Security Think Tank: Use technical controls and policy to secure messaging apps

What criteria should organisations use to assess the security of smartphone messaging apps and how can they ensure only approved apps are used by employees?

Smartphone messaging apps are a quick and easy way for employees to collaborate. They have become part of the fabric of day-to-day business, as employees find them a speedier way to get through some everyday tasks.

Today’s mobile devices often run a mish-mash of work and non-work applications. Personal smartphones are used for work – bring your own device (BYOD) – and corporate devices are used for personal applications – corporately owned, personally enabled (COPE). These blurred boundaries mean it is not possible to fully prevent employees from using smartphone messaging apps for business purposes, especially when those apps are also used in everyday life.

However, research by the Information Security Forum (ISF) shows that more than 90% of organisations are concerned about the potential for organisational damage, financial or reputational, resulting from the insecure use of messaging apps. Confidential or sensitive information could be inadvertently disclosed.

To address this, potential technical controls include the deployment of mobile device management (MDM) on corporately owned smartphones – software used to manage and secure employee smartphones. For corporate and personal smartphones deploying applications for business use, mobile application management (MAM) software gives organisations an approved set of mobile applications. It does this partly by scanning code and checking the application developer’s reputation before adding an application to the whitelisted group, providing the organisation with reassurance.

Technical controls alone will not be enough. As the use of smartphone messaging apps for business purposes clearly demonstrates, determined users will find a way around technical controls if they are prevented from using such applications. As such, policies are required to address both BYOD and COPE, to explain what the workforce is allowed to do with company data and property, and to call out smartphone messaging apps specifically.
