Why governments and commercial enterprises need secure messaging
01 June 2020 | Enrique Pena
Previously, the primary targets of mobile device and phishing attacks were consumers. However, during the past few years, the focus has shifted to government entities and commercial enterprises and especially their employees. While convenient for employees, the biggest threat in enterprise messaging is the prevalence of popular messaging apps. This has opened numerous opportunities for attackers and new threat vectors. Messaging apps create a huge security hole that threatens not only the business infrastructure but also corporate regulatory compliance. The future of enterprise data breaches and cybercrime lies in mobile applications, primarily through popular messaging apps.
Digital communications are essential to everyday business operations, but unfortunately, the most commonly used means -- popular messenger apps -- are notoriously insecure. Every week we read news headlines on how digital messaging and video communication methods violate their users' privacy and are compromised by hackers, nation-states, insider threats and human error.
These risks have prompted business employees to turn to apps that advertise end-to-end encryption. Employees have taken it upon themselves to use these apps because of a preconception that end-to-end encryption provides just enough security to protect both the senders and recipients from outside interference. In all honesty, end-to-end encrypted messengers do prevent certain types of cyberattacks during message transmission. They may be less risky alternatives, yet too many assume that this means that information cannot be saved, shared, stored or otherwise forwarded by a recipient to others, which is where the security paradigm breaks. This gives too many businesses and government entities a false sense of security.
Although end-to-end encryption protects against outside monitoring when messages are in transit, consumer-grade messengers provide no protection against forwarding messages, documents, contacts, images or screenshots to unintended recipients. The moment a message is received, it can be distributed all over with relative ease. Encryption, in and of itself, only goes so far to keep communications protected. Have you ever thought of the following risks when using consumer messengers for business purposes? Here is a top ten list of things to think about:
1. Unencrypted third-party backups: Have you allowed Google Drive or iCloud to store your messages? Are your messages and content encrypted while in the cloud? Do you know where in the world and under which laws your business data rests?
2. Hoaxes or fake news in your message feed: Many attempts like these are deployed for intelligence gathering and to incite wanted behaviours and confusion.
3. As a group member in a messenger app, anybody can access your user profile. People can see your profile photo, name, last seen info, phone number and status. Contacts that you have blocked can still view your status and other details about you.
4. Your phone number can be saved, and using a messenger app, anybody can start displaying your account in their contacts list, including your photo, status and last seen info.
5. Messenger apps are left vulnerable to interference from foreign governments, which push developers to disclose data and messaging records. Technology companies are constantly called to help intelligence agencies by providing them with backdoor access to messaging apps and other encrypted communications.
6. Have you ever approved your messenger app’s end-user license agreement without actually reading it? Virtually all of them have a non-personal use policy. Popular messengers forbid the use of their apps for business or for commercial purposes, which relieves them from any liability. If your business data is lost, shared or breached, the developer is not responsible. Also, as a consumer, once you sign up as a user, you are under a legal agreement giving consent for data collection. There are lots of hidden risks.
7. The messenger developer can sub-license, transfer, use, reproduce, distribute, create derivative works of, display, and perform the information that you upload, submit, store, send, or receive on or through the developer’s services.
8. Advertising is coming to popular messengers. Messenger apps have a legitimate interest to promote their products and conduct direct marketing.
9. The internet is filled with countless messenger spying apps and step-by-step video tutorials on spying techniques, all publicly available, for free or at affordable prices. Most require one minute of access to the targeted device, but in some cases no physical access to the device is even needed.
10. Parental control and phone monitoring apps are available from reputable companies and can be used to access and monitor any consumer messaging app. All one needs is one minute of access to the targeted phone to install the legitimate monitoring app.
The list can go on and on. For consumer messengers, end-to-end encryption seems to be the only security control they offer for protecting data, yet it leaves users themselves as the weak link that can compromise an organisation’s sensitive data. As discussed in a previous blog post, consumer-grade messaging apps were not initially designed with the intent of organisational use -- they simply are not designed to adequately provide the security required for serious business.
In order to protect critical data and communications -- which run organisations -- those considering messaging solutions must demand the most secure platform for communications, one in which every layer has been designed to prevent penetrating and sophisticated attacks. Businesses crave the convenience of messaging but should also demand the highest level of security. Enterprise- and government-grade secure messaging platforms enable users to maintain complete control of the conversation, the data shared and its use at all times, including with respect to any unintended recipient. Enterprise-grade secure messaging is an ideal solution for managing crisis and incident response situations, as communicating with employees, stakeholders, and sometimes even customers can be critical to success. The last thing organisations need during a crisis is for information to be leaked to the media or to a competitor. Complete control over communications is imperative.
Secure communications solutions should allow organisations to manage, monitor and audit communications. Messages should automatically expire from devices while also ensuring communications are archived for compliance and legal mandates. Depending on your jurisdiction, if a business fails to comply with regulations, there are exorbitant fees. Secure communications ensure your business is adhering to your industry’s strict rules. There are great benefits too, as secure communications affect more than your daily office messages and emails. Secure communications matter to customers and investors.
Cybercriminals will only get more efficient and are only going to grow in the coming years. As technology gets a stronger foothold in the modern workplace, criminals will get smarter. Hackers see encryption as a challenge, and they will simply team together to hack your business. Make sure that your business is ready for a tech-oriented future and focus on security now; it will help you avoid disaster in the future.
At Digital14, we recommend that you keep your communications secure and let your customers and investors know that you value security. Digital14 has designed and developed KATIM® Messenger, our cross-platform secure messenger offering, which governments and security-conscious enterprises are increasingly recognising as their choice. We apply continuous threat modelling that assumes something will be compromised at some point. Every link in KATIM® Messenger's communication chain is strong enough to handle unforeseen threats and mitigate the risk of breach, providing resilience against cyber attacks and vulnerabilities.
We pride ourselves on delivering predictable service quality, and we enforce that practice with robust, independent security testing and validation and ongoing mitigation. We never deploy any solution to production before achieving appropriate levels of independent testing, validation, quality and security.