Internal and external comms are an age-old minefield for security leaders, with teams balancing security with usability. In some cases, insecure comms systems can turn otherwise diligent top teams and employees into (accidental) insider threats. This presents two key challenges: data loss prevention and corporate buy in.
Let’s start with data loss prevention. The recent leak of information on American military operations via Signal is an extraordinary incident – but it may be more commonplace than we think, especially within corporations. Politics and legal issues aside, the exchanging of sensitive organisational data on systems that aren’t designed for such is not uncommon, despite its blaring insecurity.
Incidents like this highlight why it’s not worth the risk to use unvetted third-party apps, like Signal or WhatsApp, despite their ease of use. Leaks from chats like this can be ruinous to the reputation of an organisation, resulting in financial loss, reputational and legal damage and, in some cases, non-compliance. Often, conversations held on apps that aren’t overseen or approved by security teams are not officially logged, which can be a problem for compliance. In some industries, like finance and healthcare, for example, organisations are expected to keep logs of conversations to meet compliance, with disappearing messages, as an example, violating this. On the other hand, some organisations (like many of those in the retail and media sectors) have very short data retention policies, with written, non-disappearing messages violating this.
Usability and getting organisational buy-in
It’s important to consider why employees turn to external messaging apps so security professionals can build secure tech that people will actually use. Simply put, sometimes employees turn to non-org issued comms apps due to ease of use and accessibility. Top teams are especially prone to this, with any sort of restrictions running the risk of slowing work down – and time is money.
Security teams are challenged with trying to provide secure tech that will actually be used with the appropriate security measures built in. These apps should be encrypted and let people get their jobs done efficiently and with little friction. Equally, employees must be educated on the risks (and laws) of using unapproved third-party apps, as well as the personal and organisational repercussions of not using them.
The rise of BYOD
Modern working conditions, like hybrid working, have further complicated the matter. Personal devices being used for work and ‘bring your own device’ (BYOD) models are on the rise across organisations. Oftentimes this is because it reduces costs and increases flexibility. Whilst these devices enable quick conversation between teams, unmonitored personal devices can mean a lack of control for security teams and, as a result, increased security risk.
Ultimately, robust BYOD policies and practices must be put in place to mitigate excess risk that arises from using personal devices for work. There must be some element of corporate review of what’s allowed on these devices to ensure safety of organisational data.
Whilst many users may have faith in the security of the apps they’re using, personally and professionally, a compromised device often means that these security measures are overridden. Ensuring that users follow basic device hygiene when it comes to security is important (regularly updating software and apps, for example). Additionally, users should understand the importance of enabling multi-factor authentication (MFA) and similar measures that make it harder for a threat actor to move across accounts.
The verdict?
This isn’t a new problem for CISOs and security teams. Getting organisational buy-in on cyber in general is hard, but restricting the apps that allow people to get their jobs done quickly is equally as tedious. Security teams should prioritise creating and investing in comms systems with good user interfaces that are backed up by robust security measures, like encryption. These apps, devices and tools must also meet the compliance standards set for the organisation’s respective industries. Additionally, strong awareness training is crucial for helping people at all levels understand the risks and consequences of working outside of organisational security standards.
Elliott Wilkes is CTO at Advanced Cyber Defence Systems. A seasoned digital transformation leader and product manager, Wilkes has over a decade of experience working with both the American and British governments, most recently as a cyber security consultant to the Civil Service.
