Has your business adopted Slack or WhatsApp for internal communications? Are your people using Discord to collaborate? Could your employees be DMing each other on Facebook about that new feature they’re developing?
Human beings will always look for new ways to make their lives easier. If they believe a certain path or tool simplifies their work, they’ll use it. And so your employees send a quick DM over Facebook Messenger rather than through your secure email system, because they happen to already be on Facebook.
Let’s say that message contained proprietary information about your product. Or it mentioned a client’s late invoice. Or it was a password. How do you know that information is secure? Sure, you likely have policies prohibiting these activities, but let’s live in reality.
Consumer messaging apps are ubiquitous, popular, and convenient. The more you use them, the less you question them, and they become a habit. But consumer apps aren’t always designed to meet the advanced security needs of an organization that handles sensitive information.
If your people are using these apps for work, you could be flirting with disaster.
The Risks of Consumer Messaging Apps
There are countless communications apps in the marketplace, but not all of them are designed for business use. Consumer messaging apps are easy and convenient, but they aren’t all secure. Even apps that have been around for a long time are often lacking in data security.
Today’s work environment is blurrier than ever. Personal devices are used for work, remote employees sign into work email during downtimes, personal tabs are open during lunch and breaks. Your employees are constantly using their own devices and often have the ability to use any app at any time, without restrictions.
When you have users who aren’t security adept operating devices without restrictions, there’s a lot of opportunity for things to go sideways. The spread of communication within your organization is like a wildfire, and you need to gain, monitor, and maintain control over it.
Many consumer messaging tools have been widely adopted by businesses, either officially or by practice. A lot of these apps give lip service to security, but they don’t truly manage or maintain a full-scale security program.
The mobile app arena is like the Wild West, and there are all sorts of privacy and protection issues. For example, TikTok is continually getting battered and beaten up in the media for their stance on access to users’ data and the exposure of that data.
Your organization needs to know what’s going on at work — and you need to implement policies with teeth that will protect your sensitive data. Otherwise, you’re just asking for disaster.
Provide Governance for Messaging Apps
When consulting with clients, I’ve personally witnessed their employees moving business data through personal Dropbox accounts. I’ve seen people transmitting sensitive information by texting and using various communication platforms on their personal devices.
In many cases, it happens because the organization itself doesn’t provide governance with monitoring over the tools that employees use.
There’s a balance: on the one hand, your people need the right tools to communicate easily and conveniently. On the other hand, you need to keep your organization’s information secure. You need to understand your employees’ needs and to establish governance for apps and devices that can be used for business purposes.
If you don’t take those steps, personnel will find a way to do their jobs as conveniently as possible. And often, that means using an unsecured consumer messaging app on their phone or laptop.
How do you control your data when employees don’t have mobile devices dedicated for work? It’s a fuzzy issue with no single right answer.
- Some organizations just shrug their shoulders and hope nothing happens.
- Others train all of their employees to use devices securely.
- Some companies install a mobile management app on employees’ personal devices, which segments phones into work-only and personal-only segments on the device.
- Many organizations will issue devices for business purposes, and prohibit any work-related activities on personal devices.
It’s a sticky problem, but it starts with providing guidance to your personnel about how you want them to be doing things and what communication platforms are sanctioned for work use.
How to Vet Communications Apps
In a mature security environment, applications go through a rigorous review process before they’re approved for work use. You must vet the security and compliance stance of each vendor.
Analyze your people’s needs and your business processes to determine your policy on messaging apps. Evaluate the needs of your organization against the tool sets that you currently have in place.
When considering a new messaging app, conduct a thorough vendor assessment. Request their third-party security documentation (audit reports, certifications, and the like). Do your own research online to see whether they’ve had any breaches or security issues recently, and review each reported issue from the perspective of what shortcoming in their security posture must have allowed it to happen. You can tell a lot about the maturity of a vendor’s security program from the nature of the breaches they report.
Only endorse secure and compliant messaging apps that have been fully validated and have ongoing monitoring as part of your continual compliance management process for vendors.
There are many enterprise-grade platforms that can give you the communication and messaging capabilities your personnel need. And often, they’re already in place in your organization — you may just need to purchase an upgrade or activate the messaging feature.
For example, many organizations already rely on Microsoft solutions for a broad range of capabilities, and messaging is one of them — Microsoft Teams offers secure messaging, video conferencing, and other communications tools that are designed specifically for the enterprise, with a security focus.
Some Quick Rules of Thumb
As a general rule, there are certain types of apps you can eliminate from consideration pretty quickly.
At the top of the Do Not Download list is software that originates from countries that the U.S. government has deemed as risks from a data perspective. TikTok is the poster boy for that category.
Avoid apps from smaller companies that have experienced recent or repeated security issues.
If the app is sold primarily to consumers rather than enterprises, expect weaker security practices. There are exceptions to the rule, but these apps usually won’t be solid choices for your business.
Keep Communication Secure
When it comes to the question of using consumer messaging apps for business, it comes down to this: analyze your needs, establish your policy, communicate the policy, educate your employees, and monitor communication (trust, but verify). To the degree that you can do it reasonably, keep your personnel accountable for their device and app use.
Also keep internal communication as convenient as possible. If you provide secure messaging apps that are user-friendly and meet your internal needs, you’ll reduce the temptation for personnel to skirt the rules.