Mobile collaboration apps in the enterprise and the conflict with compliance

9 January, 2017 by Paul Shlackman

The enterprise today is host to a new kid on the block.

Say hello to mobile group collaboration and chat apps, the must-have accessories that employees are adding to their phones and phablets to help them organize their lives more productively.

Industry observers call this trend Bring Your Own Cloud (BYOC) and it’s bad news for CIOs because personal cloud-based apps like these are totally outside the IT department’s control.

The news is especially bad for organizations in highly regulated industries like retail, healthcare, legal or banking & finance.

Compliance with regulations is an onerous (not to mention costly) process comprising an admin-intensive series of continuous requirements, strict adherence to standards and regular audits.

Above all compliance demands control. Without it the whole governance effort becomes a waste of time.

Personal mobile collaboration and chat apps in the enterprise are vulnerable to scams and malware attacks. Yet the IT department has no visibility into, or influence over, them whatsoever.

Such apps are in direct conflict with compliance.

Greater regulatory emphasis on security

By 2018 mobile collaboration and chat apps will account for half of all enterprise coordination and communications (Gartner).

A relatively recent phenomenon, group chat apps fall outside the scope of most regulatory standards.

For a long time compliance standards have simply covered the basics with regards to data security. The most common regulations – PCI DSS (retail), HIPAA (healthcare) and Sarbanes Oxley or SOX (financial services) – prescribe the bare minimum of what is expected of organizations in terms of information processes.

But the regulatory climate is changing.

The European Union General Data Protection Regulation (GDPR), when it comes into force in 2018, is set to take things up a notch.

GDPR will make personal data protection a priority. Any organization, regardless of their geography, that holds personal information about customers anywhere in Europe will be required to keep their data private and secure.

Penalties for data leaks will be severe.

Tightening up the rules

Other regulatory bodies are adding new rules that focus more sharply on data security.

Moves are afoot to update the Sarbanes-Oxley Act to expand demands on internal controls reports and disclosures to include cyber security systems and risks of publicly traded companies.

And although HIPAA rules state that encrypting health data is advisable rather than required they make it clear that organizations can ill-afford to ignore health data encryption or assume that it does not apply to their operations.

Meanwhile, in 2016, the PCI Security Standards Council – the body responsible for the PCI DSS standard widely used in the retail and hospitality industries – amended its guidance to help businesses address the lack of awareness about cardholder data being held on compromised systems. It also introduced new stipulations requiring merchants and banks to implement strong encryption and multifactor authentication.

Not built for the enterprise

Consumer mobile collaboration apps cannot guarantee data security. They were built for mass consumption with no thought for compliance needs.

Some, like WhatsApp, have made a big deal of adding end-to-end encryption which is fine for messages in transit. But that’s only part of the story.

They have no answers for enterprise questions such as “how do you protect the end-user device?”; “where are our messages stored?”; “how do we know other users are trustworthy?” or “can we retrieve old messages on demand for auditors to examine?”

Perhaps the biggest weakness of the consumer chat app is that its rudimentary controls are left up to the everyday user rather than the IT professional.

If the organization has no control over how company confidential information is shared or stored then it is impossible to know if the process used was sufficiently secure or compliant.

The NURO secure messaging platform is different. It was developed to be “secure by design” (one of the four pillars of GDPR).

Among its properties is that every one-to-one or group chat has its own secure, encrypted channel; that advanced encryption is provided at device-level, in transit via HTTPS as well as an encrypted enterprise-owned database when stored. IT operatives are provided with a centralized admin console for management of such issues as policy-setting or role-based permissions as well as integration with other enterprise systems, database activity monitoring and, when authorized, the ability to decrypt stored messages for inspection by auditors for compliance purposes at a later stage.

In summary, unsecured mobile messaging and chat in the workplace is a growing concern for enterprise CIOs. The pressure to lock down all communications channels has never been greater. At a time when high profile data breaches have placed a spotlight on enterprise security compliance vulnerable group chat apps are a risk that organizations simply cannot afford.