Companies operating in regulated sectors in the US, like finance or healthcare, are legally required by federal laws to archive all their business communications, including emails, SMS, and other electronic messages; this is an effort to ensure employees are not avoiding or bypassing anti-fraud or antitrust laws. Civilian government and Department of Defense organizations are now being asked to maintain SMS and call logs to comply with records maintenance and FOIA request requirements.
The pandemic boosted the use of private devices – from laptops to tablets and smartphones – to perform business tasks and communications more than ever before, to ensure business continuity. However, most corporations and their employees were not ready for that and adopted a cavalier attitude, which might have been okay in some sectors as a temporary option to keep the business running, but this kept going on for a while and created a huge problem for some companies, especially regulated industries. For example, consumer Instant Messaging (IM) solutions like WhatsApp, Telegram, and Signal, allowing people to exchange end-to-end encrypted content-expiring messages, including photos, videos, and file attachments, have been increasingly used. However, these solutions have not only been limited to private communications, which is what they are designed for, but also used for business-related ones; this causes an issue as employees are bypassing the security mechanisms put in place by their company to comply with existing data regulations and laws, and they are putting themselves at risk not only from a business perspective but also a legal one.
Several international banks have already been sanctioned by their regulatory bodies with multi-billion-dollar fines for not ensuring their employees are using only auditable, enterprise-grade messaging applications for all their business-related communications, either in terms of providing them with the right tools or simply turning a blind eye to such practices.
What We Need
First, we need to ensure there is a copy available for all of transmission, archived on a separate storage, either on-site or on the cloud, under our control, that we can use, if need be, for auditing purpose.
Second, we need to ensure that all these messages are stored properly and kept for a minimum amount of time, following local and federal regulations (e.g., 30 days), so they can be audited later if needed, either internally (e.g., employees suspected to have left with specific strategic information, like IP) or by an external party, from regulators to law enforcement and the justice administration.
Ideally, all regulated users should be using Corporate-Owned, Business Only (COBO) devices provided by their employers that are fully managed and auditable to ensure maximum levels of security. While it does not apply to every single employee, even within a regulated business, it should be the golden rule for key, strategic employees handling business-sensitive information. This is quite easily achievable from a technical perspective using the right tools and processes on corporate-owned, managed devices, as these are fully controlled by the organization.
However, if a company also wants to allow the use of corporate-owned devices for private matters (COPE) or even allow the use of personal devices to conduct business tasks (BYOD), there MUST be security policies in place and enforced on those devices, to prevent any data leaks.
Enforcing similar levels of security and audit on personally owned devices – over which organizations have little to no control and visibility – as well as controlling data flows between managed, corporate apps and unmanaged, persona apps to avoid any intentional or unintentional data leakage of business-related data, is the real challenge here.
Steps to Take
Best practice would strongly recommend against using personal devices for regulated industries. Bring Your Own Device (BYOD) might be a good idea for some businesses, depending their size, budget, and line of business they are in, but the lack of control and management on such devices does not make them an option for highly-regulated businesses, where all information – from emails, to SMS, and chat messages – needs to be archived so they can later be audited, either from the organization itself or by an authorized third-party, from regulators (e.g., banking, healthcare) to law enforcement and justice department, for example in the case of a legal investigation.
We cannot prevent an employee from talking to another or a competitor using their phone, making private calls, or sending messages on 3rd party private messaging solutions, but we at least need to ensure that everything possible is in control.
First, allow only COPE/COBO if possible, restrict access to BYOD. Understanding your business requirements and enforcing accordingly makes your employees work life easier. COPE helps balance work and private life, while ensuring there is no data leakage. On COPE, employees can use containerized mobile apps with DLP security rules to ensure work data (e.g., contacts details, emails, SMS) cannot be forwarded and/or reused by personal apps. Shadow IT should be avoided, as it does not offer auditability.
Next, implement an auditable, enterprise-grade Instant Messaging (IM) solution. Implement a solution that will provide auditability, by keeping records of all business-related messages.
And this not only for regulated businesses, but some other industries might also require companies to be able to audit their employees work-related communications. It is important to define scope, as it can eventually be only for some employees but not for all, both for privacy and cost reasons (per-user or per-device subscription license).
Finally, remember that corporate-owned devices, where the voice subscription is provided by the company, also provide the option of retrieving call and SMS logs directly from the carrier themselves, directly at the source.
Which secure messaging solution to choose?
There are several factors to consider when looking for a secure, enterprise-grade, instant messaging solution.
We understand that auditability is only one small piece of your overall security strategy, and that there is no “one-size-fits-all" solution. ISEC7 has worked extensively with organizations large and small in both the private and public sector to enhance their security posture and fortify their ecosystems through the industry best practices, a curated product suite, and most importantly training. Please reach out to the team at ISEC7, and we can complete a security assessment and help you navigate the options available to you to help strengthen and protect your infrastructure and meet auditing requirements.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group