The recent leak of sensitive US military operations via the Signal messaging platform, triggered by the accidental inclusion of a journalist in a group chat, underscores a fundamental and often overlooked vulnerability in many organisations: people. Specifically, individuals who operate within or adjacent to an organisation but fall outside standard onboarding and training processes.
This is particularly true in the public sector, where you find a wide array of individuals with high-level access to sensitive information: MPs, local authority figures, trustees, and central government officials, who are often not treated as traditional employees. As a result, they are frequently excluded from formal onboarding and awareness programs. Another at-risk group includes temporary workers, contractors, and interns, who may have legitimate access but limited information security education.
It’s easy to say that those in positions of power, such as a secretaries of state, should “know better.“ But that assumes they’ve had any foundational information security training in the first place. Politicians, after all, are not cyber security experts; they are public figures who have attained positions of influence, often without structured exposure to risk. And yet, they regularly handle some of the most sensitive and high-value information.
In addition, consider the recent case of a university student on placement at GCHQ, who pleaded guilty to transferring sensitive documents to personal devices and potentially exposing national security secrets. Despite undergoing a vetting process, the student lacked a full grasp of the operational boundaries and information handling protocols expected within such an environment. This mirrors the issue highlighted in the Signal leak: that individuals outside standard employment structures such as interns, contractors, MPs, and trustees, often operate in grey zones when it comes to information security governance. They may have legitimate access, but without tailored education and contextual guidance, they can inadvertently become insider threats.
The challenge for CISOs, then, is clear: how do you embed a culture of security awareness among people who are difficult to reach through traditional training routes?
The answer lies in language and relevance. Senior leaders are time-poor and goal-driven. If security messages are to resonate, they must be tailored in business terms, framed around risk, reputation, and leadership responsibility, rather than compliance checklists and jargon. Security needs to be positioned not as an IT issue but as a leadership imperative.
Another key takeaway from the Signal leak is the futility of banning communication tools outright. Platforms like WhatsApp, Signal, and Telegram are not inherently insecure; in fact, they offer robust encryption and widespread usability. The problem is not the tool but the governance around its use.
Instead of fighting a losing battle to eliminate these tools, organisations should accept them as part of the modern communications landscape and integrate them into formal comms policies. That means mandating approved use, applying audit and retention policies where feasible, and clearly defining what types of information can, and cannot, be shared over such platforms.
Ultimately, best practice now means embracing the tools people actually use, while wrapping them in governance, education, and accountability. It also means expanding the security perimeter to include all stakeholders with access to sensitive data—not just full-time employees.
The Signal leak is a stark reminder that even the most secure platforms can become vulnerabilities when human factors are overlooked. For CISOs, this incident should be a catalyst to re-evaluate onboarding, education, and communication protocols, especially for those at the very top.
