Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: The Threat of Consumer Messaging Applications
Quick Take
On the episode of Compliance Unfiltered, Adam and Todd shed some light on the potentially daunting security realm of consumer messaging applications.
- So, what exactly are consumer messaging apps?
- How often does your team interact with them?
- Exactly how much risk could you be incurring because of them?
- How can an organization govern them, and what should a long-term strategy look like going forward?
All this and more on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the pit crew to your compliance race team. Mr. Adam Goslin, how the heck are you, sir? I am doing just fantastic. How about yourself? Can’t complain. At its very core, I would say that all things are as they are and should be.
And today, we’re going to talk about what you should do if you run into the threat of, oh, I don’t know, something that you utilize every day in your professional life. And that is consumer messaging applications. So what exactly do you mean, Adam, by consumer messaging applications? Well, we’re talking about things like Slack, WhatsApp, Teams, instant messaging, etc. Everybody’s always trying to find ways to make things a little bit easier for themselves. And if they think that something’s going to achieve that goal, then they’ll go ahead and use it. So I actually remember in my early days, one of the organizations I was working at, they’re like, oh, we’re going to use instant messaging, and it’s gonna be great because then we’re gonna have, you know, the IT team, you know, on standby for answering miscellaneous questions. It sounds amazing, but, you know, for some organizations it works, for some organizations it doesn’t, so I’ll leave that up to the organizations themselves as to what they choose to leverage. But, you know, if you’re, you know, normally they, you know, send things through approved channels through the business like email or whatever it may be. Well, now I’ve got these, you know, theoretically, you know, other, you know, alternatives out there. Maybe you’re sending proprietary information about your product or talking about an invoice or other sensitive information. How are you knowing that this stuff is secured and controlled and whatnot? So the consumer messaging apps that are out there, they’re very convenient, they’re quite popular, the more people use them the less they question them and it just starts to become a habit. So they’re always designed to meet advanced security needs of an organization. So that’s really where kind of some of the duality comes into these particular applications. Well, I mean, duality, I think is a great word for it.
So what are some of the risks of these applications? Well, when it comes to applications, here’s where the problem is: in the marketplace, there are countless communication apps that exist. Not all of them are designed for business use. I mean, quite honestly, some of them are even designed to extract information from. So even apps that have been around for a long time, they’re found to be lacking in the security realm. Today’s work environment gets a little bit challenging because you’ve got people with their personal devices they use for work. They’ve got remote employees that are signing in during downtime. They’ve got personal tabs open on browsers as they’re in lunch and breaks, etc. So employees are using their own devices and often have the ability to use any app at any time. But when you’ve got users that adapt from a security perspective, running devices without restrictions, you’ve got a pretty big opportunity for things to go sideways. The spread of communication within your organization, you need to gain, monitor, and maintain control over it. A lot of the consumer messaging tools have been widely adopted by businesses, whether it’s officially or by practice. And there’s several of those platforms that give lip service to security, but they really aren’t running and managing and maintaining a full-scale security program. Anymore, the mobile app arena, it remains kind of the biggest kind of Wild West arena in that there are a lot of… privacy and protection issues. TikTok is getting beaten up in the media for their stance on access to user data, exposure to data, etc. And really an organization needs to know what’s going on; implementing policies and teeth to protect their sensitive data is often a challenge.
Well, I challenged, I think it’s opt now. How does an organization provide governance here? Well, you know, when I’ve done consulting with clients, you know, I’ve witnessed personally, you know, employees that are moving business data through personal Dropbox accounts. I’ve seen people that are transmitting, you know, sensitive information, you know, in the clear through text, various other communication platforms on personal devices. You know, in a lot of cases, it’s happening because the organization isn’t providing, you know, any form of governance for, you know, with monitoring over tools that our employees are leveraging. So, you know, there’s a balance, you know, to be struck. You know, on the one hand, people need tools to communicate easily and conveniently, but on the other side, you’ve got to try to keep things secure. So, you know, it’s really a matter of, you know, balancing those needs to understand, you know, the employees’ needs, establish governance for apps, devices, you know, that are to be used for, you know, for business purposes.
So, you know, when you don’t take the steps to, you know, get things buttoned up, then, you know, the people will find a way, shall we say, you know, which means that who knows what they’re doing. So, you know, how do you control the data, you know, when your employees, you know, don’t have dedicated mobile devices for work? It starts to get fuzzy. You know, there’s some organizations that will, you know, basically shrug their shoulders, you know, hoping nothing happens. Others are going to train, you know, the employees to use devices securely. Some organizations will install mobile app management on employees’ personal devices, which kind of segments their device into, you know, kind of a work segment and a personal segment so you can gain some measure of control, you know. And there’s organizations that will, you know, issue devices for business purposes, you know, and prohibit anything going on those, you know, kind of on those personal devices. But, you know, it becomes a sticky problem. The answer ultimately is going to be different for different organizations. But, you know, it really starts with, you know, assessing the landscape, providing guidance to, you know, to personnel about, you know, what and how, you know, they should be doing, you know, which communication platforms have been kind of officially sanctioned for work use.
Now, how should a company go about vetting these? Well, when you’re going, you know, when you’re going through these communication apps, you know, in a mature security environment, applications are going through, you know, rigorous review processes before they’re, you know, before they’re approved for work use, vetting the security and compliance stance of the vendor. You know, there’s also, you know, analyzing the, you know, your people’s needs, business processes that you want to support so that you can, you know, develop that policy on the, you know, on these messaging applications.
