Instant messaging platforms: are they secure enough?

Unless you’ve been living under a rock, chances are you’ll have noticed that business communications are shifting away from email to a diverse range of instant messaging platforms. These days, business departments are being pressured to either tolerate employees conducting business with consumer chat solutions, such as WhatsApp, or empower them by scaling an instant messaging platform across the enterprise.

This shift has come with many benefits; employees can chat more easily instantly, anytime and anywhere. For businesses, instant messaging has opened up more intimate opportunities to communicate with staff and customers. Due to increasing levels of phishing attacks, there’s also a growing consensus that email no longer meets the needs of businesses that rely on secure and verifiable communications.

But are instant messaging platforms really any better? The answer: probably, but this does not mean they are risk-free.

According to Douglas Orr, CEO and founder of Novastone, the harsh reality is that most instant messaging apps are not built with security truly hard-wired into them and businesses need to look beyond these apps for security.

“The business model of these companies is not about security, it’s about connecting users to other people,” said Orr. “They tend to want your address book so they can spam all your friends with invitations to the platform or they want to target ads based on the conversations you’ve been having. Security has taken a backseat.”

Douglas Orr, CEO and founder of Novastone

Security issues and instant messaging

It appears while many messaging apps on the market talk of encryption or authentication, there’s often question marks around the systems they run on; indeed most of these apps hold data on servers that are completely out of the users’ control.

As a case in point, research by Talos Intelligence into three leading messaging apps that boast of strong security capabilities — Telegram, WhatsApp and Signal — found that attackers could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to.

Tech Nation’s cyber security cohort: Novastone’s company profile

Mobile messaging has revolutionised the way we communicate but it’s introduced new security challenges. Novastone can help

“If an attacker can copy the session tokens from a desktop user, then it will be able to hijack the session,” said Vitor Ventura, technical lead/security researcher at Talos Security. “The attacker won’t need anything else other than the information that is stored locally. It doesn’t matter if the information is encrypted or not — by copying this information, the attacker will be able to use it to create a shadow session.”

That’s not the only vulnerability, content that is being shared on many of these platforms is also at risk of being downloaded, screenshot or copied; not the mention that organisations have no record of what employees are sharing and with whom.

Making instant messaging secure

Where does this leave businesses? Should they continue letting staff use instant messaging applications?

The challenge, according to Orr, is finding a way to move forward where your business can enjoy the innovations of instant messaging platforms in a secure manner.

While introducing new security protocols — such as establishing a corporate instant messaging usage — is most definitely a move in the right direction, it may not be enough. One of the better options is to deploy an internal instant messaging system.

Cyber security scores: a new standard in mitigating risk?

Andrew Martin, founder and CEO of DynaRisk, explains how cyber security scores are improving employee engagement for enterprises

However, according to Orr, “the problem with many of the internal instant messaging platforms on the market is that that they are just trying to create another chat-room platform for collaboration and reject all the new forms of media.”

This is where Novastone differs from its competitors, it integrates to numerous instant messaging APIs and sits them into a secure and compliant environment. Meaning employees can still use their instant messaging platforms and security is stronger.

Novastone is part of Tech Nation Cyber — the UK’s first national scaleup programme for the cyber security sector. It is aimed at ambitious tech companies ready for growth.

Avatar photo

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders; helping them manage business critical issues both for today and in the future