Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Escaping Email: Unlocking Message Security for SMS, WhatsApp

Messaging is growing in importance as dislike for email increases. That means knowing how to protect critical data in the messaging era is a must for IT security.

4 Min Read
Image: <a href=""target="_new">wutzkoh</a> via Adobe Stock

As messaging in forms as diverse as SMS, WhatsApp, and Facebook Messenger have become more popular, their use seems to have outrun IT security's ability to protect data sent over these various systems. As more employees look to messaging for their business communication, what should companies do to make sure that rapid communication doesn't equal insecure communication?

"The biggest challenge today is dealing with interactive and ephemeral content sources that are very difficult to process, review, and remediate with technologies designed for email," says Robert Cruz, senior director of information governance at Smarsh.

As IT security groups look to secure their organizations' data, two broad avenues can be taken for protecting messaging. They'll sound familiar. The first is to focus on the technology, how the systems work, and the protections they offer (or don't). The second is to focus on processes and procedures that include factors like the way employees use the services and think about the data they're sharing.

Acceptto CEO Shahrokh Shahidzadeh points out some basic considerations that cybersecurity professionals should keep in mind when evaluating messaging services and formulating security policies around them.

"First, it is best to pick apps that offer end-to-end encryption, including the encryption of metadata," he says.

End-to-end encryption is one of the factors many users cite when asked why they choose a messaging service like WhatsApp. And while that encryption is critical, it's not the only consideration, especially when an employee seeks to use one of these public messaging services to communicate with customers or partners.

"Knowing what data exactly is captured from your device is a key factor. Apps that harvest the contact list or store any metadata associated with communication are problematic," Shahidzadeh explains.

In addition, knowing how the messaging service itself protects the data (encrypted or not) it collects and that flows through its servers is important because of what NIST 800.53 calls "inherited risk." That is, security and privacy controls that cover a very broad range (the organization and its suppliers) may introduce risk that must be accepted by much smaller units (like a department). In this case, the service relationship and its security have an impact on every department that has an employee using the service.

Of course, even encryption can be of limited use when malware uses a messaging app to infect the device itself. A recent campaign of commercial malware using WhatsApp to attack smartphones is merely the latest example of attackers using the "security" of WhatsApp to increase the effectiveness of an attack.

Best Practices Emerge
Because organizations can use some of the process- and data-related security principles that have informed security of other technologies, best practices are beginning to emerge for securing messaging apps. Cruz says the first of these is simple: The IT security group must become actively engaged in evaluating messaging services and products before employees use them — not after they're already in wide use.

Next, "Policies must be updated to encompass new messaging, mobile and collaborative technologies — including explicit examples of acceptable and prohibited uses," he says. Those explicit examples will go a long way toward eliminating confusion about how policies are to be applied, though security has to be sure to point out they are examples — not statements of the policy's limits.

Cruz says training programs should be constantly updated to include permissible use of messaging for high-value organizational data. That training should include explicit language on scenarios when IT security should be engaged and brought into the conversation on new messaging services, he says.

That training also must include warnings against social engineering attacks that can use the special properties and relationships in services like WhatsApp for phishing campaigns, which are the latest variation of "smishing" attacks, making increasing use of mobile devices as an attack surface in the enterprise. These social engineering attacks can easily make even the comfortable confines of a restrictive "walled garden" like the Apple App Store ineffective against attacks and exploits.

Finally, Cruz points out, it important that IT security continually evaluate technology that can "preserve the context and metadata to track, inspect, and remediate security issues that can surface from interactive and non-text content sources." It is, as always, difficult to protect what you cannot see and define.

Cybersecurity professionals must remember that, as NIST states in 800.53, "There is no single set of controls that addresses all security and privacy concerns in every situation." As their employees look for new ways to stay in touch with colleagues, partners, and customers, security groups will have to continually evolve to stay if not ahead of their employees, then at least not too far behind.

Related Content:


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights