Solutions that secure instant communications provide cybersecurity, compliance, and data retention for instantaneous forms of digital messaging. These solutions reconcile two needs: the need to embrace the cloud apps that drive modern business, and the need to stay secure and compliant.
Modern enterprises need both internal and customer-facing communications to be instantaneous. This is the pace of communication that individuals and industries have come to expect. To fail to meet these expectations is to guarantee falling behind the competition.
WhatsApp, Facebook Messenger, WeChat and Telegram have approximately 2 billion, 1.3 billion, 1.2 billion, and 400 million users respectively.
In these apps, the instant communications that drive human connections take place. Engaging on these apps is mission-critical for enterprises that want to optimize the customer experience. Moreover, security teams don’t want to put limits on employees’ ability to build great relationships, but they are faced with the daunting task of securing apps they don’t own and into which, in most cases, they entirely lack visibility.
That’s because these apps exist outside the traditional security perimeter. This presents a serious security and compliance challenge in terms of visibility and risk remediation. Moreover, the sheer volume and velocity of instant communications occurring on these apps can be overwhelming for all risk teams.
“Fast-changing patterns of instant communications challenge enterprises looking for confidentiality and compliance assurances while enabling workforces and customers to communicate efficiently. Security and risk management leaders must address new use cases with new solutions.”
“Security and risk management leaders need to utilize a combination of policy, additional tools and monitoring to ensure compliance and secure usage of WhatsApp, WeChat and other popular communication apps.”
All modern businesses are undertaking digital transformation projects that rapidly increase their engagement with cloud-based communication applications. Enterprises know that new digital apps are no longer nice-to-haves, but are central to revenue growth and customer engagement, especially in high-growth emerging markets.
At every enterprise, mobile apps are increasingly a core part of operations, used across multiple departments. Apps such as LinkedIn, WeChat, WhatsApp, Telegram, Facebook, and Twitter are routinely used by marketing, sales, and customer experience teams. There is a need to implement effective methods of securing instant communication apps immediately, particularly apps that exist in the digital space.
Here is the core challenge: Security and compliance teams do not possess the visibility required to properly secure communications over insecure apps.
Tens of thousands of messages are often exchanged on these apps every month. But the teams responsible for making sure that these messages don’t contain security or compliance risks cannot get their arms around even 10% of these messages. Sampling – taking this 10% and treating it as representative of the other 90% – is a poor solution.
As a result, security and risk teams are faced with a lose-lose situation: They can try to forbid the use of these mobile communication apps. This choice is unrealistic and hurts business in an increasingly borderless digital landscape. Alternatively, they can accept that shadow use occurs, accept that staff will use these third-party apps even without explicit sign-off from IT, and accept the attendant risk exposure. This is untenable. Secure instant communications solutions offer the third way: The apps can be embraced, without any attendant risk exposure, as long as security is achieved.
Cybercriminals know that billions of people – and many lucrative businesses – are leveraging the mobile apps that facilitate instant communications. This means that a whole gamut of digital risks threatens the world of instant communications.
A simple click on a link is all it can take for malware or ransomware to strike. And bad actors are becoming increasingly skilled at crafting innocent-looking URLs that draw people in. Malware can now be skillfully embedded within innocuous files: Word documents, PDFs, or any other format.
Frequently, the cause of malware or ransomware getting loose is pure accident. A staff member shares what they believe to be a legitimate site or video – but they are unwittingly sharing a threat vector for malware. For example, they might share a file that someone they thought was a customer sent them on Telegram – only to find out this “customer” was actually a spear phisher, looking to gain access to the company infrastructure.
Making this worse is the fact that most communication tools frequently preserve the login credentials of former employees, or third parties, or other groups who may have reason to try and do harm to the enterprise. Most companies have no centralized, systematic way to manage account access.
Moreover, increasingly, ransomware possesses delayed mechanisms that allow it to evade initial detection. Even in the unlikely event that a manual review team casts an eye over an offending file or message, they might not spot it for what it is the first time around. Enterprises with secure communication tools are better prepared to fight and prevent this digital adversary.
Social engineering doesn’t happen at random. Bad actors carefully select their victims, locking in on targets they regard as high-value due to their title and organizational role. And the profiling of social engineering targets pulls in a wide range of cloud apps and services, particularly social media.
