The past year brought a security and privacy situation to the forefront that has been bubbling for years—the use of messaging apps at work. Within some organizations, WhatsApp, Signal, Telegram and other channels were heavily used during the pandemic despite not being corporately approved or monitored.
Part of the issue is the blurring of lines between personal and professional time. When users work from home, it can be hard to stick to a single messaging app for both personal and work messages. Thus, some employees and even entire teams evolved their own messaging channels—in some cases without the knowledge of their companies' IT departments.
All it takes is a glitch or two on an approved platform and some users will drift off to another channel, which may pose privacy and security headaches. Every unmanaged channel widens the attack surface: messages, files and sometimes credentials flow through a service the company cannot monitor, patch or wipe, and attackers gain another route for phishing links and malicious attachments. The consequences include noncompliance with regulatory mandates, data loss, ransomware and security breaches.
"Attempting to solve a market demand for communications has led to a range of quickly launched apps that are not business- or enterprise-ready, with many having poor uptime [the amount of time the technology is operational] and availability, and suffering from lack of inbuilt security, stability and basic feature sets," said Nick Emanuel, senior director of product for Webroot, a computer network security firm based in Broomfield, Colo.
WhatsApp is one of the most popular personal messaging apps and is likely in heavy use at some organizations. But changes to privacy policies have made it a hot potato for many corporations. Emanuel said end-to-end encryption is great for securing communications on rogue messaging apps and preventing them from being intercepted during transit.
Services such as Telegram and Signal have gained users as alternatives to WhatsApp, although WhatsApp itself also end-to-end encrypts message content. The alternatives differ in what they protect: Signal end-to-end encrypts every message by default, whereas Telegram does so only in its optional Secret Chats; its ordinary cloud chats are encrypted only between the client and Telegram's servers, where the company holds the keys. Signal also stores message content only on the user's device. But even then, corporate data, some of it potentially confidential, ends up sitting on an unmonitored personal smartphone, outside the company's retention, legal-discovery and remote-wipe controls.
"In the race to disrupt the market, newcomers like Signal and Telegram have pushed growth, proliferation and privacy as key business drivers," Emanuel said. "This has raised public concern and discussion about their abilities to manage the pace of growth with features that enable users but pay little to no attention to how users will interact with the service, the app's security or what is being transmitted through it."
In addition, he noted that encryption on messaging apps makes it difficult for HR teams to monitor that traffic for data loss, leakage, and compromising or harassing behavior.
"If an employer cannot see the content generated by and from their employees, on their network, and the app does not operate a robust content policy, HR teams may be skating on thin ice," Emanuel said.
Greg Schulz, an analyst with IT advisory StorageIO Group in Stillwater, Minn., stressed the importance of establishing a policy, guidelines and education materials to make employees aware of the risks, ramifications and restrictions on using unauthorized technologies and services.
"Published policy from high up in the organization should spell out the do's and don'ts and actions that will be taken for violations," Schulz said.
Emanuel agreed, recommending either the prohibition of consumer-grade apps for company business, or at the very least, drawing up detailed corporate policies to control them. Security awareness education or training programs should reiterate business policy on what software is acceptable and highlight the risks to the business, such as threats to security, reputation and privacy should employees not adhere to the policy.
Company laptops can be configured to block the desktop versions of WhatsApp and other unapproved communication apps from running. If corporately managed Android or iOS devices are in use, mobile device management (MDM) technologies can achieve the same result. Blocking the installed client alone is not enough, however: several of these services also offer web clients that run inside an ordinary browser, so an executable block should be paired with URL or DNS filtering, and personal devices that are not enrolled in MDM remain out of reach.
"HR needs to accept that it is unlikely that all usage of unapproved messaging apps will be stopped," Emanuel said. "Embrace the free flow of communication but offer safer ways for it to happen while highlighting the risks."
Listen to Employees
Schulz made it clear that if employees persist in using rogue applications, those in IT should make it their business to find out what it is about such tools and platforms that workers prefer. What can they do while using these apps that they can't achieve on company-approved services and apps?
A worthwhile strategy, therefore, is to create internal feedback loops so employees can voice their preferences for communicating with one another. The business can then evaluate alternative apps that more closely meet employee needs and determine whether they pose security, privacy or compliance challenges. If they do, the business can launch an internal campaign of mandatory educational sessions that restate the policy and spell out the risks of improper messaging app usage.
"Secure messaging protocols are often used by cyberattackers to hide data exfiltration, making it much harder for the company to identify they are being attacked," Emanuel said.
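The endpoint blocking described earlier and the exfiltration concern Emanuel raises here both come down to the same question for a security team: which hosts are talking to consumer messaging services, through which client, and how much is leaving? The following script is an added example written for this article, not code from Webroot, StorageIO or SHRM. It correlates a constructed process inventory with constructed proxy log lines and reports, per host and app, whether the evidence is a native client (which an executable block would catch), a web client in the browser (which it would not), or blocked traffic. The process names and domains in the indicator lists are illustrative assumptions; a real deployment would maintain its own.

```python
"""Flag consumer messaging-app use from endpoint and proxy telemetry.
Added example for this article, not code from Webroot, StorageIO or SHRM;
indicator lists and sample logs are constructed assumptions for illustration."""
from collections import defaultdict

# Assumption: illustrative process names; build the real list from your inventory.
PROCESS_INDICATORS = {"whatsapp": "WhatsApp", "telegram": "Telegram",
                      "telegram-desktop": "Telegram", "signal": "Signal",
                      "signal-desktop": "Signal"}
# Assumption: illustrative service domains, matched by suffix so subdomains count.
DOMAIN_INDICATORS = {"whatsapp.com": "WhatsApp", "whatsapp.net": "WhatsApp",
                     "telegram.org": "Telegram", "signal.org": "Signal"}
# Browser-based clients: an executable block on the laptop never sees these.
WEB_CLIENT_HOSTS = {"web.whatsapp.com", "web.telegram.org"}

# Constructed sample telemetry, not real captures.
PROCESS_INVENTORY = """\
host=LT-0417 user=jsmith process=outlook.exe
host=LT-0417 user=jsmith process=WhatsApp.exe
host=LT-0922 user=adoe process=Teams.exe
host=LT-0922 user=adoe process=chrome.exe
"""
PROXY_LOG = """\
2021-06-01T09:14:02Z host=LT-0922 user=adoe dst=web.telegram.org action=allow bytes_out=18344
2021-06-01T09:15:11Z host=LT-0922 user=adoe dst=teams.microsoft.com action=allow bytes_out=2201
2021-06-01T09:16:30Z host=LT-0417 user=jsmith dst=g.whatsapp.net action=allow bytes_out=91230
2021-06-01T09:18:45Z host=LT-1133 user=rlee dst=web.whatsapp.com action=block bytes_out=0
"""


def parse_kv(line):
    """Split 'key=value' tokens into a dict; tokens without '=' (timestamps) are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def classify_process(name):
    """Map a process name (any case, optional .exe) to a messaging app, or None."""
    base = name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return PROCESS_INDICATORS.get(base)


def classify_domain(host):
    """Map a destination host to a messaging app by domain suffix, or None."""
    host = host.lower().rstrip(".")
    for suffix, app in DOMAIN_INDICATORS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def analyse(process_inventory, proxy_log):
    """Correlate both feeds; returns {host: {"users": set, "apps": {app: record}}}."""
    findings = defaultdict(lambda: {
        "users": set(),
        "apps": defaultdict(lambda: {"evidence": set(), "bytes_out": 0, "blocked": 0}),
    })
    for line in process_inventory.splitlines():
        rec = parse_kv(line)
        app = classify_process(rec.get("process", ""))
        if app:
            entry = findings[rec["host"]]
            entry["users"].add(rec["user"])
            entry["apps"][app]["evidence"].add("native client process")
    for line in proxy_log.splitlines():
        rec = parse_kv(line)
        app = classify_domain(rec.get("dst", ""))
        if not app:
            continue  # approved tools such as Teams fall through here
        entry = findings[rec["host"]]
        entry["users"].add(rec["user"])
        record = entry["apps"][app]
        if rec["dst"].lower() in WEB_CLIENT_HOSTS:
            record["evidence"].add("web client in browser")
        else:
            record["evidence"].add("network traffic to service")
        if rec.get("action") == "block":
            record["blocked"] += 1
        else:
            record["bytes_out"] += int(rec.get("bytes_out", 0))
    # Plain dicts so callers cannot create phantom hosts just by looking them up.
    return {h: {"users": e["users"], "apps": dict(e["apps"])} for h, e in findings.items()}


def report(findings):
    """One line per host/app pair, sorted, ready for a ticket or SIEM alert."""
    lines = []
    for host in sorted(findings):
        entry = findings[host]
        for app in sorted(entry["apps"]):
            rec = entry["apps"][app]
            lines.append(f"{host} users={','.join(sorted(entry['users']))} app={app} "
                         f"evidence={'; '.join(sorted(rec['evidence']))} "
                         f"bytes_out={rec['bytes_out']} blocked={rec['blocked']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(PROCESS_INVENTORY, PROXY_LOG))))
```

On the sample data the report shows three distinct situations: LT-0417 runs the native WhatsApp client and has pushed about 90 KB out to the service, which is the case an executable block on the laptop would have prevented; LT-0922 is using Telegram's web client inside Chrome, which no executable block sees and only the proxy or DNS layer can catch; and LT-1133 tried WhatsApp Web and was blocked, which is the policy working as intended. Traffic to the approved tool is never flagged because it matches no indicator. The bytes_out column is the field to watch for the exfiltration pattern Emanuel describes: a sudden, large outbound volume to a messaging service from a host that normally shows none.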
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.