The management of messaging apps within an organisation is often non-existent, reminiscent of how cyber security was treated 30 years ago. Back in the day, cyber security was often an afterthought with very little focus on controlling data, and even less on where and how users were saving data (remember the two disks containing personal details of 25 million UK citizens were lost by HMRC anyone?).
We are seeing a return to the days of the wild west in the way that un-sanctioned messaging apps have been allowed to proliferate under the radar for business use. People love these consumer apps because they are easy to use and they already have them on their personal devices, so why not use them for business too. Another reason for their popularity is that users can build their own chat groups, and have conversations with colleagues without any oversight, avoiding scrutiny by their organisation (government, political, or corporate). This enables individuals, departments or whole organisations to invoke ‘plausible deniability’ as a defence because messages are mysteriously lost (or deleted) when they should have been saved, documented or archived in official organisational systems.
Taking control of data to provide oversight should be a rite of passage
As organisations grow and professionalise their operations by taking control of their data, ad-hoc and ‘shadow IT’ arrangements are replaced with built-for-purpose applications, that provide more powerful enterprise features and can be centrally managed. The same should be true for messaging apps. Indeed, in the financial services industry authorities have been cracking down on the use of unregulated communications channels for a number of years. Numerous financial institutions have been fined, and some high-profile bankers have even lost their jobs as a result. Unfortunately the same cannot be said for some government organisations where use of consumer apps still appears to be widespread.
Emails of government employees and ministers are securely stored and have been for many years. So, with the ubiquity of instant messaging, why are these communications not treated in the same way? Many other countries’ governments have banned the use of consumer apps such as WhatsApp, Telegram and Signal, with France making an announcement last year. Given the amount of resources invested in IT systems, surely no organisation should be relying on free-to-use apps over which they have absolutely no control for business/government communications.
Consumer apps pose serious security risks but that’s not all
It’s not just that the use of un-sanctioned messaging apps to discuss state secrets pose a serious security threat, (as demonstrated recently when Russia hacked a German military video call that subsequently put British troops in danger) using these apps for business contravenes GDPR. These apps can also put individuals at risk from phishing and impersonation-based attacks that could result in compromise due to blackmail, as happened just a few weeks ago to a number of ministers, staffers and a political journalist.
Furthermore, consumer and mass-adoption apps do not meet the NCSC’s 7 Principles for Secure Communications, which translates to many government and public sector organisations NOT following the recommendations of the UK’s own technical authority for cyber security.
All this emphasizes the need for organisations to keep control of their own data – something that the use of consumer apps simply doesn’t allow.
Choose your secure comms platform carefully
When it comes to enterprise secure comms, organisations should avoid the lure of ‘shadow IT’ – just because people like it and everyone uses it does not make it acceptable, particularly when there are credible alternatives. A built-for-purpose, Secure by Design secure comms platform can provide an equally slick user experience plus the ability to manage and control data. Whether on-premises or a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures data sovereignty (your data stays on sovereign soil, i.e. you know where it is being held) and data separation (no mixing of data, be that different classifications of data, or business and personal).
Enterprise secure comms platforms provide additional services such as archive and audit, which enable the review of communications at a later date, to ensure compliance with regulations (GDPR, FOI, for example). None of this is available from consumer apps.
In short, our government officials and politicians should be leading by example, following the guidance of their own organisations. To understand how Armour Comms can help your organisation to take control of its data, even on BYOD devices, download our Buyer’s Guide, which includes 10 Top Questions you should be asking, or visit us at Cyber UK, 13 – 15 May, ICC, Birmingham.