Cyber criminals are patient, and they do their research. Just as businesses use social media to gain valuable insights into their target audiences, spear-phishers and bad actors use profiling techniques to develop extensive profiles about potential targets. In fact, cybercrime is increasingly mimicking the practices of legitimate organizations to find, profile, and connect with high-value targets.
They routinely trawl through social networks to identify high-potential targets, before learning more about them by scouring their public profiles for details on their history, their job, their activities, their interests. To that end, the more people post about themselves on social media, the easier they make things for criminals.
Billions of confidential records are breached every year. Almost 90% are compromised via insiders, both malicious and inadvertent. A great portion of these are leaked through instant communication apps, chiefly messaging apps and collaboration platforms.
Consider how liberally sales teams use messaging apps such as WhatsApp and WeChat to contact customers and prospects. Reams of information.
All of these third-party cloud apps are swimming with sensitive data, and they play host to constant interactions with the wider digital world. Without visibility and oversight, they are inherently vulnerable to spear phishing attacks, ransomware payloads, account takeovers, or just acts of plain old bad judgement.
According to a recent cybersecurity report, insider threats have grown by 47% in 2020. This is no surprise, when most companies lack the capacity to secure communication apps generating thousands of interactions every day. Unfortunately, companies are aware of it, too. 59% of enterprise and IT and security professionals cite data loss as their biggest cyber safety concern, according to SafeGuard Cyber’s own research.
Companies in highly regulated industries – finance, healthcare, government – have to work hard to stay compliant. These regulations include heavy controls over how businesses can communicate with individuals. For example, pharmacovigilance laws contain rules around the discussion of adverse events and off-label use. Financial regulations restrict discussions of certain financial products. To stay compliant, companies need to be able to monitor all such discussions, and take swift action in real time when necessary.
This monitoring and visibility is very hard for companies to achieve when staff are increasingly embracing modern instant communication apps such as WhatsApp, WeChat, and so on. These apps are black boxes for risk teams. And within a large and steady stream of communications, just a handful of messages from one rogue sales agent could prove to be an issue. Even internal communications can present compliance issues; a real challenge when more than 90% of employees connect with their colleagues using instant messaging apps.
More and more, to do business, companies in healthcare, finance and other regulated industries need to embrace the third-party cloud apps that facilitate instant communications. But at present, many companies don’t have anywhere near the visibility and oversight they need to guarantee compliance.
Industrial espionage and state-sponsored attacks are cited by Gartner as one of the chief risks of instant communications, and 20% of the world’s corporate organizations see them as their biggest threat. What The Economist terms “offensive cyber-power – the ability to do harm in or through computer networks” is set to loom larger and larger in the coming years. Industrial espionage attacks often target the instant communication apps that both public and private sector executives use on a daily basis. However, most enterprises lack the visibility to see into these apps and detect when their staff are interacting with accounts or content that could be harmful.
One sobering example here is the Pegasus spyware. Produced by the Israeli NSO Group, Pegasus hit an estimated 1,400 WhatsApp users, many of them human rights activists, lawyers, dissidents, and journalists. The spyware came with malicious code that caused the infected mobile device to link to a remote server. Without the ability to detect threats emerging within WhatsApp, all of these victims lacked the protection layer they needed.
Similarly, Labyrinth Chollima, a North Korean threat actor, has used WhatsApp to deliver malicious payloads. With a last detected attack in June 2020, Labyrinth Chollima connects with enterprise employees on LinkedIn, and lures them to WhatsApp, where the victims are hit with malware-laced messages and content.
The theme of data retention and compliance ties strongly to the need to address compliance and regulatory threats. As Gartner describes it:
“In certain industries, regulations — such as the Health Insurance Portability and Accountability Act (HIPAA) and the regulations issued by the Financial Industry Regulatory Authority (FINRA) — encourage or require protection, auditing and archiving of communications… Data retention is an increasingly important feature, as it enables monitoring and archiving for regulatory compliance purposes, and instant deletion for security assurance.”
Increasingly, the lack of records of all corporate communications constitutes a major breach of compliance and governance laws. However, most instant messaging apps don't retain data as standard. A comprehensive data trail is essential for many modern enterprises; effective processes for protection, auditing, and archiving must be implemented. This is where secure instant communications solutions come in.
