Two decades ago, AOL Instant Messenger (AIM) changed the way we communicate. It was more private than a phone conversation — which was especially great if you worked in a cubicle — and the real-time nature of the conversations was big advantage over email when you needed an immediate answer. Its convenience, at the time, was unparalleled.
AOL officially shut down AIM in 2017, but its basic principles still drive electronic communications through mobile messaging apps. You don’t need to know someone’s phone number or email address; a connection through social media could be enough. Because they are cloud-based, we can use messaging apps anywhere, on any device, with or without IT approval.
However, as our dependence on mobile messaging increases in the workplace, so do the security risks. What IT and security departments don’t know about your messaging use could result in all sorts of cyberthreats, as well as General Data Protection Regulation (GDPR) violations.
Who Is Using Mobile Messaging Apps?
According to the “Mobile Messaging 2016” report from the Mobile Ecosystem Forum, 66 percent of workers have used a chat app to communicate with a business. When you count SMS apps, that number rises to 74 percent. Connections with health providers and financial institutions appear to be the most common consumer-to-business communications, and more than half of mobile users choose Facebook Messenger as their preferred app.
If consumers are using these apps to reach out to organizations, you can assume that your employees are doing the same — and likely on your network. If they’re communicating with other business operations for personal use, they’re likely communicating enterprise information via these same mobile apps.
Unfortunately, this is risky behavior. According to research from Infinite Convergence, 44 percent of employees use an unsecured messaging app during their work day. In fact, workers like the convenience of these apps so much that they convince themselves they are secure: 23 percent of respondents in the finance industry said they believe these apps represent the most secure form of communication, and 33 percent in the legal industry said that messaging apps are their preferred means of sensitive communications. The problem isn’t just that nearly half of users are communicating via unsecured apps, but that these apps aren’t built with security in mind.
How Can You Recognize the Risks?
Despite the rise of mobile messaging as a business communications tool, organizations have been slow to create security policies for the apps. As Computer Weekly reported, even as messaging apps have overtaken other forms of communication such as email and voice calls, 62 percent of companies have not changed their policies regarding employee messaging service usage in the past six month. Furthermore, the vast majority are using these apps on their own devices for business purposes, making security monitoring even more difficult.
At the same time, we’re seeing an uptick in the use of mobile messaging as a way to spread malware. For example, Trend Micro reported that threat actors are using Facebook Messenger to spread the FacexWorm malware, which is designed to steal passwords, and Kaspersky Lab reported a vulnerability in the Telegram messaging app that allows cryptojackers to spread malware and take over devices to mine certain types of cryptocurrency.
On top of everything are persistent GDPR concerns. Enterprises conducting business with European Union (EU) citizens must ensure the messaging apps they use are GDPR compliant. For that reason, many organizations in the EU have simply banned popular commercial messaging apps, according to GDPR.Report.
Why You Should Employ End-to-End Encryption
The harsh reality is that employees will continue to use mobile messaging apps as a favored form of business communication no matter how many policies and regulations forbid it. One possible solution is to implement end-to-end encryption to secure messages between only the sender and intended recipient.
However, encryption technology isn’t foolproof. If an attacker does manage to install keylogger malware, he or she can still pick up the input text from one end or the other. Plus, if the app is used across multiple devices, it dilutes the data security. Encryption works fine during a one-to-one chat, but it breaks down in group chats, as reported by SC Magazine.
In addition, encryption doesn’t address poor human behaviors. When malware and social engineering attacks are spread through messaging apps, we make the same mistakes we make when using email and social media. And individual encryption methods are occasionally cracked; be sure to periodically update organizationally approved end-to-end encryption technologies accordingly.
Chief information security officers (CISOs) and other security executives need to consider security policies that address the risks found in mobile messaging apps, either directly or through bring-your-own-device (BYOD) security policies. The better employees understand the risks to both network security and data privacy — and the options available to mitigate those risks — the safer use of these apps will be.