Instant and secure communication solutions provide cybersecurity, compliance, and data retention for instantaneous forms of digital messaging. These solutions reconcile two needs: the need to embrace the cloud channels that drive modern business, and the need to stay secure and compliant.
“Fast-changing patterns of instant communications challenge enterprises looking for confidentiality and compliance assurances while enabling workforces and customers to communicate efficiently. Security and risk management leaders must address new use cases with new solutions.”
- Gartner, Market Guide for Instant Communications Security and Compliance
Modern enterprises need internal and customer-facing communications to be instantaneous. This is the pace of communication that individuals and industries have come to expect. To fail to meet these expectations is to guarantee falling behind the competition.
It is in these cloud messaging channels that the instant communications that drive human connections take place. Engaging these channels is mission-critical for enterprises that want to optimize the customer experience. Moreover, security teams don’t want to put limits on employees’ ability to build great relationships, but they are faced with the daunting task of securing channels they don’t own and, in most cases, have no visibility into at all.
That’s because channels exist outside the traditional security perimeter. This presents a serious security and compliance challenge in terms of visibility and risk remediation. Moreover, the sheer volume and velocity of communications occurring on these channels can be overwhelming for all risk teams.
“Security and risk management leaders need to utilize a combination of policy, additional tools and monitoring to ensure compliance and secure usage of WhatsApp, WeChat and other popular communication apps.”
All modern businesses are undertaking digital transformation projects that rapidly increase their engagement with cloud applications. Enterprises know that new digital channels are no longer nice-to-haves, but are central to revenue growth and customer engagement, especially in high-growth emerging markets.
In every enterprise, mobile channels are increasingly a core part of operations, used across multiple departments. Channels such as LinkedIn, WeChat, WhatsApp, Telegram, Facebook, and Twitter are routinely used by marketing, sales, and customer experience teams.
Here is the core challenge: Security and compliance teams do not possess the visibility required to properly secure these instant communication tools.
Tens of thousands of messages are often exchanged on these channels every month. But the teams responsible for making sure that these messages don't contain security or compliance risks cannot get their arms around even 10% of these messages. Sampling – taking this 10% and treating it as representative of the other 90% – is a poor solution.
As a result, security and risk teams are faced with a lose-lose situation. They can try to forbid the use of these mobile communication channels, but this choice is unrealistic and hurts business in an increasingly borderless digital landscape. More commonly, they accept that shadow use occurs, and accept the attendant risk exposure. This is untenable. Secure instant communications solutions offer a third way: the channels can be embraced without any attendant risk exposure.
Cybercriminals know that billions of people – and many lucrative businesses – are leveraging the mobile channels that facilitate instant communications. This means that a whole gamut of digital risks threaten the world of instant communication.
Compliance and Regulatory Threats
Companies in highly regulated industries – finance, healthcare, government – have to work hard to stay compliant. These regulations include heavy controls over how businesses can communicate with individuals. For example, pharmacovigilance laws contain rules around the discussion of adverse events and off-label use. Financial regulations restrict discussions of certain financial products.
To stay compliant, companies need to be able to monitor all such discussions, and take swift action when necessary.
This monitoring and visibility are very hard for companies to achieve when staff are increasingly embracing modern instant communication channels such as WhatsApp, WeChat, and Telegram. These channels are black boxes for risk teams. And within a large and steady stream of communications, just a handful of messages from one rogue sales agent could prove to be an issue. Even internal communications can present compliance issues; a real challenge when more than 90 percent of employees connect with their colleagues using instant messaging apps.
More and more, to do business, companies in healthcare, finance and other regulated industries need to embrace the third-party cloud channels that facilitate instant communications. But at present, many companies don't have anywhere near the visibility and oversight they need to guarantee compliance.
Enterprises know this is an issue. A Florida-based broker was fined $5,000 and suspended 30 days without pay for messaging three clients through WhatsApp without the approval of management. But an approach like this is a whack-a-mole tactic that cannot guarantee long-term stability to business operations.
