The Business Risks of Secure Messaging Apps

Alan Brill, Steve Bergman, James McLeary


May 3, 2021

Virtually everyone has experienced a data breach. We all receive notices from companies we deal with informing us that our information has been compromised and recommending that we change our passwords. They may offer solutions like credit monitoring, but the reality is that these incidents have become so common that many people experience “data breach fatigue.” While breaches have become more common, they are still serious, and companies and executives are increasingly focused on how to better protect sensitive information.

In recent years, consumers have seen the emergence of encrypted messaging apps like WhatsApp, Signal and Telegram. Sometimes referred to as “ghost apps,” these offer end-to-end encryption, so many assume they are secure. Strong encryption certainly helps protect information, but employee use of these apps may still present a significant data security risk to many organizations.

These risks are particularly notable in fields like financial services, where maintaining accurate books and records is required by specific regulations and enforced by agencies like the Securities and Exchange Commission, the Financial Industry Regulatory Authority (FINRA) and the U.K.’s Financial Conduct Authority (FCA). For example, unless specifically excluded, FCA requires that electronic communications be preserved, and FINRA reminds firms of their recordkeeping responsibilities for any relevant communications. Failing to comply with those regulations—or to have full and accurate records—can result in financial, reputational and even criminal consequences.

In one such case, the FCA fined a financial services employee nearly $50,000 for sharing confidential client information using WhatsApp. In another case, a money manager overseeing New York’s multi-billion-dollar public pension fund was convicted of fraud for accepting bribes in exchange for directing more than $2 billion in fixed income business to two broker-dealers. He reportedly used WhatsApp to prevent his company and law enforcement from monitoring his conversations.

Failing to maintain accurate records can have other consequences as well. Evidence needed in the case of disputes may be unavailable. It may hinder compliance officers’ investigations of insider trading or foreign corrupt practices. And if U.K. or EU data ends up on U.S. servers, it can be a GDPR compliance issue.

Incomplete Technological Control

Maintaining measures of control over corporate mobile devices can provide additional confidence for organizations as they seek to comply with regulations and protect corporate assets. But as corporate users download certain consumer messaging apps onto corporate-managed or even corporate-owned devices, the calculus of control changes dramatically. Consumer apps are easily accessible and often incorporate strong encryption, providing unscrupulous users with a mechanism to exfiltrate data on either company- or employee-controlled devices. The encryption involved makes detection or mitigation a challenge for companies, complicating the means of monitoring and retrieving corporate data. 

In an attempt to limit such liabilities and protect corporate intellectual property from being exfiltrated, companies often utilize software that provides mobile device management (MDM) capabilities. MDM software controls access to unauthorized applications and tightly enforces policy-based controls on corporate-controlled mobile devices. This allows corporate administrators to block employees from installing specific apps on managed devices and to monitor and control certain data flows between those devices and sensitive network endpoints.

Corporate IT departments can also create virtual segmentation on employees’ devices that allows the corporate apps and data to be controlled in one area of memory while personal data remains private to the employee. Should an employee leave the company, the corporate segment of the device can then be remotely deleted, leaving the employee with their personal data and mobile device intact.

Risk Mitigation with Clear Policies

When it comes to mobile devices, it is important to carefully evaluate the risk of allowing employees to use their own devices, with or without MDM installed. If the device is not company issued, you may not be able to effectively control employee misuse or mishandling of your data.

If someone wants to cheat the system, all they need is a personally owned smartphone—even just a cheap, disposable “burner” phone—and a free encrypted communications app. Then they can send and receive any messages they choose to, including those with confidential or transaction data that the company is supposed to preserve. No software exists that can prevent that.

To best discourage misuse and to mitigate the resulting legal and regulatory risks, it is vital to ensure that your company has specific written policies regarding recordkeeping requirements and clearly communicates them to employees. You must be able to demonstrate that you have taken effective steps to reduce claims like “I didn’t know I wasn’t allowed to do that.” These tips can help craft a strong policy about encrypted app use:

  • Make policies easy to read. Legalese will not help. The policies have to prohibit any communication of protected information by unapproved means, and do so in terms every employee will understand.
  • Provide a mechanism for appeals. While it is difficult to think of why an encrypted communication app should be approved, having a way to request a waiver makes it less likely that someone will assume there is no point in even asking and automatically proceed on their own.
  • Require everyone to sign an acknowledgement of the policies. This could be connected to the company’s annual review program, but more frequent acknowledgments will help emphasize the importance of compliance. Ideally, updates should be semi-annual or even quarterly. Before each acknowledgement cycle, counsel should check whether the policies need to be changed.
  • Define consequences in the event that the acknowledgment is not signed or the rules are violated. These could range from suspension of access to sensitive data all the way up to job termination. Threatening to hold up a person’s salary increase or to decrease the size of a bonus for not cooperating with a cybersecurity program may seem excessive, but it makes the importance of compliance clear.
  • Recruit compliance and internal audit units to help. There should be rules regarding who can authorize downloading of apps onto company-provided devices. If the end-user can download anything they want, there are much higher odds they will download and use a “ghost app.” Only pre-approved apps should be allowed to be downloaded, and companies should put procedures in place to allow other apps only following a stated review and authorization process. In many cases, you can conduct a remote audit of a device to discover what apps have been installed. Doing this on a regular basis is an important safeguard.

Companies must balance the convenience of using a communication device, the privacy rights of employees and the need to control how a device is used. In regulated industries, failures can constitute a direct violation of a regulatory requirement and may subject the organization to severe penalties. Regardless of industry, failure to maintain proper controls and records represents a risk to all organizations, and that risk is growing as new misuse scenarios and regulations emerge.

Alan Brill is senior managing director for Kroll's Cyber Risk practice, where he consults with law firms and corporations on investigative issues relating to computers and digital technology.
Steve Bergman is managing director in the cyber risk practice at Kroll.
James McLeary is managing director in the cyber risk practice at Kroll.