — and the real-time nature of the conversations was a big advantage over email when you needed an immediate answer. Its convenience, at the time, was unparalleled.

AOL officially shut down AIM in 2017, but its basic principles still drive electronic communications through mobile messaging apps. You don’t need to know someone’s phone number or email address; a connection through social media could be enough. Because they are cloud-based, we can use messaging apps anywhere, on any device, with or without IT approval.

However, as our dependence on mobile messaging increases in the workplace, so do the security risks. What IT and security departments don’t know about your messaging use could result in all sorts of cyberthreats, as well as General Data Protection Regulation (GDPR) violations.

Who Is Using Mobile Messaging Apps?

According to the “Mobile Messaging 2016” report from the Mobile Ecosystem Forum, 66 percent of workers have used a chat app to communicate with a business. When you count SMS apps, that number rises to 74 percent. Connections with health providers and financial institutions appear to be the most common consumer-to-business communications, and more than half of mobile users choose Facebook Messenger as their preferred app.

If consumers are using these apps to reach out to organizations, you can assume that your employees are doing the same — and likely on your network. If they’re communicating with other business operations for personal use, they’re likely communicating enterprise information via these same mobile apps.

Unfortunately, this is risky behavior. According to research from Infinite Convergence, 44 percent of employees use an unsecured messaging app during their work day. In fact, workers like the convenience of these apps so much that they convince themselves they are secure: 23 percent of respondents in the finance industry said they believe these apps represent the most secure form of communication, and 33 percent in the legal industry said that messaging apps are their preferred means of sensitive communications. The problem isn’t just that nearly half of users are communicating via unsecured apps, but that these apps aren’t built with security in mind.

How Can You Recognize the Risks?

Despite the rise of mobile messaging as a business communications tool, organizations have been slow to create security policies for the apps. As Computer Weekly reported, even as messaging apps have overtaken other forms of communication such as email and voice calls, 62 percent of companies have not changed their policies regarding employee messaging service usage in the past six months. Furthermore, the vast majority of employees are using these apps on their own devices for business purposes, making security monitoring even more difficult.

At the same time, we’re seeing an uptick in the use of mobile messaging as a way to spread malware. For example, Trend Micro reported that threat actors are using Facebook Messenger to spread the FacexWorm malware, which is designed to steal passwords, and Kaspersky Lab reported a vulnerability in the Telegram messaging app that allows cryptojackers to spread malware and take over devices to mine certain types of cryptocurrency.

On top of everything are persistent GDPR concerns. Enterprises conducting business with European Union (EU) citizens must ensure the messaging apps they use are GDPR compliant. For that reason, many organizations in the EU have simply banned popular commercial messaging apps, according to GDPR.Report.

Why You Should Employ End-to-End Encryption

The harsh reality is that employees will continue to use mobile messaging apps as a favored form of business communication no matter how many policies and regulations forbid it. One possible solution is to implement end-to-end encryption to secure messages between only the sender and intended recipient.

However, encryption technology isn’t foolproof. If an attacker does manage to install keylogger malware, he or she can still pick up the input text at one end or the other. Plus, if the app is used across multiple devices, data security is diluted. Encryption works fine during a one-to-one chat, but it breaks down in group chats, as reported by SC Magazine.

In addition, encryption doesn’t address poor human behaviors. When malware and social engineering attacks are spread through messaging apps, we make the same mistakes we make when using email and social media. And individual encryption methods are occasionally cracked; be sure to periodically update organizationally approved end-to-end encryption technologies accordingly.

Chief information security officers (CISOs) and other security executives need to consider security policies that address the risks found in mobile messaging apps, either directly or through bring-your-own-device (BYOD) security policies. The better employees understand the risks to both network security and data privacy — and the options available to mitigate those risks — the safer use of these apps will be.
