A slip of the finger

Written by: Jack Flanagan Posted: 05/04/2018

Instant messaging might help make internal communications at work a lot faster and easier, but could it also put your clients and your business at risk?

The importance of a keen digital security strategy has been ramping up in recent years. As valuable information zips its way around the world in staggering amounts, online piracy has become more of a danger.

This creates a precarious situation for businesses, where important strategic information is a few button-taps and a ‘send’ away from being put into the wrong hands. And as enterprise instant messaging (IM) makes its way into the office, it presents a notable, if innocuous-looking, danger to data security.

Most people use some form of IM software or app, often exchanging intimate information many times a day. Enterprise apps have followed the trend and skyrocketed in popularity.

Slack, one of the better-known enterprise platforms, has gone from 16,000 daily users in 2014 to six million at the end of 2017. Two million of those are paid subscribers. Wire, a Germany-based enterprise app with a focus on security, claims to have more than 100,000 daily users, although it only launched late last year.

Co-founder and Chief Technology Officer of Wire Alan Duric says the appeal is partly efficiency, partly expectation. “Many organisations are looking for an easy-to-use messaging system, allowing them to quickly and easily communicate internally – especially businesses that employ Generation Z workers who tend to prefer messaging apps to email entirely.”  

Few who use these apps, however, may be aware of the possible security risks. Developing an app with tight digital security costs a lot – the licence must be purchased for the software and implemented by a team of developers. Tight security demands a lot of computing power as well, so such apps tend to be large downloads.

And the market is overflowing with CPU-friendly apps that don’t cost a thing. So with the vast majority of users simply sending banal information between themselves and a recipient, there’s a convincing argument to cut security costs. 

Quick and easy

But for businesses, that isn’t good enough. The problem with IM apps is partly that they’re not built to defend against serious hacking attempts. However, it’s also the way they are used – for quick and easy communication. People use them to send important information, in what they consider private space, akin to an intimate conversation.

But if they’re discussing work, a leak could be catastrophic to a client relationship or a fellow employee.

There’s the potential for more serious mishaps as well. Last year, Aadhaar, India’s biometric ID system and the largest in the world, suffered a major data leak. It’s believed the biometric information was stolen and sold on by Unique Identification Authority of India (UIDAI) employees who had been laid off but were still active in work-related WhatsApp groups.

The Aadhaar system produces a 12-digit code, based on biometric data and unique to any person residing in India – so the loss of this data is especially problematic because it’s very hard to discriminate between fraudulent and real biometric ID cards.

There have been cases of people using the easily available fraudulent Aadhaar cards to withdraw money from banks. This was the result of sloppy safety procedures by the employees who set up the accounts, presumably because they felt it would help them work better and communicate more quickly. 

The India example broadly showcases how more casual forms of communication, intended for consumer and not business use, lack the safeguards businesses need to keep information safe. Cases like these are a minority. But the question of whether to develop a well-rounded digital security policy is a bit like whether to leave your front door unlocked at night – the chance of being robbed is small, but you’d be foolish to risk it. 

There are two questions businesses must answer. The most important is how they will approach digital security in a way that encompasses new threats. The second is whether or not to adopt enterprise software. Like a cautious but liberal parent, should they demand that, if employees must use IM apps, it’s better done under their own roof?

Messaging management

Core to considering a strategy around digital security is employee training. “Moving from insecure solutions like email to secure platforms needs to go hand-in-hand with regular security awareness training for the staff,” Alan Duric says.

“Any organisation handling sensitive employee and customer data, R&D info or financial plans, needs to train staff on anything from basic good password strategies and using VPN when going online on untrusted networks, to not trusting emails, as phishing is still the biggest security risk today.”

Beyond helping staff understand digital security risks, security experts warn companies to be aware of ‘shadow IT’ in their organisation. Shadow IT describes employees using personal devices and apps to help get through their work – texting colleagues or looking things up at lunch on their tablets.

This scenario is described as ‘shadow’ because it isn’t accounted for by IT or management. It can’t be, because the list of possible devices and apps is endless. 

For this reason, employees must be closely involved in any process to tackle shadow IT and app use. Michela Menting, Research Director at ABI Research, focuses on technology and marketing issues.

She says employees need to feel a part of the solution to shadow IT, and not that their privacy and personal lives are under siege by their work life. “Companies must have this discussion with their employees,” she says. “They should ask them what tools [apps] they’re using, and be clear about the reasons they need to know.

“It’s important to keep them in the loop: if you don’t inform them and you don’t ask for co-operation, you’ll then get resistance, and they may just continue to use them.”

With this information and employee consent in place, a strategy can be devised. Are the apps employees use risky? Can your IT department prescribe better tools, perhaps an enterprise solution that allows staff to talk freely but in their relevant silos? 

Hygiene strategy

Scott Kenyon, a Security Architect at Sure in the Channel Islands, says ‘hygiene’ is the key to good strategy – companies need to ‘wash behind their ears’ and make sure they don’t miss any important aspects of building a digital security strategy.

Menting says businesses should consider appropriately segmenting communications, so “you don’t share all your core, sensitive data with your interns”, for instance. 

Kenyon concurs, adding: “Mobile device management tools, such as VMware AirWatch or Microsoft Intune, are becoming the trend for ‘bring your own device’-type environments. These segment business data into controlled areas, from personal to business, and stop the bleeding. Users are then only able to see data that it’s crucial they see. This helps prevent inadvertent leaks.”

If you’re shopping around for an enterprise app, it’s important to find out what security they use. Wire’s Duric believes end-to-end encryption – where the sender and recipient are the only ones to be given the ‘keys’ to unlock a message – is advisable for businesses. Popular enterprise apps such as Slack and Skype for Business don’t include this, though they do take other precautions.

The task of tracking down who’s messaging whom in an organisation, and what exactly they’re sending, may seem overwhelming, but developing a strategy need not be. Speak to employees and come up with a strategy that’s relevant to the organisation, is flexible and can be adjusted in future. And once all that’s in place, feel free to send those messages.

What about GDPR?

The General Data Protection Regulation (GDPR), which comes into force in the EU from 25 May, doesn’t mention instant messaging specifically. However, it does concern data shared by smart appliances. Whereas today we think of messaging from phones, tablets or desktops, tomorrow we’ll live in a world where cars, planes and public electronic interface kiosks can all be used to send a message to a loved one.

Michela Menting, Research Director at ABI Research, says: “It’s definitely going to have a big effect. A lot of enterprises are going to need to have this visibility into their shadow IT, because if information leaves an enterprise, that could then potentially be stolen or lost.

“The GDPR is a little more wide-ranging. Under the new definitions, it could also include data that’s being shared with other smart appliances. Say you connect your phone to a smart printer, a smart kiosk or a medical appliance, and they’re exchanging information, these may contain driver information, health information about a patient or, indeed, an enterprise. Businesses are going to need to think about that – where is this data going, outside of what we consider traditional computers? [The proliferation of chat services] presents an even bigger challenge for enterprises to keep track of their data.”

Importantly, Menting adds, don’t just ban these apps outright in an attempt to cover your bases. If employees find they can’t send or share something, they are liable to just find their own solution.
