Full Report
Most organizations have no formal policy governing how messaging applications may be used for work, but in the wake of a recent decision by the chief administrator of the U.S. House of Representatives, they may want to reconsider.
Analysis Summary
# Best Practices: Securing the Use of Messaging Applications in Organizations
## Overview
These practices address the risks associated with the use of various messaging applications (often unmanaged "shadow IT") within professional environments. The primary concerns include data leakage, lack of transparency regarding data handling, poor encryption standards, potential for spyware infection, and unintentional disclosure of sensitive information via these platforms.
## Key Recommendations
### Immediate Actions
1. **Establish a Clear Policy on Acceptable Use:** Immediately draft and disseminate a formal organizational policy detailing which messaging applications are approved for business communications and which are explicitly banned or restricted for sensitive discussions.
2. **Conduct Incident-Based Education:** Share details of high-profile security incidents involving messaging applications (like unintended disclosures or data breaches) directly with business executives and relevant staff to highlight real-world risks.
3. **Promote Secure Alternatives:** Mandate the use of organizationally sanctioned and secured communication platforms (e.g., enterprise email, secured collaboration suites like Microsoft Teams) for all business-related discussions, especially those involving sensitive data.
### Short-term Improvements (1-3 months)
1. **Identify Shadow IT Usage:** Deploy monitoring tools or conduct surveys to identify which messaging applications are currently being used by employees (including senior leadership) for work-related purposes.
2. **Targeted Executive Awareness Campaign:** Develop specific training modules for senior leadership highlighting the risks of using consumer-grade messaging apps, emphasizing scenarios like accidental data sharing (e.g., sending invites/info to the wrong recipients).
3. **Baseline Vendor Security Review:** For any messaging apps currently recommended or informally allowed (e.g., Signal, Microsoft Teams, FaceTime), review their published security documentation regarding data encryption (in transit and at rest) and data handling transparency. Record specifically whether end-to-end encryption is on by default or is an opt-in for particular features, who holds the keys (the user, or the vendor), and what the vendor retains and for how long; "encrypted" alone does not answer these questions.
### Long-term Strategy (3+ months)
1. **Develop a Formal Application Vetting Process:** Establish a lifecycle management process where new communication tools proposed for use must undergo a formal security review by the cybersecurity team before being approved for corporate deployment.
2. **Continuous Employee Security Education:** Implement mandatory, recurring training that focuses on avoiding social engineering vectors common in messaging apps (e.g., phishing links, malicious file sharing) and teaches users the proper handling of sensitive information.
3. **Lead by Example (Internal Enforcement):** Ensure that all members of the cybersecurity team strictly adhere to the organization’s internal messaging policy. Non-compliance by security staff undermines enforcement efforts among the general user population.
## Implementation Guidance
### For Small Organizations
- **Focus on Prohibition and Simplicity:** Due to limited resources, start by strictly prohibiting the use of *unapproved* messaging apps for any official business. Direct all communication toward one simple, agreed-upon platform that the organization administers and that encrypts traffic in transit (for example, the organization's managed email or collaboration suite), so that access control and retention are at least under the organization's control.
- **Mandate Device Patching:** Ensure all endpoints used for messaging (especially mobile devices) are running the latest operating system and app versions, with automatic updates enabled, to mitigate vulnerabilities exploited through message parsing (including zero-click attachment and media handling) or built-in browser components.
### For Medium Organizations
- **Implement Detection Controls:** Utilize endpoint security tools or network monitoring services to detect and flag connections to high-risk, unauthorized messaging services that may be used for data exfiltration.
- **Tiered Application Policy:** Create a tiered list: Tier 1 (Fully Approved & Managed), Tier 2 (Permitted for non-sensitive business only), Tier 3 (Strictly Banned). Communicate usage rules clearly, tying each tier to the data classification it may carry.
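The two items above (detection of connections to unauthorized services, and a tiered policy) can be combined into a single check run over forward-proxy logs. The following is an added example written for this summary, not code from the source article or from any vendor. The domains, the tier assignments, the log format and the upload threshold are all placeholders chosen for illustration; a real deployment would load the tier list from the organization's vetting process and parse its own proxy's log format.

```python
"""Flag proxy-log connections to messaging services according to a tiered policy.

Added illustration: domains, tiers, threshold and log lines are constructed for
this example and are not a recommendation about any real service.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Example tiered policy (placeholder .example domains, an assumption for this illustration).
TIER_POLICY = {
    "chat.corp.example": 1,       # Tier 1: approved and managed
    "consumer-chat.example": 2,   # Tier 2: permitted for non-sensitive business only
    "banned-chat.example": 3,     # Tier 3: strictly banned
}

# Uploads to a Tier 2 service at or above this size are treated as possible
# exfiltration (assumed threshold; tune to the organization's traffic profile).
UPLOAD_ALERT_BYTES = 1_000_000

# Constructed proxy log lines: timestamp user src_ip method host bytes_sent status
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 10.0.0.5 GET chat.corp.example 512 200
2024-05-01T09:02:13Z bob 10.0.0.7 POST upload.consumer-chat.example 2400000 200
2024-05-01T09:03:44Z carol 10.0.0.9 GET banned-chat.example 300 200
2024-05-01T09:04:10Z dave 10.0.0.11 GET notbanned-chat.example 300 200
2024-05-01T09:05:00Z erin 10.0.0.12 GET www.consumer-chat.example 900 200
2024-05-01T09:06:00Z frank 10.0.0.13 GET intranet.corp.example 1200 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes>\d+) (?P<status>\d+)$"
)


@dataclass
class Alert:
    user: str
    host: str
    tier: int
    reason: str


def classify_host(host: str) -> Optional[int]:
    """Return the policy tier for a host, or None if it is not a listed service.

    Matching is done on DNS label boundaries: 'www.banned-chat.example' matches
    'banned-chat.example', but 'notbanned-chat.example' does not. A plain
    endswith() check would produce that false positive.
    """
    host = host.lower().rstrip(".")
    for domain, tier in TIER_POLICY.items():
        if host == domain or host.endswith("." + domain):
            return tier
    return None


def evaluate_log(text: str) -> List[Alert]:
    """Scan log lines and raise alerts for Tier 3 use and large Tier 2 uploads."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        tier = classify_host(m["host"])
        if tier == 3:
            alerts.append(Alert(m["user"], m["host"], 3,
                                "connection to banned messaging service"))
        elif tier == 2 and m["method"] in ("POST", "PUT") \
                and int(m["bytes"]) >= UPLOAD_ALERT_BYTES:
            alerts.append(Alert(m["user"], m["host"], 2,
                                f"large upload ({m['bytes']} bytes) to Tier 2 service"))
    return alerts


if __name__ == "__main__":
    for a in evaluate_log(SAMPLE_LOG):
        print(f"tier {a.tier}: {a.user} -> {a.host}: {a.reason}")
```

Run against the constructed log, this flags bob's large upload to a Tier 2 service and carol's connection to a Tier 3 service, while leaving dave's look-alike domain and the Tier 1 traffic alone. Hosts are visible in proxy logs only when the client uses the proxy; for end-to-end encrypted apps the gateway sees the destination (via TLS SNI or DNS) but not the content, which is why this check keys on destination and volume rather than payload.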
### For Large Enterprises
- **Integrate with Data Loss Prevention (DLP):** Configure DLP policies to monitor and block the sharing of sensitive or regulated data types (PII, IP, classified info) across known messaging application endpoints or via web integrations.
- **Harden Configuration of Approved Tools:** For approved apps (like Teams), document and enforce a baseline configuration that requires strong authentication (MFA), applies the platform's encryption and retention settings, and restricts external/guest access, consistently across all organizational tenants and groups.
- **Regular Third-Party App Audits:** Schedule periodic internal or external audits specifically focused on communication channels to assess adherence to encryption standards and data retention policies.
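The DLP item above describes blocking regulated data types on their way out through a managed messaging integration. The following is an added example of the content-inspection logic behind such a rule, written for this summary and not taken from the source article or from any DLP product. The patterns and the "block on any finding" verdict are assumptions for illustration; the point it demonstrates is that a bare digit-count pattern is not enough, and a Luhn check is what keeps an order number from being blocked as a payment card.

```python
"""Pre-send DLP check for message text passing through a managed integration.

Added illustration; the data-type patterns and the verdict policy are assumptions
for this example and would be tuned to the organization's data classification.
"""
import re
from typing import Iterator, List, Tuple

# U.S. SSN in dashed form, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Internal classification markings (assumed vocabulary for this example).
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> Iterator[str]:
    """Yield digit groups that look like card numbers and pass Luhn."""
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield m.group()


def dlp_verdict(message: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'allow', list of finding types) for one message."""
    findings: List[str] = []
    if SSN_RE.search(message):
        findings.append("ssn")
    if any(True for _ in find_card_numbers(message)):
        findings.append("payment_card")
    if MARKING_RE.search(message):
        findings.append("classification_marking")
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in (
        "Order 1234 5678 9012 3456 shipped today",          # digit run, fails Luhn
        "Card 4111 1111 1111 1111 exp 12/26",               # passes Luhn
        "Client SSN 123-45-6789, CONFIDENTIAL",             # two findings
        "Lunch at 12?",
    ):
        print(dlp_verdict(msg), "<-", msg)
```

The candidate pattern anchors on digits at both ends so a trailing separator is never swallowed, and the Luhn step is what separates the first two sample messages: both contain sixteen digits, but only the second is a plausible card number. In a real deployment the verdict would be logged with the finding types, not the matched values, so the DLP log does not itself become a store of the data it is protecting.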
## Configuration Examples
*Note: The source article reports that a government office recommended specific alternatives such as Microsoft Teams and Signal, implying these offer better controls than the apps it restricted. It provides no technical configuration, so the controls below are general ones implied by the recommendations rather than settings taken from the article.*
1. **Enforce Multi-Factor Authentication (MFA):** Ensure MFA is mandatory for access to any approved collaboration platforms (e.g., a Conditional Access policy in Microsoft Entra ID, formerly Azure AD, or the equivalent in another identity provider, requiring MFA for Microsoft Teams access), and verify that no legacy or service accounts are exempted.
2. **URL/Link Scanning:** Configure network gateways, DNS filtering or endpoint web filters to scan and block links shared through messaging applications. Where an app is end-to-end encrypted or otherwise cannot be inspected by enterprise security tools, the gateway never sees the message, so the control has to act at click time, when the link is opened in the browser, rather than on the message itself.
## Compliance Alignment
* **NIST Cybersecurity Framework (Identify/Protect):** Developing and communicating awareness programs regarding the acceptable use of messaging applications fits under workforce training and identification of operational risks.
* **ISO/IEC 27001 (2013 Annex A.7.2.2 and A.13.2.1; 2022 controls 6.3, 5.14 and 5.10):** Awareness and training, information transfer policies, and acceptable use of information and associated assets must be actively defined and enforced to manage risks associated with third-party communication tools.
* **CIS Controls v8 (Control 14: Security Awareness and Skills Training; Control 2: Inventory and Control of Software Assets):** Training staff on the dangers of shadow IT and secure data handling within messaging apps directly supports Control 14, and identifying which messaging apps are actually in use supports Control 2.
## Common Pitfalls to Avoid
1. **Assuming Built-in Security is Sufficient:** Do not assume all consumer-grade messaging apps provide enterprise-grade security, transparency, or sufficient encryption for business communication.
2. **Ignoring Senior Leadership Usage:** Do not avoid addressing messaging security risks because senior executives are heavy users. Use documented incidents to persuade leadership of the necessity of controls.
3. **Banning Without Providing an Alternative:** Simply banning apps without offering an effective, sanctioned, and usable alternative for necessary communication will drive usage deeper underground (increasing shadow IT risk).
## Resources
- **Framework:** NIST SP 800-50 Rev. 1 (Building a Cybersecurity and Privacy Learning Program; the original 2003 edition was titled Building an Information Technology Security Awareness and Training Program).
- **Concept Guide:** Documentation concerning managing "Shadow IT" exposure risks.
- **Vendor Security Literature:** Review documentation provided by approved vendors (e.g., Microsoft documentation on Teams security settings) regarding data governance within their platforms.