Privacy And Security: We Need Both For Communications, And There’s An App For That
Our communications need to have both privacy and security. The recent uproar about WhatsApp’s changes to its privacy policy is a good reminder of that fact. While the changes had implications for consumers who use WhatsApp, the concerns also made their way into the enterprise. I heard from CISOs who saw the discussions quickly morph from personal concerns about privacy to enterprise security concerns about using WhatsApp for business communications.
The common question: Is WhatsApp “safe” to use for business communications? The CISOs already knew the answer (no, it’s not). The next question: What do we do, and what can we do, about it?
Understand the risks to the business to help make the case for change.
Your business is exposed to privacy, security, reputation, and compliance risks when employees use consumer tools for business purposes. Someone targeting your organization specifically would find it useful to know that employees regularly communicate business info freely on such a channel. That likely wouldn’t be too difficult to discover if employees talk about it as a tool they use for work or encourage customers or others to use it to communicate with them.
Consumer apps aren’t built for business use. Yes, end-to-end encryption protects data in transit, and the app provider doesn’t see the content (sometimes). However, data is still vulnerable on devices. Malware on phones enables hackers to read messages. Someone else picking up an employee’s phone may be able to see messages if there’s no PIN protecting access on the phone or for the app. There is also no guarantee that an individual is using two-step verification or is not automatically backing up their messages to the cloud. Employees could also save messages to share with others outside of the company, or screenshot freely, and the recipient can do whatever they wish with them. Additionally, vertical-specific compliance guidelines, such as those of the FFIEC (Federal Financial Institutions Examination Council), may require that you retain business-related text messages.
Explore how purpose-built tools for secure, private, and compliant business communications can help.
Enterprises typically already have corporate-sanctioned tools for employee communication and collaboration like Google Chat or Microsoft Teams. Sometimes, they need more. They may find that they have use cases where another purpose-built tool is better suited for their needs. For general-purpose business communications and collaboration, tools such as Wickr and Wire include messaging/chat functionality, as well as other features like videoconferencing and file sharing. Tools like KoolSpan and CellTrust enable secure voice calling and more.
Options exist with added controls and features that make these offerings suitable for business communications. These can include capabilities such as administrative controls to revoke user access and adjust settings, encryption, the option to host on-premises or in private cloud, metadata protection, or integrations with enterprise applications. Some also offer the option of a portable phone number or use of the app independent of a mobile phone number so that employees are not using their personal phone number for business.
What To Do Next — Because Change Doesn’t Happen Overnight
Provide clear guidance for acceptable communication tools for employees. Consider this a part of security awareness training, too, so that employees understand the risks. This human element is the most important factor. Changing behavior is the most challenging component, especially when consumer apps are a convenient option.
Identify your audience, their use case, and employee requirements. Will a new tool serve a segment of the employee population, or is it meant to be used companywide? Determine if employees will need voice, text messaging, document sharing, video, or some other combination of functionality. Will you require integration with key systems (e.g., mobile device management or an archiving solution)? Clarity about these requirements in your initial planning will help narrow your shortlist of vendors and find the best fit for both your workforce and security needs.
Build a network of business user champions. These individuals evangelize the use of the tool internally with their peers and provide feedback from initial testing and tool selection through deployment. Target your messaging to best appeal to organizational culture and your workforce. In healthcare, this may be about promoting patient outcomes. For a manufacturer, protecting its competitive edge and reputation may resonate with employees. If no one wants to or can easily use the tool, you’re back at square one.