Over a year since the implementation of GDPR regulations, and the ICO has started handing out fines for infringements. The finance sector is well used to dealing with regulation (pardon the pun), however mobile devices often go under the radar. While some unsecured voice calls on mobiles can be recorded via the usual VoIP phone systems, it is information exchanged using messaging apps that is of particular concern. You may think that these so-called ‘secure’ messaging apps are secure because they are encrypted, but as we have documented in this blog on various occasions, there is a lot more to security than simply encryption.
Worryingly, in the past couple of months it has been stated that ‘almost half of the cyber-security incidents reported in the UK during the past year were caused by internal errors, where employees failed to follow security protocol or data protection policies.’ Furthermore, 70 percent of financial companies faced a cyber-security incident, and the number of attacks are increasing year on year. Details here: https://www.scmagazineuk.com/70-uk-financial-companies-report-hit-cyber-incidents-blame-internal-error/article/1594018
How secure are attachments?
Only recently, research from Symantec found flaws in Android that allowed so-called media file jacking, where malicious attackers are able to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.
As well as the integrity of files, another issue to keep in mind, is where your data is being stored when you use mobile comms apps. There is currently a high profile lawsuit being filed against Apple, claiming that iCloud storage is actually, in some instances, farmed out to other suppliers such as Amazon Web Services and Google. See: https://www.theregister.co.uk/2019/08/14/apple_cloud_confusing/
Sharing your contacts with the world
As well as knowing where your data is being stored, it is vital to keep control of your contact lists. Some consumer grade apps, such as WhatsApp, automatically upload all of your native contacts to the WhatsApp/Facebook server when you install the app, so that it can cross reference your contacts and enable you to call them using the app. While this might appear to be user-friendly in our social lives, in a corporate environment it is very different. If you use a corporate device in this scenario, you are effectively sharing other people’s personal details, without their permission. This would be a contravention of GDPR, which could open up the business to potential fines of 4% of global turnover. A heavy price to pay for simply using a ‘free’ app – not quite so free after all!
Fully Auditable mobile comms
While these consumer grade apps are encrypted end-to-end which provides some level of security for the contents of messages and attachments, that also means that the system doesn’t provide any capability to manage organisational and/or regulatory compliance. In essence, there is no audit facility for any of the communications that take place. Whether you’re a CISO who needs to ensure your staff are adhering to FCA policies, or a financial advisor who needs to prove what guidance you gave to a high value client, the lack of an audit capability for your communications system is a major issue. And as previous mentioned, you have no control over where your data is held, so the case against consumer apps quickly stacks up.
With an enterprise-grade, certified mobile comms app you get the very best of all worlds:
- An easy to use product with all the functionality of a consumer-grade app
- Complete control of your meta data
- Complete control of your contacts lists
- Attachments that are stored securely
- Audit functionality – for reviewing all communications including voice calls
- GDPR compliance
Contact us today for more details.