Companies have shifted their operations online, and secure instant messaging apps have grown more important than ever. Cloud-based communications offer many advantages in terms of efficiency and productivity, but they also present new security and compliance issues, like instant messaging security risks.
In terms of security, news of malware like Echelon, and threat actors like Lazarus and Russia’s nation-state actors, continue to keep IT and security professionals on their toes. On the regulatory side, financial services and pharmaceutical enterprises have received billions of dollars in fines due to violations related to mobile messaging platforms.
Security and risk teams are faced with either forbidding these mobile messaging apps or accepting shadow use and attendant risk exposure. However, secure messaging solutions help reconcile these by offering a way to stay secure and compliant while embracing the cloud-based communication apps that drive modern business.
Modern businesses have rapidly increased their engagement with cloud-based, mobile messaging applications. These channels have helped grow revenue and engage more customers, especially in high-growth emerging markets.
However, a real challenge has emerged: Security and compliance teams do not possess the visibility required to secure communications over insecure apps properly.
Here’s the thing: It would be so simple to say that companies could just deploy secure messaging solutions and call it a day. But the truth is that many employees have intentionally circumvented security and compliance policies to gain competitive advantages. It does not matter how “secure” your communication tool is. If it hinders an employee from gaining these advantages, there’s a great chance they’d find loopholes to those “barriers”. The results are hundred-million-dollar fines for each institution, culminating in billions of dollars worth of penalties:
- The amount that the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) levied against 16 Wall Street banks and financial institutions for using WhatsApp and other “off-channel” services to communicate, in violation of recordkeeping policies.
- The amount that various pharmaceutical companies have collectively been fined for off-label or unapproved promotion of medical products in 2022 alone.
With social selling compliance growing tighter due to new policies enacted in November 2022, we can expect more enforcement on recordkeeping and compliance violations in the coming months. Ensuring secure instant messaging for business is not only a luxury; it’s a necessity at this point.
So, what instant messaging security risks plague mobile messaging and communication applications? How do they threaten the safety of an enterprise and its data?
A whole gamut of digital risks threatens mobile messaging apps. From malware and ransomware to social engineering to identity theft and fraud, cybercriminals exploit mobile apps in several ways.
A simple click on a link is all it can take for malware or ransomware to be delivered. And bad actors are becoming increasingly skilled at crafting innocent-looking URLs that draw people in. Malware can now be skillfully embedded within innocuous files and have various targets – money, credentials, and even cryptocurrencies.
Case in point: Our threat intelligence team detected a credential-stealing piece of malware being posted in a cryptocurrency-trading Telegram channel that we monitor. The malware, dubbed ‘Echelon,’ performs various functions such as harvesting credentials, crypto wallets, and device details.
This incident may seem isolated, but it points to the risk exposure faced by financial institutions as they embrace modern communication, including mobile messaging apps like WhatsApp and Telegram, to conduct business.
Social engineering doesn’t happen at random. Bad actors carefully select their victims, locking in on targets they regard as high-value due to their title and organizational role. The profiling of social engineering targets pulls in a wide range of cloud apps and services, including the mobile messaging components of social media platforms.
For example, social engineering was at the heart of every Lapsus$ breach, including their attack on Uber, which forced the company to shut down several of its internal communication channels.
The Lazarus APT group used social engineering tactics to steal $625M in crypto from Axie Infinity. At the time, that amounted to more than half a billion dollars. An employee fell victim to a simple, but convincing, fake job offer that the attackers sent through LinkedIn.
To give a final example, in June of 2022, LinkedIn’s Threat Prevention and Defense team detected the Lazarus group creating fake profiles to target technical support professionals and engineers employed at media and IT companies in the US, UK, and India. These “profiles” posed as recruiters encouraging their targets to “apply for an open position at one of several legitimate companies.”
Here’s a quick summary of how insider risks and data loss have affected companies in the past few years:
- Insider threat incidents have increased 44% over the past two years, costing more than $15M per incident.
- Credential theft has become the most common insider threat, resulting in $4.6 million in losses.
- More than two out of three insider incidents happen because of negligence.
- Financial companies have the highest insider threat cost — $21.25M (up 47% from the previous year).
- The top three motives for an insider attack are fraud (55%), monetary gain (49%), and IP theft (44%).
Companies in highly regulated industries such as life sciences and finance must work hard to stay compliant. Regulations include heavy controls over how businesses can communicate with individuals. For example, pharmacovigilance laws contain rules around discussing adverse events and off-label use. Financial regulations restrict discussions of certain financial products. To stay compliant, companies need to be able to monitor all such discussions and take swift action in real time when necessary.
In 2022 alone, various pharma companies were fined over $8.2B with off-label promotion as their primary violation. Secure mobile messaging tools help enterprises in these sectors address these compliance and recordkeeping concerns.
In early 2022, Russia invaded Ukraine unprovoked, causing an all-out war that has resulted in thousands of deaths and millions of displaced people. But the war did not just happen physically — Russia’s nation-state actors also launched cyberattacks against Ukraine’s government.
Microsoft observed that nation-state actors grew more brazen, taking advantage of the chaos by sowing more chaos of their own.