You know, evaluating the needs against the tool sets, you know, that you currently have in place, you know, for an organization that is considering, you know, a net new messaging app, you know, then leveraging things that the organization does with other vendors, you know, would apply here, you know, such as a thorough vendor risk assessment, you know, requesting, you know, their security related documentation, going in and doing digging and research to see if this particular platform has seen, you know, any breaches or security issues recently, you know, inclusive of any, you know, kind of new security issues that have been identified. Going through and looking at shortcomings in their security posture, given what you’re seeing out there, a lot of times you see the headlines and then you can kind of play interpreter to what’s going on. So if you’re seeing a lot of vulnerabilities that are being identified on a particular platform and they center around commonly held security vulnerabilities, that should start to tell the user a lot about the maturity, the internal maturity of their kind of security and compliance stance.
There’s certainly the notion of only endorsing those that, you know, have, you know, gone through and produced security and compliance documentation. You know, a lot of folks, with all of this, this one’s got all these shiny bells and whistles and I just want to use it, you know, type of deal. You know, I don’t know, I would draw that line and say, hey, if they’re not, you know, implementing a full-scale security and compliance program, you know, then yeah, maybe this is a tool that needs a little bit of seasoning before we, you know, kind of dip our toe into that pond, if you will. You know, there’s a lot of… entering is a polite term, yeah. You know, I’d rather not roll the dice, if you will. Yeah, I’d rather, you know, take on an organization that’s, you know, gained a particular level of maturity and capability in the security and compliance arena, you know, so that, you know, it’s not lip service. This isn’t some piece of paper that, you know, they went off and got, you know, just so that they can check a box, but they’re actually taking it seriously. And unfortunately, that’s something that kind of plays out over time. You know, so there’s a lot of enterprise-grade platforms that can get, you know, good communication and messaging capabilities to meet personnel needs, you know, etc. And, you know, oftentimes they’re already in place within, you know, within the organization. They may need to, you know, get an upgrade or activate, you know, certain features, etc. So, you know, one of the examples, you know, Microsoft has, you know, solutions that a lot of organizations leverage, you know, to fulfill a number of business, you know, business needs, but, you know, messaging is one of those, through Microsoft Teams with, you know, secure messaging, video conferencing, etc. So, you know, there’s certainly a, you know, a good ability to make some decisions.
But I would encourage folks: look at the tools you’ve already got, look at the tools that you’ve already adopted internally, and see if any of those can, you know, kind of be extended so you can take advantage of what you already have. Okay, I mean, you’ve already started.
So let’s just keep going. What other quick tips do you have for the folks out there? Well, as it relates to, there’s certain applications that you can go ahead and eliminate from consideration pretty quick. Certainly, at the top of the do-not-download list is stuff that’s originating from countries that the US government has deemed a risk from a data perspective. So right, wrong, or indifferent, TikTok is the poster boy for that one. But avoiding apps from smaller organizations. Typically, the smaller organizations don’t have an eye toward security and compliance, and I would say both smaller as well as younger organizations. In both of those cases, they’ll typically spend less budget on making sure it’s secure and more about making sure that it is functional while insecure.
So certainly, looking at the size and scale of the organization. We talked earlier about where they’ve got repetitive security incidents, breach notifications, vulnerability notifications, things along those lines. Those should all continue to be red flags. And the other kind of barometer is look at who the organization’s typical consumer of the service is. So if the typical consumer of the organization’s platform is consumers versus enterprises, in the case of their primarily targeting consumers, in many cases, they’re not going to take, again, the security and compliance stuff as seriously, you know, as they would if it was enterprise. And that’s primarily driven by the fact that if an organization’s primary customer is other businesses, then there’s a much higher likelihood that those organizations will have a more mature vendor, you know, vendor review process and push for, you know, enhanced security and compliance activities at that organization. You know, with any of these kind of quick tips, you know, across the board, you can’t just make, you know, make it a solid line, but, you know, yes, there’ll be exceptions to the rule, but, you know, just walk into it and do your due diligence will be kind of the notion, if you will.
Parting shots and thoughts for the folks this week. Well, you know, when it comes to the use of the consumer messaging apps for business, you know, it really just comes down to, you know, looking through and evaluating the needs of the organization. Yeah, I typically recommend folks to, you know, when you’re going in and doing that analysis, categorize the asks into, you know, need-to-haves versus nice-to-haves. That way you can, you know, kind of appropriately use that in your evaluation. You know, certainly before you, you know, go in and do the vendor vetting, you know, kind of take your own stance, make a decision as an organization: where do we want to stand on this? How are we going to approach this? Establish that policy and communicate that policy. You know, certainly taking the list of the needs and wants, putting that up against the various vendors in the space that you are going to kind of put in the running, you know, education of the employees and, you know, finally, you know, monitoring what’s going on within your environment, you know, we’ll call it the trust-but-verify model, you know, to the degree that you can do it reasonably. Keep your personnel accountable for their device and for their app use. You know, one of the biggest holes, if you will, in terms of visibility for an organization is, you know, who exactly is doing what, how, you know, for what reason, etc. And having the capability to have visibility into what’s really going on within the company will, you know, kind of help to drive the notion of, you know, kind of validating: are people really following what we put out there, you know, as our, you know, kind of organizational stance on these, you know, on these particular applications.
And it would also give an organization some, I don’t know, I’ll call it some early, you know, some early information about where they may have, you know, some of the internal folks that decided to go rogue but just didn’t bother to communicate it. It would certainly give them a better heads-up about what’s really going on within the organization as well. You know, if you’re providing the secure messaging apps that are, you know, kind of user-friendly and meet the internal needs, that will certainly go a long way to help to prevent that temptation of folks internally to take the option to paint outside of the lines, if you will.
That right there, that is the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less. Thanks for watching!