Why enterprises need messaging apps that go beyond encryption

Back in the day, bulletin boards, internal newsletters and printed employee magazines were how enterprises encouraged internal communication among employees. But then everything changed: increasingly, enterprises had to contend with moving to shared offices and expanding globally, while many employees began demanding remote working arrangements. As such, enterprises needed to rethink how they could communicate with staff, while enabling communication between staff, both strategically and frequently.

As enterprises looked for ways to support these new working arrangements without compromising the experience for their workers and customers, all while keeping costs at a reasonable level, consumer-based messaging apps emerged as a popular choice. On the face of it, this shift made sense: these messaging apps allowed workers to communicate via their personal devices, often with push notifications, from anywhere that had access to the internet.

Security risks

In recent times, however, it’s become almost impossible to ignore the elephant in the room: security vulnerabilities. It feels as if every week we read headlines of these very tools being compromised by hackers.

While many mobile messaging apps, such as WhatsApp and Viber, have made encrypted mobile communications a default setting for their users, the reliability of the systems they run on remains questionable. Indeed, most of these apps hold data on servers that are completely out of the users’ control. Research by Talos Intelligence into some of the market-leading messaging apps that boast of strong security capabilities (WhatsApp, Telegram and Signal) found that attackers could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to.

Furthermore, in May 2019, the FT reported that a vulnerability in the WhatsApp voice libraries was being exploited to enable sophisticated spyware to be pushed directly to victims’ smartphones. Compromised devices would be prone to theft of much, if not all, sensitive information.

According to John Bailie, head of marketing, SaltDNA, while these new apps are trying to move in the right direction for their customers, these consumer apps should not be confused with enterprise-grade encryption solutions for mobile communications.

“It’s very simple to tap into somebody’s mobile communications,” he said. “Ten years ago, IMSI catchers, devices for intercepting and eavesdropping on mobile phones, are portable, cost thousands; nowadays they’re affordable and easily available for anyone to purchase on the likes of eBay and Alibaba, or to build yourself.”

Lack of control

There’s another problem with these consumer-based messaging apps in the enterprise: there’s no central control and no knowledge of who is using them, who is communicating with whom, and the frequency of those communications.

Bailie argued that this is a big problem for meeting compliance requirements in regulated industries such as healthcare and finance, and for industries like law enforcement, where communications records must be saved to ensure accountability.

He said: “Organisations in these sectors need to be able to choose how their metadata is being stored and monitored; they also need to be able to wipe the data straight away if needs be. Furthermore, they need control over how it’s branded.

“Just as enterprises don’t rely on an employee’s personal device to protect their data networks and sensitive information, they also don’t rely only on their employee’s encrypted app to protect their mobile communications. Enterprises control who has access to which applications in the data centre and can see who accesses what and when; they need the same visibility and control to truly secure their mobile communications. Enterprise customers simply demand it.”

SaltDNA is part of Tech Nation Cyber — the UK’s first national scaleup programme for the cyber security sector. It is aimed at ambitious tech companies ready for growth.

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.