Industrial Espionage & State-Sponsored Attacks
Cited by Gartner as one of the chief risks of instant communications, industrial espionage and state-sponsored attacks are seen by 20 percent of the world's corporate organizations as their biggest threat. What The Economist terms “offensive cyber-power – the ability to do harm in or through computer networks” is set to loom larger and larger in the coming years. Industrial espionage attacks often target the instant communication channels that both public and private sector executives use on a daily basis. Why? Because these channels are the most vulnerable: most enterprises lack the visibility to see into these channels and detect when their staff are interacting with accounts or content that could be harmful. Similarly, account takeovers and impersonations of employees and executives are becoming increasingly common, and threat teams can’t stop them if they haven’t got the tools to manage them.
One sobering example here is the Pegasus spyware. Produced by the Israeli NSO Group, Pegasus hit an estimated 1,400 WhatsApp users, many of them human rights activists, lawyers, dissidents, and journalists. The spyware carried malicious code that caused the infected mobile device to link to a remote server. Without the ability to detect threats emerging within WhatsApp, all of these victims lacked the protection layer they needed.
Similarly, Labyrinth Chollima, a North Korean threat actor, has used WhatsApp to deliver malicious payloads. With a last detected attack in June 2020, Labyrinth Chollima connects with enterprise employees on LinkedIn, and lures them to WhatsApp, where the victims are hit with malware-laced messages and content.
Insider Threats & Data Loss
Billions of confidential records are breached every year. Almost 90% are compromised via insiders, both malicious and inadvertent. A great portion of these are leaked through instant communication channels, chiefly messaging apps and collaboration platforms.
All of these third-party cloud channels are swimming with sensitive data, and they play host to constant interactions with the wider digital world. Without visibility and oversight, they are inherently vulnerable to spear phishing attacks, ransomware payloads, account takeovers, or just acts of plain old bad judgement.
According to a recent cybersecurity report, insider threats have grown by 47% in 2020. This is no surprise, when most companies lack the capacity to secure the instant communications channels generating thousands of interactions every day.
The theme of data retention and compliance ties strongly to the need to address compliance and regulatory threats.
“In certain industries, regulations — such as the Health Insurance Portability and Accountability Act (HIPAA) and the regulations issued by the Financial Industry Regulatory Authority (FINRA) — encourage or require protection, auditing and archiving of communications...
Data retention is an increasingly important feature, as it enables monitoring and archiving for regulatory compliance purposes, and instant deletion for security assurance.”
Increasingly, the lack of records of all corporate communications constitutes a major breach of compliance and governance laws. However, most instant messaging apps don't retain data as standard. A comprehensive data trail is essential for many modern enterprises; effective processes for protection, auditing, and archiving must be implemented. This is where secure instant communication solutions come in.
As a result, many companies find themselves storing people’s personally identifiable information (PII). It is their responsibility to safeguard this sensitive data in adherence with local and global compliance regulations. HIPAA includes strict rules around patient data. As healthcare practitioners increasingly move to instant communications tools generating thousands of messages every day, adhering to these regulations is harder than it was in the era of only using email.
The same goes for FINRA (Financial Industry Regulatory Authority), which regulates the conduct and communications of banks, credit unions, stockbrokers, and brokerage firms. FINRA’s Regulatory Notices 10-6 and 11-39 refer to the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) orders financial firms to preserve all social media and other digital communications by their employees for at least 3 years.
These compliance pressures cannot be fully adhered to without the right solution. This means solutions that loop in the third-party cloud channels over which many enterprises currently have zero visibility. Data retention requires that companies extend archiving to third-party instant messaging apps, such as WeChat and WhatsApp.
Beyond the Device: The Imperative to Secure Apps
Some secure instant communications solutions are partly or wholly tied to devices. Many such solutions include “a hardware-based root of trust. This can be the secure enclave or TEE (trusted execution environment) natively available on mobile devices, or a microSD card.” Some solutions are instead part of stand-alone hardened smartphones.
As Gartner acknowledges, “software-only solutions in the form of an application are the easiest to deploy and run.” Hardware-based solutions “impact user experience.” But there is a deeper issue here. Securing devices is a dated, vulnerable approach.
The future of securing instant communications lies in securing applications, not devices. The BYOD era is waning, because the cloud channels where communications happen are device-agnostic. They can be accessed through an app or a browser, with the device only ever acting as a conduit.
Properly securing instant communications requires delivering protection at the moment of interaction and at the level of the cloud.
The Business Benefits of Securing Instant Communications
When enterprises weave secure instant communications into a Security by Design posture, defense translates into offense. Knowing that they are secure, IT teams can give sales and marketing the green light to drive revenue.