“During the past year, cyberattacks targeting critical infrastructure jumped from comprising 20% of all nation-state attacks Microsoft detected to 40%. This spike was due, in large part, to Russia’s goal of damaging Ukrainian infrastructure and aggressive espionage targeting of Ukraine’s allies, including the United States.”
Russia’s attempts to compromise IT firms in NATO member countries have also accelerated. Research found that 90% of Russia-based cyberattacks in the past year targeted NATO member states, with 48% targeting IT firms based in NATO countries.
Beyond that, Microsoft’s 2022 Digital Defense Report also reveals that 53% of these attacks targeted other sectors like education, as well as think tanks and NGOs.
The lack of complete records of all corporate communications, including those sent through mobile messaging apps, constitutes a major breach of compliance and governance laws.
This is why institutions like the SEC and FINRA (the Financial Industry Regulatory Authority) continue to find ways to regulate the conduct and communications of banks, credit unions, stockbrokers, and brokerage firms. Regulatory Notices 10-6 and 11-39 refer to the corporate use of social media and record-keeping. At the same time, SEC Rule 17a-4(b) orders financial firms to preserve all social media and other digital communications by their employees for at least three years.
For life science companies, pharmacovigilance laws from the US Food and Drug Administration (FDA) and patient data protection laws like the Health Insurance Portability and Accountability Act (HIPAA) set the regulatory compliance requirements.
These compliance requirements cannot be fully met without the right solution for securing mobile messaging. This means solutions that loop in the third-party cloud apps over which many enterprises currently have zero visibility. Data retention requires that companies extend archiving to third-party mobile messaging platforms, such as WhatsApp, Telegram, and Signal.
Tens of thousands of messages are often exchanged monthly on mobile messaging platforms. But the teams responsible for ensuring that these messages don’t contain security or compliance risks cannot get their arms around even 10% of these messages. They simply have little to no access to the data.
Even with 66% of companies planning to increase their cybersecurity spending to enhance their defensive postures, the effectiveness of a company’s cybersecurity stance still relies upon (1) how willingly its employees adhere to its security policies and (2) how the cybersecurity platform affects employee productivity and communication. Even now, some people still identify cybersecurity as a hindrance to their work processes.
Sixty-seven percent of employees admit to circumventing security protocols because the protocols either:
- hindered productivity,
- required extra energy and time,
- forced the employees to do things differently, or
- made them feel monitored all the time.
As a result, security and risk teams face a lose-lose situation: They can try to forbid the use of these mobile messaging apps. This choice is unrealistic and hurts businesses in an increasingly borderless digital landscape. Alternatively, they can accept that shadow use occurs, accept that staff will use these third-party apps even without explicit sign-off from IT, and accept the attendant risk exposure.
This is untenable. Secure mobile messaging solutions offer the third way: The apps can be enabled, without any attendant risk exposure, as long as security is achieved.
Some secure instant communications solutions are partly or wholly tied to devices. Many such solutions include “a hardware-based root of trust. This can be the secure enclave or trusted execution environment (TEE) natively available on mobile devices or a microSD card. Some solutions are instead part of stand-alone hardened smartphones.”
As Gartner acknowledges, “software-only solutions in the form of an application are the easiest to deploy and run.” Hardware-based solutions “impact user experience.” But there is a deeper issue here. Securing devices is a dated, vulnerable approach.
The future of communication app security lies in securing applications, not devices. The cloud apps where communications happen are device-agnostic. For example, employees can use WhatsApp on both their personal phones and through a browser window on their corporate laptops. The device doesn’t matter much, because it only acts as a conduit for the comms.
Properly securing messaging therefore means protecting each communication at the moment of interaction, at the cloud level.
When enterprises integrate effective methods to secure mobile messaging into their strategy, defense translates into offense. Knowing that they are secure, IT teams can give sales and marketing the green light to drive revenue. Cases in point:
A Global 100 pharmaceutical company needed to enable WhatsApp to compete in Latin American markets. Our platform enabled the company to adopt WhatsApp for a multi-country field force while maintaining compliance. The results:
- Rapid time-to-value across 15 countries in Latin America
- Automated supervision of 40+ regional regulatory policies across 100,000+ messages per month
- 4,000+ violations detected per month through automated compliance
A leading financial services firm bridging institutional investing to cryptocurrency markets wanted to enable Telegram for business. With help from the SafeGuard Cyber platform, the company achieved the following:
- Over 70,000 Telegram messages captured and archived automatically every month
- Reduced regulatory risk by fulfilling SEC and FINRA requirements
- Avoided hundreds of thousands of dollars worth of fines from SEC censure
Enterprises now face increasingly challenging regulatory environments, where all digital communications are subject to compliance and supervision controls over policy concerns ranging from business conduct and data privacy to industry-specific regulations (e.g., FINRA, SEC, FDA).
With the increasing velocity, variety, and volume of digital communications, the ability to capture, supervise, and secure messaging solutions requires a more flexible, scalable, highly automated approach to managing compliance risk effectively.
Failure to provide governance and compliance to secure mobile messaging apps may have many adverse impacts on the enterprise, including the stall-out of digital transformation initiatives, increased use of unsanctioned apps, and increased fines, penalties, and litigation expenses for resulting compliance violations.