Interviews

Platforms’ dangerous game

by Mark Rowe

Businesses still using consumer-grade comms platforms are playing with fire, says Morten Brøgger, pictured, CEO of secure messaging platform Wire.

When the pandemic hit, the urgency with which businesses had to shift to remote working models saw secure working environments replaced with home offices and secure corporate systems and firewalls substituted with unsecured networks and devices. Companies turned to communications tools like WhatsApp and Zoom as solutions to a sudden and unexpected business problem. But nearly two years on and with remote working now a well-established business practice, companies that are continuing to use mainstream, consumer-grade platforms to conduct business are playing an increasingly dangerous game; such platforms put businesses’ data privacy and compliance obligations at risk and leave confidential company data more exposed to potential cyberattacks.

Mainstream versus enterprise solutions

Mainstream communications and collaboration platforms provided an immediate solution to the remote working challenge inflicted on enterprises and organisations during lockdown: free, quickly downloadable, easy-to-use, and already familiar to many employees, these tools kept the workforce connected at a critical time. However, as tools designed to serve the needs of a wide range of consumers, mainstream platforms are not long-term solutions for enterprises.

Tasked with handling a greater volume of data and more dependent than ever on technology for every aspect of their jobs, employees need platforms that are specifically designed to make business digital communications more secure and simpler. While consumer collaboration platforms offer fancy features such as virtual backgrounds, enterprise tools take a security-first approach and focus on the features that really matter to businesses: for example, messages that can be programmed to disappear after a certain time to ensure confidentiality, and tools that help employees in their day-to-day tasks, such as conversation groups that are ‘invitation only’. This feature not only offers additional security but helps to diminish the risk of human error, such as the recent MoD data breach, where contact details of Afghan translators were accidentally disclosed via email.

Businesses need to protect their data and communications with water-tight security technology and platforms that are regularly updated and enhanced to keep pace with advances in technology and the growing expertise of cyber criminals. While platforms like WhatsApp may have launched business versions or introduced enhanced security features like end-to-end encryption, these features are still nowhere near as advanced as purpose-built, enterprise-grade platforms.

Part of the problem is that there are discrepancies between one type of security technology and another. End-to-end encryption (E2EE) has now become widely acknowledged as robust enterprise-grade security technology – but not all E2EE solutions are created equal. Many platforms have even been caught making false claims or utilising weak forms of E2EE that do not offer the same robust protection. For example, a decentralised solution that uses double-ratchet E2EE allows for every individual call, message, and file to be separately encrypted on every device, with the keys generated from the device rather than from a central server. This protects the information to the smallest possible unit and creates a system that grows more complex – rather than more valuable – for hackers with every message.
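The per-message, per-device keying described above can be sketched as follows. This is an added example, not code from the article or from any vendor, and it covers only the symmetric chain half of a double ratchet (the Diffie-Hellman step is left out). The HMAC constants follow the chain KDF recommended in the public Signal Double Ratchet specification; the device names and random seeds are constructed stand-ins for keys agreed on the devices themselves.

```python
import hashlib
import hmac
import os


def kdf_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric ratchet step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class Chain:
    """Holds only the current chain key; earlier keys are overwritten."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        self.chain_key, message_key = kdf_chain(self.chain_key)
        return message_key


def demo():
    # Constructed setup: one chain per recipient device, seeded locally.
    # os.urandom stands in for the secret a device-to-device key agreement yields.
    seeds = {dev: os.urandom(32) for dev in ("laptop", "phone")}
    sender = {dev: Chain(seed) for dev, seed in seeds.items()}
    receiver = {dev: Chain(seed) for dev, seed in seeds.items()}

    sent, received, stolen = [], [], None
    for n in range(5):                      # five messages, fanned out per device
        for dev in sender:
            sent.append(sender[dev].next_message_key())
            received.append(receiver[dev].next_message_key())
        if n == 2:                          # state captured after message 3
            stolen = sender["laptop"].chain_key

    # From the captured chain key an attacker can only step forward.
    reachable, ck = [], stolen
    for _ in range(2):
        ck, mk = kdf_chain(ck)
        reachable.append(mk)
    return sent, received, reachable


if __name__ == "__main__":
    sent, received, reachable = demo()
    print("distinct message keys:", len(set(sent)), "of", len(sent))
    print("earlier laptop keys exposed:", any(k in reachable for k in sent[0:5:2]))
```

In a full double ratchet the Diffie-Hellman step replaces the chain key with fresh key material, which is what cuts off the forward-reachable keys shown here.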

Therefore, companies need not only to re-evaluate the validity of the tools they entrust with their business data, but also to look more carefully at the tech providers that are handling their data and at the specific technologies their solutions depend upon. Once in place, they then need to ensure that all staff fully understand how to use these systems and implement clear rules and processes around how employees should share and communicate company data. Without clear policies in place or an intuitive communications platform, investment in new secure communications tools is wasted as staff will return to using the communications channel they know and like to use.

Escalating threat of cybercrime

During the pandemic cybercriminals saw mass vulnerabilities and took advantage. As a result, cyberattacks thrived. According to data from Check Point, global weekly cyberattacks hit an all-time high in Q4 2021, with 925 attempts per organisation. It also found that attempted attacks have been continuously increasing since Q2 2020, with 50 percent more attacks seen per week on corporate networks in 2021 compared to 2020.

The threat that cybercrime poses remains immense. According to Cybercrime Ventures, cybercrime threatens to cost the global economy as much as $10.5 trillion by 2025, and the World Economic Forum listed cybercrime as the fourth largest global risk in 2021 (after extreme weather events, livelihood crises, and infectious diseases). Cybercrime is a problem that is here to stay; enterprises and organisations, including government departments, simply cannot afford to take risks or cut costs when it comes to securing their confidential data and communications. The only way to protect data is to use enterprise-grade E2EE; anything less than this level of security will leave organisations vulnerable to attack by cybercriminals.

Lax attitudes to security

Aside from the security threats of using non-enterprise-grade communications platforms, companies that fail to take data security seriously stand to damage their reputations and credibility. The recent government scandals are testament to this; media attention has focused on the lockdown parties, inter-party bickering and use of unconventional language between MPs, exposed via WhatsApp messages.

Indeed, an intrinsic part of these scandals lies in the fact that mainstream tools such as WhatsApp are actively encouraged by government departments for routine communications in the first place. Last month, two sources at No.10 alleged that they were told to “clean up their phones” when reports first surfaced of illicit gatherings at Downing Street – hardly a commendable or professional practice, even on an enterprise-grade communications platform.

The UK government is not alone. In November last year, the Danish prime minister admitted to relying on text messages for governmental correspondence specifically in relation to a controversial mink cull in 2020 and to deleting important messages after 30 days because there was no professional system in place for archiving this data.

Apart from the fact that prominent global leaders are using some of the lowest-grade, most insecure technologies for the most sensitive of communications, by disregarding the need for robust, secure communications platforms, these government leaders risk marring their own reputations. If they have lax attitudes around data and cyber security, one of the primary global concerns of today, what other important issues are they overlooking or disregarding?

In the context of the commercial business world, companies that use enterprise level security to communicate with their customers are demonstrating respect and responsibility for their customers’ data. But above all they are protecting themselves and their employees from data privacy infringements and cyber attacks.


© 2024 Professional Security Magazine. All rights reserved.
