Secure Messaging Software: What Enterprises Need to Know

20 October, 2016 by Ouriel Weisz

When it comes to safe and secure messaging software, users often receive a false sense of security, believing that their information is kept private thanks to cryptographic algorithms.

However, how safe is safe, and how can an enterprise guarantee its information is secure? Here’s what enterprise CIOs ought to know.

Whether your workers are checking their personal or work email over a secure connection, or whether you yourself are making a purchase online, have you ever wondered how safe your private information or credit card data really is?

Information is kept secure online thanks to cryptographic algorithms that scramble the message so that it cannot be read by anyone other than the intended recipient.

However, not all encryption is created equal. Weak encryption can potentially be worse than no encryption at all.

It misleads users, giving them a false sense of security.

This is precisely why enterprise CIOs need to provide employees with applications that encrypt data on the device, in transit and at rest. In addition, company policy should insist only these apps are used for work.

Hope for the best, but prepare for the worst

Just last year, the number of data breaches in the United States amounted to 781 with close to 169.07 million records exposed.

As data breaches demonstrate, security and identity theft are ongoing enterprise issues.

This March, mobile app Snapchat suffered from a data breach that exposed the payroll information of around 700 current and former employees. The data wasn’t stolen by a coding mastermind but rather by an attacker who gained an employee’s trust by pretending to be Snapchat chief executive Evan Spiegel in order to get the information.

Like Snapchat, fellow messaging app Slack suffered from a security breach in 2015, and while the company assured customers that all its passwords were encrypted, the truth was far less comforting. “The company is emphasizing that the passwords are encrypted and salted, but that simply means they will take just a little longer to crack,” Alex Heid, chief research officer at SecurityScorecard, told Business Insider at the time.

In fact, once the passwords had been cracked, it was only a matter of time until the hackers could use them to figure out users’ accounts elsewhere. Furthermore, since anyone could find a company’s Slack account by performing a simple Google search, it seems that “Slack is vulnerable by design,” as Heid puts it, and will probably suffer further breaches in the future.

Another major breach happened in December 2013, when discount retailer Target discovered that 40 million credit cards belonging to Target users had been stolen by hackers who accessed data on point-of-sale systems. Target later revised that number to include private data for 70 million customers, with over 11 GB of data stolen.

Such breaches are a stark reminder of the clear and present dangers that enterprises face.

In order to protect themselves as well as their users from a potential breach, this is what enterprise CIOs need to know specifically in relation to secure messaging software.

Properly train employees

The Snapchat incident exemplifies one of the biggest challenges for companies struggling to protect their sensitive information: Even if your technical security is up to scratch, your people may let you down.

In fact, this factor was the root cause of more than half of security breaches in 2015.

Clearly, companies must do more to educate their workers on the dangers of cyber terrorism.

Snapchat CIOs learned this lesson the hard way.

“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the company said in a blog post.

“To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks.”

The Target breach, while not fully disclosed to the public, had to do with both human and technical factors.

The attackers hacked their way into the company’s corporate network by compromising a third-party vendor. They then used the vendor’s login credentials to figure out which portal to subvert and use as a staging point into Target’s internal network.

The company later updated their security system and technology. Consequences of the breach were severe and resulted in the CEO and CIO having to resign.

Don’t use WhatsApp

With more than 1 billion monthly active users, the world’s most popular messaging app, Facebook-owned WhatsApp, delivers 100 million conversations each day.

In 2015, the messaging app started using a secure-messaging protocol from Open Whisper Systems. A year later the secret service was made mandatory for all WhatsApp users.

A step in the right direction, you might think.

But then Western governments and state authorities started to worry that terrorists and criminals would use encryption to keep their plans secret.

However, as the Intercept put it, “it’s important to keep in mind that, even with the Signal protocol in place, WhatsApp’s servers can still see messages that users send through the service.”

Furthermore, as stated in Tech World, “using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.”

In fact, according to the WhatsApp privacy policy, the company reserves the right to record users’ information, and give it to governments.

This is precisely the reason why Isis has come up with its own secure messaging app, and has told its followers in a booklet for would-be jihadists that “any operation that doesn’t have a strong security and precaution base is deemed to fail, just like a big building needs strong foundation. Security precautions are the foundations of any operation.”

CIOs need to pay careful attention to the issue of cyber security in the workplace and after hours when it comes to sensitive data.

Done properly, modern encryption is just about unbreakable, but it all depends on the strength of the encryption.

“It’s not something governments can wish away or make illegal any more than parliament can repeal the law of gravity,” as stated in the Guardian. “You must be motivated to use encryption, but few people could be more motivated than a terrorist in hostile territory.”

Secure Messaging Software: It does exist

We’ve mentioned quite a few issues that might deter CIOs from allowing their employees to use messaging apps at all.

But the genie is out of the bottle. If the company does not provide the tools then employees will find and use their own.

Happily, some secure messaging software is in fact quite safe to use.

The key is to encourage employees to only use messaging apps that have strong encryption and emphasize privacy and security.

Breaches in security will always be an issue, but if enterprises have the right procedures and software in place, chances are their data will be safer.