Enterprise messaging apps: What to look for in encryption

Messaging apps that feature encryption may seem safe for business use. But it’s not always as simple as that. Sometimes it counts to dig a little deeper.

By Tim Ferguson

Mon 5 Feb 2018 @ 11:18

Digital technology is constantly changing the way people communicate and collaborate in the workplace. It enables remote workers to be plugged into what office-based colleagues are doing and for distributed teams to be more productive.

Mobile devices and tools such as web-based conferencing and cloud-based document storage are becoming cheaper and more capable all the time. Particularly useful are mobile messaging apps — including those that can also be used on PCs — with the likes of Slack, Google Allo and Microsoft Teams enabling colleagues to share and edit documents as well as chat.

More consumer-focused services are branching out to the enterprise too. For example, WhatsApp recently announced a free version of its messaging app for small-to-medium sized businesses, with plans to offer larger enterprises a paid version with the ability to provide “useful notifications like flight times, delivery confirmation and other updates”.

Alongside the rising use of mobile messaging apps, the cyberthreat landscape is becoming increasingly complex, fast-moving and dangerous. Major IT security breaches regularly hit the headlines, demonstrating the importance of keeping data safe, secure and locked away from malicious attackers.

Messaging apps represent another way in which the ‘attack surface’ of organisations is expanding and providing another route for cybercriminals to attempt to access corporate IT environments.

Encryption is one way of making messaging apps more secure. However, many consumer-focused messaging apps either lack encryption or only have it as an option (like Facebook Messenger’s Secret Conversations), meaning uninformed users could fall victim to hackers. And Apple’s iMessage only encrypts messages sent between iPhones, with unencrypted SMS messages sent to devices using other operating systems.

WhatsApp and Signal are two messaging apps that have been touted for their end-to-end encryption capabilities. This makes it extremely difficult for cybercriminals to intercept messages that are on the move, both within corporate networks or across the internet. Messages sent via the app can only be seen by the sender and recipient.

However, data sent via tools designed specifically for the businesses, such as Microsoft Teams and Slack, is encrypted during transit and at rest (i.e. when it’s not moving), meaning they have an extra layer of security.

So, the use of encryption doesn’t necessarily mean that the messaging apps are completely safe to use in the enterprise. If, for example, endpoint security has been compromised, data sent using messaging apps that only encrypt data in transit could be at risk.

If cybercriminals are accessing the data that appears on device screens, they will be able to see sent and received messages and make use of the information they find to develop phishing-type attacks or, if the messages are between IT staff, gain deeper access into corporate networks.

More sophisticated cybercriminals may even be able to send messages to users with instructions to perform certain actions for their gain. For instance, if a solicitor and property buyer are using a messaging app to confirm a deposit payment, a hacker could intercept the conversation to request payment into their own account, committing what is known as ‘Friday afternoon fraud’.

As a consequence, when selecting messaging apps for use within their organisation, companies should perform due diligence. The level of encryption should be a key consideration, in addition to cost and other functionality, such as the ability to share documents.

To boost security further, organisations should also put policies in place that forbid employees from downloading and using messaging apps that don’t meet the required enterprise-grade privacy and encryption criteria.

As a final step in protecting against the risk presented by messaging apps, organisations must have the appropriate security systems in place – such as endpoint and network monitoring – to pick up any anomalies that suggest cybercriminals are tapping into conversations.

Mobile messaging apps are still relatively new to businesses but their value for collaboration and bringing remote teams together will only make them more relevant and widely used. As this happens, they will inevitably become a target for cybercrime.

Security teams should consider the way messaging apps are used and the policies needed to ensure they are used safely before the risk grows. If they don’t, the potential opportunity messaging apps offer to cybercriminals could create serious security weaknesses.