With all the security breaches in the news today, it’s astounding that the natural tendency for IT and security teams is to continue to be reactive. Upon confirmation of a cyber-related event, security teams work diligently to ‘stop the bleeding’ before conducting forensics to determine the attack signature and attack vector, which might ultimately shed light on how the attack was perpetrated. Then, whether out of genuine remorse towards customers, a moment of humility, or Board appeasement, security policies and procedures are reaffirmed, updated or changed entirely. That is, until the next attack occurs and the cycle begins again.
To reduce the likelihood and frequency of the scenario illustrated above, corporate governance and IT teams are increasingly ‘locking down’ end-users’ access to both personal and corporate-issued devices. This risk mitigation strategy is frequently driven by the belief that humans are the weakest link in the security chain. Even as BYOD has emerged as the norm and not the exception, enterprises are tightening the belt on what employees can access on their devices and when they can access it. Such mobile limitations are somewhat ironic, especially as many of those same enterprises are in the midst of digital transformations in which a primary objective is to empower workers with productivity and efficiency benefits that only mobile can provide.
One of the unintended consequences of the ‘mobile lockdown’ is the proliferation of shadow IT. While such constraints are by no means the only trigger to stealth tech, they are one of the most frequently cited reasons business units and employees skirt around rules and regulations. Shadow IT refers to any technology built and deployed that is not sanctioned by the enterprise IT or security teams. Such unauthorized technology—which can include anything from data repositories, file sharing apps and APIs, to user-limited controls, cloud-based services and communications platforms—is accelerating new security and compliance issues.
The Rise of Text Messaging as a Business Communications Medium
Due to its speed and concise nature, text messaging has quickly become the preferred communication method to get work done as opposed to email and phone calls. In fact, already 80 percent of workers report using SMS texts as part of doing business, while nearly 70 percent of employees think their organization should use text messaging to communicate with employees.
However, enterprises, especially those with compliance requirements, often wholly disallow texting from corporate-issued phones or as part of a BYOD policy, forcing workers to embrace shadow apps that they deem essential to performing their job functions. Interestingly, organizations will acknowledge that, despite such policies, employees will still text whether they know about the provision or not. In fact, according to Seyfarth Shaw LLP, even if email communications are the sanctioned form of communication in the workplace, employees will still text.
Such an intolerance of messaging apps has led to a significant increase in the deployment of shadow messaging and communications apps as well as the adoption of free apps like WhatsApp. These messaging platforms are used for file sharing (sometimes of proprietary or confidential files), and for communicating in confidence with colleagues and stakeholders.
The reality, unfortunately, is that “in confidence” is only partially true, since message recipients may use the content exactly how they please. This reality also includes forwarding messages inappropriately—think competitor or press—providing unauthorized access to people who shouldn’t see content, and even posting sensitive information on social media. There is of course also the concern over human error, which is just as likely to put sensitive information into the wrong hands as a malicious act from an inside threat or an outside adversary. Regardless of circumstance, once “send” is hit, control is lost, and organizations risk data breaches and compliance issues as a result.
Secure Messaging Apps Keep Control with the Sender
Organizations may be under the impression that they can prevent risky text communications through corporate policies and mandates. However, employees are not likely to follow these rules.
By deploying an approved, secure texting solution, the enterprise is not only adapting to the preferences of today’s workers, but it is embracing the benefits of discussing sensitive matters via text. Today’s modern secure messaging solutions alleviate the risks associated with native SMS text, so organizations can leverage the efficiency of modern-day mobile messaging without risking business information leaks and sensitive data breaches. With advanced secure messaging, the sender maintains complete control of the conversation, the data and its use at all times, preventing unintentional sharing, data theft and propagation of information. Further, unlike native SMS texting, secure messaging ensures all texts are captured and archived to the organization’s repository of record for compliance purposes and processes while removing texts from sender and recipient devices.
Neither shadow IT, data breaches nor human error is going away anytime soon. By bringing messaging apps out of the shadows and into the mainstream, organizations can reduce the risk of both outside and inside threats to the enterprise.
About Dr. Galina Datskovsky
Dr. Galina Datskovsky, CRM, FAI, is a serial entrepreneur and an internationally recognized privacy, compliance and security expert. Galina is the CEO of Vaporstream®, a leading provider of secure, ephemeral and compliant messaging.
(Article originally published in ITSPMagazine on November 30, 2017 by Dr. Galina Datskovsky)