October 26, 2018 By Sue Poremba 3 min read

Two decades ago, AOL Instant Messenger (AIM) changed the way we communicate. It was more private than a phone conversation — which was especially great if you worked in a cubicle — and the real-time nature of the conversations was big advantage over email when you needed an immediate answer. Its convenience, at the time, was unparalleled.

AOL officially shut down AIM in 2017, but its basic principles still drive electronic communications through mobile messaging apps. You don’t need to know someone’s phone number or email address; a connection through social media could be enough. Because they are cloud-based, we can use messaging apps anywhere, on any device, with or without IT approval.

However, as our dependence on mobile messaging increases in the workplace, so do the security risks. What IT and security departments don’t know about your messaging use could result in all sorts of cyberthreats, as well as General Data Protection Regulation (GDPR) violations.

Who Is Using Mobile Messaging Apps?

According to the “Mobile Messaging 2016” report from the Mobile Ecosystem Forum, 66 percent of workers have used a chat app to communicate with a business. When you count SMS apps, that number rises to 74 percent. Connections with health providers and financial institutions appear to be the most common consumer-to-business communications, and more than half of mobile users choose Facebook Messenger as their preferred app.

If consumers are using these apps to reach out to organizations, you can assume that your employees are doing the same — and likely on your network. If they’re communicating with other business operations for personal use, they’re likely communicating enterprise information via these same mobile apps.

Unfortunately, this is risky behavior. According to research from Infinite Convergence, 44 percent of employees use an unsecured messaging app during their work day. In fact, workers like the convenience of these apps so much that they convince themselves they are secure: 23 percent of respondents in the finance industry said they believe these apps represent the most secure form of communication, and 33 percent in the legal industry said that messaging apps are their preferred means of sensitive communications. The problem isn’t just that nearly half of users are communicating via unsecured apps, but that these apps aren’t built with security in mind.

How Can You Recognize the Risks?

Despite the rise of mobile messaging as a business communications tool, organizations have been slow to create security policies for the apps. As Computer Weekly reported, even as messaging apps have overtaken other forms of communication such as email and voice calls, 62 percent of companies have not changed their policies regarding employee messaging service usage in the past six month. Furthermore, the vast majority are using these apps on their own devices for business purposes, making security monitoring even more difficult.

At the same time, we’re seeing an uptick in the use of mobile messaging as a way to spread malware. For example, Trend Micro reported that threat actors are using Facebook Messenger to spread the FacexWorm malware, which is designed to steal passwords, and Kaspersky Lab reported a vulnerability in the Telegram messaging app that allows cryptojackers to spread malware and take over devices to mine certain types of cryptocurrency.

On top of everything are persistent GDPR concerns. Enterprises conducting business with European Union (EU) citizens must ensure the messaging apps they use are GDPR compliant. For that reason, many organizations in the EU have simply banned popular commercial messaging apps, according to GDPR.Report.

Why You Should Employ End-to-End Encryption

The harsh reality is that employees will continue to use mobile messaging apps as a favored form of business communication no matter how many policies and regulations forbid it. One possible solution is to implement end-to-end encryption to secure messages between only the sender and intended recipient.

However, encryption technology isn’t foolproof. If an attacker does manage to install keylogger malware, he or she can still pick up the input text from one end or the other. Plus, if the app is used across multiple devices, it dilutes the data security. Encryption works fine during a one-to-one chat, but it breaks down in group chats, as reported by SC Magazine.

In addition, encryption doesn’t address poor human behaviors. When malware and social engineering attacks are spread through messaging apps, we make the same mistakes we make when using email and social media. And individual encryption methods are occasionally cracked; be sure to periodically update organizationally approved end-to-end encryption technologies accordingly.

Chief information security officers (CISOs) and other security executives need to consider security policies that address the risks found in mobile messaging apps, either directly or through bring-your-own-device (BYOD) security policies. The better employees understand the risks to both network security and data privacy — and the options available to mitigate those risks — the safer use of these apps will be.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today