You’re likely no stranger to the saying, “if these walls could talk,” and have been thankful a time or two that they can’t. But what about the virtual walls, that is, the internal communication channels your employees use daily: can they talk? Unfortunately, given a persistent threat actor and improperly secured applications, they can.
Email and instant messaging applications have become universal channels for internal corporate communication—and for good reason. Message delivery is instantaneous, the platforms are easy to master and use, and, in the case of email, the all-important paper trail is built in. However, these communication channels pose serious cybersecurity threats if not selected carefully and managed properly.
This blog examines the security risks, what to look for when choosing a messaging platform, and some common ways to prevent your internal communication from becoming an entry point for cybercriminals.
The Risks of Internal Communication Platforms
In today’s fast-paced business environment, email, instant messaging, project management tools, and video-chat applications like Discord, Slack, Skype, Basecamp, and Telegram have become popular office communication tools worldwide. One big reason is that they let users integrate other apps into the platform itself through application programming interfaces (APIs). In a work environment, this cuts down on the time spent switching from app to app, streamlining workflows and increasing efficiency. While they’re valuable tools for connection and collaboration, they can also let threat actors silently enter the conversation, launch phishing campaigns, and access enterprise data. In fact, research shows that cybercriminals are already abusing these chat platforms for malicious purposes.
In recent years, phishing schemes have shifted from imitating logos and login screens to mimicking people’s behavior. Through social engineering and the use of intimate personal details, hackers can make an unauthorized and unusual request appear legitimate, lowering users’ suspicions. In business email compromise (BEC) scams, hackers build a pool of personal information from users’ known profiles, then exploit that familiarity to deceive users via email into authorizing an account transfer or divulging intellectual property. In fact, BEC schemes are so lucrative that 96% of polled businesses dealt with some form of them during the second half of 2017.
Even malware is getting harder to detect and prevent. By now, many users know to be wary of email attachments. But when ransomware is built to run commands and scripts directly, no one needs to click an attachment to initiate a download for malware to spread through an organization’s systems.
Per a Trend Micro blog, “What makes this particular security issue something for businesses to take note of is that there is currently no way to secure chat platforms from it without killing their functionality. Blocking the APIs of these chat platforms means rendering them useless, while monitoring network traffic for suspicious Discord/Slack/Telegram connections is practically futile as there is no discernible difference between those initiated by malware and those initiated by the user.”
The risks posed by email are well understood, but those associated with the current generation of chat applications still need to be ingrained in users. If authorized users can reach these company platforms from their mobile devices, from personal computers at home, or from other remote equipment via the web, the risks are magnified further. Login credentials can be viewed and stolen, potentially allowing attackers to compromise the authorized user’s access, disrupt the messaging application for the entire enterprise, or impersonate that trusted user and send destructive messages that are unlikely to be monitored, flagged as suspicious, or intercepted.
Security Assurance Begins with a Solid Agenda
As with any security program, every company will have its own communication requirements and considerations. However, prior to rolling out a new internal communications platform, it’s important to have proper controls in place:
- Check all the online tools your organization uses to communicate, including instant message platforms, project management apps, and even social media sites. Confirm what security features they have and what steps they take to ensure that messages are protected. If you find that any of your chosen applications have a history of data breaches or unsafe practices, it’s time to switch.
- Enable multi-factor authentication (MFA) wherever possible. Keeping unauthorized users out of these sensitive communication channels is critical, both to stop them from being used to steal company information and to stop them from being used as an attack vector.
- Analyze company networks. What networks are being used to exchange messages, and what networks are allowed? Make sure your Wi-Fi network is secured, and ensure that all devices connected to it are also secured, especially in the era of the internet of things (IoT). You may also consider limiting the use of company devices on public, unsecured networks, or using safeguards like virtual private networks (VPNs) to mitigate those risks.
- Make sure your communication applications can encrypt messages, both in transit and at rest, and that they support multi-factor authentication in addition to the basic features that meet your organization’s workflow requirements. A lost personal device can mean lost information, which is another reason encryption is so critical.
- Determine how your message logs are being stored. This may be a question for your chat app or email hosting provider but, either way, you should have an answer. If your messages are accessible on a cloud server, or on a local hard drive, who has access to those messages? And how protected are they against an external threat? The use of cloud storage can also result in data leakage, especially if file attachments are stored without proper access controls.
- Review the company’s Bring Your Own Device (BYOD) policy and make sure your employees are following it exactly. Any device that has access to your messaging networks could, if compromised, provide access to all your historical messages. Likewise, if they use an unauthorized device or use a company device at home on an unsecured network, it could spell big trouble for your business.
- Pay attention to what other systems your messaging apps are connecting to. For example, your project management app might tie into your accounting app or a sales management app, or use plugins that modify its features. Any security vulnerability in this extended network could feasibly grant access to your messages, so make sure you investigate them individually and take action on any vulnerabilities found.
- Develop guidelines for proper use. For example: What information can or cannot be shared via internal instant messaging channels? Which employees are allowed admin access? Is the platform for internal use only among authorized users or can employees use it to connect with users outside your organization? But don’t stop there! Be sure to train users on those guidelines—and, just as important, enforce them.
- Keep your devices and apps updated, and run periodic audits to make sure you’re in line with modern standards.
Don’t Let Your Cybersecurity Fall Behind
Day in and day out, employees connect with one another via the various internal communication platforms within your organization. Sometimes what they say to one another is personal and won’t affect the security or operations of your business. Often, however, it’s how people quickly exchange information about the projects they’re working on, share documents, or troubleshoot a work-related issue.
Nothing stays the same for long, especially in the world of technology. As new, more functional communication tools become available, and cybercriminals become increasingly devious, it’s important to remember that your security considerations may need to change as well. With so much business-critical information being transmitted across these platforms, having the proper security controls and protocols in place is essential to keep your virtual walls from talking.