The UK’s Financial Conduct Authority (FCA) recently made headlines for cracking down on communication over private messaging apps and SMS. The UK’s watchdog questioned top banks over the use of personal communications tools by staff after 16 banks – including Barclays, Citigroup, Goldman Sachs and Morgan Stanley – were fined $1.8bn in the US after staff were found to have discussed deals on private apps.
This issue isn’t new. Last year, a court order called for the investigation of former health secretary Matt Hancock’s WhatsApp messages as part of a legal battle over millions of pounds’ worth of antibody test contracts handed out during the coronavirus pandemic. It’s clear that apps such as WhatsApp, Telegram and others have become everyday tools for business deals.
The Risks
Despite their convenience, using these channels to discuss business deals and share sensitive data poses a major compliance risk for many organisations. The pandemic is believed to have triggered an increase in the use of messaging, collaboration and video-conferencing tools as they gave organisations a semblance of ‘business as usual’. But what may have been implemented as a substitute for inter-employee meetings quickly spun out to cover all sorts of different business interactions that were never intended to take place on these platforms. Veritas research found that almost three-quarters of employees admitted to sharing sensitive and business-critical company data on channels such as WhatsApp, text or Zoom.
This leaves organisations open to a whole host of dangers, from data loss to non-compliance, to ransomware threats.
The Challenge
The challenge for financial service organisations now is that the genie is out of the bottle. The workforce knows that the best way to reach their clients is very often to hit them up on whatever messaging app they may have on their phone. Telling them to stop can feel like the business is shackling their productivity, and a blanket ban will often simply push the use of these messaging services underground. And that makes compliance and security even harder to manage.
It’s time businesses take back control and tackle this risk head-on.
Accepting Risk and Taking Back Control
If businesses want to move forward without hampering productivity, accepting the use of newer channels while also recognising the risks, what can they do?
The answer is to learn to treat these messaging platforms in the same way that we treat more established methods of communications. Collaboration and messaging tools should be incorporated into the same eDiscovery and data backup policies that we have for email. Financial services organisations need to change the mindset from “find and stamp out the use of messaging tools” to “find and protect the use of messaging tools”. This will empower users to maximise the tools without putting the business at risk. Using what they prefer can yield better performance results.
Incorporating these communications tools will also improve visibility across the whole communications estate, enabling the IT team to identify risks that the network could be exposed to through these tools. Including cloud communications platforms is crucial in identifying problems quickly and isolating them before damage to data can spread. In other words, identifying a breach quickly and preventing damage is the priority.
In terms of compliance, knowing where data is held and protecting it is much more straightforward when it is centralised and conforms with the company’s data management protocols. As the movement towards using different newer communications channels evolved organically, many institutions have not caught up with this trend, and so have been caught out and fined. However, the technology is available to prevent this from happening in the future.
When compliance is high on the agenda, it often feels like the easiest option is to lock everything down and retreat to safety. Banning apps is the sure-fire way of making sure that their use doesn’t lead to a regulatory fine. But, in doing so, financial services firms also lock themselves out of opportunities. There are customers they’ll never reach and trades that they’ll never make. The alternative is to embrace change – and embrace new ways of communicating – but to ensure that the risks associated with that change are mitigated. That requires financial institutions to proactively engage with new apps and to bring them into their data management strategies.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.