As standard, many companies find themselves storing people’s personally identifiable information (PII). It is their responsibility to safeguard this sensitive data in adherence with governmental and global compliance regulations. HIPAA includes strict rules around patient data. As healthcare practitioners increasingly move to instant communication apps and tools generating thousands of messages every day, adhering to these regulations is harder than it was in the pen and paper era.
The same goes for FINRA (the Financial Industry Regulatory Authority), which regulates the conduct and communications of banks, credit unions, stockbrokers, and brokerage firms. FINRA’s Regulatory Notices 10-6 and 11-39 refer to the corporate use of social media and record-keeping, while SEC Rule 17a-4(b) orders financial firms to preserve all social media and other digital communications by their employees for at least 3 years.
These compliance requirements cannot be fully met without the right solution to secure communication. This means solutions that loop in the third-party cloud apps over which many enterprises currently have zero visibility. Data retention requires that companies extend archiving to third-party instant messaging apps, such as WeChat and WhatsApp.
Some secure instant communications solutions are partly or wholly tied to devices. Many such solutions include “a hardware-based root of trust. This can be the secure enclave or trusted execution environment (TEE) natively available on mobile devices, or a microSD card. Some solutions are instead part of stand-alone hardened smartphones.”
As Gartner acknowledges, “software-only solutions in the form of an application are the easiest to deploy and run.” Hardware-based solutions “impact user experience.” But there is a deeper issue here. Securing devices is a dated, vulnerable approach.
The future of communication app security lies in securing applications, not devices. The BYOD era is waning, because the cloud apps where communications happen are device-agnostic. They can be accessed through an app or a browser, with the device only ever acting as a conduit.
Properly securing apps means instantiating protection at the moment of interaction, at the level of the cloud.
When enterprises weave secure communication into a Security by Design posture, when they integrate effective methods of securing these apps into their strategy, defense translates into offense. Knowing that they are secure, IT teams can give sales and marketing the green light to drive revenue.
A Global100 pharmaceutical company needed to improve interactions with healthcare providers in the crucial market of Brazil. To achieve this goal, the company's 400+ person field force needed to leverage WhatsApp, Brazil's most popular messaging platform. However, the company had no way to ensure that WhatsApp was protected against both security threats and compliance violations. They couldn’t meet customers on their own terms, and sales were suffering as a result.
With our security solution, the company achieved 100% coverage of all their WhatsApp communications – over 118,000 messages every month. Our platform automatically detects and quarantines potential malware threats in links or attachments, and flags potential compliance issues, protecting the field force. As a result, sales interactions are now far more frequent, and of much higher quality.
An asset management firm controlling $50B in assets needed to optimize communications with the Chinese market. Penetrating this market required empowering their asset managers to utilize WeChat. However, China possesses strict censorship laws and complex regulations. Without an added layer of protection, it was impossible for the firm to ensure that their managers’ communications were remaining compliant. Outreach was suffering.
By investing in our secure communication solution, the firm’s asset managers can now freely engage with the Chinese market, while ensuring communications are compliant and 100% archived. Each month, our platform secures an average of 880 WeChat messages, automatically flagging all indicators of malicious content, ransomware, data leakage, and compliance violations. All WeChat content flows seamlessly into the firm’s existing Global Relay archive, creating further efficiency gains.
“Threats to mobile applications and devices pose security risks to global enterprises. Security and risk management technical professionals responsible for IT security, especially in organizations with high security or compliance needs, must have an in-depth strategy to defend mobile devices.”
Enterprises now face increasingly tough regulatory environments, where all digital communications are subject to compliance and supervision controls over policy concerns ranging from business conduct and data privacy to industry-specific regulations (e.g. FINRA, SEC, FDA).
With the increasing velocity, variety and volume of digital communications, the ability to capture and supervise multiple channels requires a more flexible, scalable, highly automated approach to effectively manage compliance risk.
Failure to provide governance and compliance for these apps may have many adverse impacts on the enterprise, including the stall-out of digital transformation initiatives, increased use of unsanctioned apps, and increased fines, penalties and litigation expense for resulting compliance violations.