News

A Ticking Time Bomb: Mainstream Messaging Apps Are Killing Your Company's Security

In order to protect your employees, you need a messaging app that's truly secure.

Article originally posted at Entrepreneur.com

If the 2020 hack on IT giant SolarWinds offered anything of substance to the business world, it should be an unquenchable desire to protect their employees. The hack — targeted to infiltrate SolarWinds' Orion network management tool — affected thousands of customers, ranging from Fortune 500 companies to several government agencies. Unfortunately, the effects will be felt for years.

Early this year, American intelligence agencies pinned the attack on Russia after discovering several similarities between the code used in the attack (referred to as UNC2452) and an older Russian malware (called Turla). The extent of the infiltration is still unknown, but the data is already staggering. More than 18,000 customers downloaded the infected update, including national agencies like the U.S. Treasury, the Department of Homeland Security and the Department of State.

The ramifications of this attack are sobering; nation-states and their agencies are able to infect a top-rated IT company's software and spread it to thousands of companies when they patch their systems. Such an attack, known as a supply-chain attack, is insidious because patches and updates are considered a must for maintaining a defensive cybersecurity posture. When the patch gets compromised, the results can be devastating.

Tech-savvy users are more conscious about data-sharing

With such risks out there, enterprises should be doing everything in their power to protect their employees and data. When the resources of a hostile nation-state are stacked against you, you can't afford to miss out on easy victories. Cue the recent controversy with WhatsApp, a messaging platform that Facebook owns. It started bleeding customers when it began sharing data with its parent company. With data privacy an ever-present concern, enterprises should shy away from using apps that allow data to be shared with any outside party.

If the thought of sharing company data with one of the biggest data-harvesters in the world scares you, it should. With its pioneering of end-to-end (E2E) encryption on standard text messages, WhatsApp quickly built up a huge customer base among people concerned about their privacy with Facebook messenger and notoriously insecure SMS messaging.

That customer base is quickly leaving as WhatsApp becomes that which it swore to destroy,  requiring users to consent to share their data with Facebook. Suddenly, there's no real reason to keep using WhatsApp, so users are flocking to alternatives like Signal or Telegram.

As of January 12, Signal reported it had 50 million downloads on Android devices alone. In January, Telegram hit 500 million users, with 25 million of their new users joining within a 72-hour period. For reference, it took Telegram about six months to add 100 million in 2019 and 2020. Clearly, WhatsApp's mass exodus shows that secure messaging apps are still something most people want and need.

These apps are also using clever ways to get more people to download and use their app — like giving users the ability to migrate an entire group chat from WhatsApp to Signal with a simple link. Using this feature, Signal can grow its user base exponentially without asking people for their contact lists. Signal had around 20 million active users in December 2020. While the company hasn't disclosed how many new users they've added since WhatsApp started hemorrhaging users, it was downloaded 7.5 million times in a five-day period in January 2021 after Elon Musk tweeted about it.

Related: The Pivot to Remote, and What It Means for Security

Finding a Secure Alternative for Business

As more people join these secure messaging apps, they’re becoming a viable alternative for other users. A messaging app is only as good as its customer base, after all. If you can't find a user on it, why use it? But are these apps suitable for widespread enterprise use?

Truthfully, Signal is a pretty bare-bones app without a lot of features, and it can be clunky to use. Many believe it’s primarily useful for messaging, but enterprises need more robust features from an internal-communication app. Additionally, privacy advocates have their concerns because it requires a phone number to be associated with the account. Additionally, any contacts that are already using the app get a notification when one of their contacts signs up for Signal, which strikes many as a privacy issue. Enterprises simply can’t afford to have this type of unsecured platform as part of their communications.

Similarly, using WhatsApp across devices is difficult. It may be cloud-based, but it requires all data first be sent to your phone. Then, other devices can sync from that.

Although it is not end-to-end encrypted by default (you must enable it), Telegram is somewhat better for businesses because it allows customization and lets users access their group chats and messages from any device simultaneously. It also allows direct-to-consumer marketing, similar to emails, by offering companies the capability to send one-way messages to people who sign up for notifications.

It’s worth noting, though, that as these free, widely-adopted apps expand their customer base, they become more of a target. For example, a collection of 13 different vulnerabilities was recently discovered in the Telegram apps for both Android and iOS. The vulnerabilities existed in a library that Telegram uses to parse and render animated stickers in chats and created an attack surface for potential remote code execution.

Also, these apps are still in their nascent stages without the server capacity to handle huge migrations of large enterprises or government organizations. Already in widespread use across many government agencies, apps like Microsoft Teams offer much more robust options for enterprises, such as file storage, two-factor authentication and voice/video chat. It still lacks in the security arena, however. All in all, many of these solutions are not viable for securing employee communications, leaving their devices vulnerable to intruders. The best solution is a secure messaging app that is end-to-end encrypted.

Companies looking to secure their employees' online activity, devices, and messaging need to seek out innovative solutions. Research is critical for enterprises to understand whether or not their communications and data are as secure as they think. With threats lurking everywhere online, they can't afford to leave anything to chance. While not the only solution, using encrypted messaging platforms is an important way to secure vital communications and keep employees safe — especially in an era when more and more professionals are working remotely. The SolarWinds hack should be a wake-up call that organizations can never stop innovating.