Top 5 considerations for secure, private and compliant messaging
For some industries, secure messaging isn’t simply a 'nice to have' - it’s essential. If you are in certain industries such as legal, finance, insurance or healthcare, you need to comply with strict regulation around the distribution of sensitive data.
Putting compliance aside, keeping personal information private and secure is important for trust and customer loyalty. No one wants their medical records leaked, and legal correspondence has a high potential for misuse, with legal ramifications for the firm that let it slip.
Even in industries where secure messaging is not necessarily required, such as supply chain logistics, it’s important to know that the right message was received by the right person in order to ensure the smooth flow of inventory. With just-in-time delivery becoming an essential part of supply chains around the world, fast, secure messaging will become an increasingly important issue.
But, what does ‘secure messaging’ entail? How can a business working in these sensitive industries protect customer data?
Here are the top five things to consider for secure, private, compliant messaging.
1) Privacy: Only the intended recipient can access and view your message
One of the most basic requirements of secure messaging is that only the intended recipient receives and accesses the message contents. The natural assumption is that, by sending a message to a specific recipient, only that recipient will read it. And, while most people have some kind of lock on their phone, not everyone treats it with the care that sensitive messages deserve.
Limiting the message contents to the intended recipient is much harder than you may think. People share their phone PINs with friends and family, message contents show up as notification previews on lock screens, and phones can be compromised. Two low-cost controls help: hide notification contents on the lock screen (Android's "Sensitive notifications" setting and iOS's "Show Previews: When Unlocked"), and lock individual apps, a feature many phone OS versions now offer. But both live on the recipient's phone, so how can you ensure that clients actually turn them on?
Some messaging apps built specifically for secure messaging, such as YEO (Your Eyes Only) Messaging, require facial recognition to unlock the app or message contents. Furthermore, it continually monitors the face while the message is being read, hiding the message whenever anyone other than the intended recipient is in front of the camera. This keeps messages away from prying eyes, whether a casual glance at the lock screen or someone who knows the PIN code, and keeps the sender in control of who sees the message after it has been delivered.
2) Security: Messages can’t be intercepted
An issue that has seen a lot of press recently is message interception. Malicious actors, or even the operator of the service itself, may be able to read message contents on the servers that carry the message from the sender's platform to the client's phone. In fact, a message may pass through a number of servers on its journey to another phone, and each hop is another place where it can be read or logged if it is not protected.
The main way of closing this gap is end-to-end encryption. The message is encrypted on the sender's phone and decrypted only on the recipient's phone, using keys that exist only on those two devices; the servers in between relay ciphertext they cannot read. Even if a malicious actor compromised a server, they could not decrypt the messages stored or passing through it without the recipient's private key. The same applies to the business running the platform, which, if the design is sound, cannot make sense of the message contents even if it decided to take a peek. Three caveats a practitioner should check: the app must verify that the public key it encrypts to really belongs to the recipient (for example by comparing safety numbers out of band), otherwise the server could substitute its own key; routing metadata (who messaged whom, and when) is still visible to the server; and a plaintext cloud backup of the chat history undoes the protection at the endpoint.
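The following is an added example (not YEO's code or any product's implementation) of the end-to-end model just described: two endpoints derive a shared AES-256-GCM key from X25519 key agreement, and a relay that holds only public keys and ciphertext cannot open, alter or re-address an envelope. Party and field names are constructed for illustration; SHA-256 over the raw shared secret is an assumed stand-in for a proper KDF such as HKDF, and the static keys give no forward secrecy, which real messengers add with a ratchet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one endpoint (a phone). Only it holds its X25519 private key;
// the relay server only ever sees public keys and ciphertext.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair for an endpoint.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the only key material an endpoint uploads to the server.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// sessionKey turns the X25519 shared secret into an AES-256-GCM AEAD.
// Assumption: SHA-256 over the raw shared secret stands in for a proper
// KDF (HKDF) so the example stays standard-library only.
func (p *Party) sessionKey(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is what the relay server stores and forwards. Routing metadata
// stays in the clear (the server needs it to route); the body is ciphertext.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext for the holder of peerPub. Sender and recipient
// names are bound as associated data, so the server cannot re-address it.
func (p *Party) Encrypt(peerPub []byte, to string, plaintext []byte) (Envelope, error) {
	aead, err := p.sessionKey(peerPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(p.Name + "->" + to)
	ct := aead.Seal(nil, nonce, plaintext, aad)
	return Envelope{From: p.Name, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens an envelope from the holder of peerPub. It fails on the wrong
// key, a modified ciphertext or modified routing metadata.
func (p *Party) Decrypt(peerPub []byte, env Envelope) ([]byte, error) {
	aead, err := p.sessionKey(peerPub)
	if err != nil {
		return nil, err
	}
	aad := []byte(env.From + "->" + env.To)
	return aead.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	server, _ := NewParty("server") // the relay has keys of its own, but not Alice's or Bob's

	// Constructed sample message, not real data.
	env, _ := alice.Encrypt(bob.PublicKey(), "bob", []byte("Case 1234: settlement offer attached"))
	fmt.Printf("relay sees: %s -> %s, %d bytes of ciphertext\n", env.From, env.To, len(env.Ciphertext))
	if _, err := server.Decrypt(alice.PublicKey(), env); err != nil {
		fmt.Println("relay cannot open it:", err)
	}
	pt, _ := bob.Decrypt(alice.PublicKey(), env)
	fmt.Println("bob reads:", string(pt))
}
```

The part this example deliberately leaves out is the hard one in practice: `Encrypt` trusts whatever `peerPub` it is handed. If the relay can hand Alice its own public key in Bob's name, it becomes a man in the middle, which is why messengers show safety numbers or QR codes for users to compare.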
3) Security: Messages can’t be remotely accessed
The other major security vulnerability is the phone itself. End-to-end encryption protects the message contents in transit, but what about once it reaches a user's phone? If the phone has been compromised and spyware installed, even the strongest encryption and facial recognition are of little use, because the attacker simply reads the message once it has been decrypted and displayed.
Keeping spyware off the phone is mostly a matter of hygiene: install OS and app updates promptly, install apps only from the official stores, never sideload, and treat unexpected links in messages and emails with suspicion. On Android, mobile security software can additionally flag known spyware families; on iOS there is no equivalent scanning, and high-risk users are better served by Lockdown Mode and regular reboots.
Aside from malicious links, third parties may try to install spyware or phone-mirroring software by physically accessing the phone. To limit that opportunity, users should keep their phone on their person or locked in a secure location, and keep a strong passcode rather than a four-digit PIN.
If you work in an industry that regularly sends sensitive information to clients via phone messaging, it is worth educating clients on the risks they face from spyware and providing recommendations on how to limit exposure, such as the practices above. A system such as YEO Messaging, which requires the recipient's face to be present before it displays a message, adds a further layer on top of that, but it does not replace a clean phone.
4) Control: Limiting exposure of message contents
Another way malicious actors get at message contents is by capturing the screen while the app is open. Spyware that has obtained screen-capture permission, or that runs with root privileges, can grab the screen every few seconds and upload the images to a remote server. Such code can be hard for security software to detect because it is often written to cover its tracks or simply lie dormant until the target app is opened.
To give an idea of how effective such malware can be, Flame, discovered by Kaspersky Lab in 2012, had infected roughly 1,000 Windows machines, mostly in Iran and the Middle East, including government organisations. Among other things it captured screenshots, recorded audio, and used Bluetooth to collect information about nearby devices. Flame was desktop malware rather than phone malware, but the screenshot-stealing technique is exactly the one mobile spyware uses today.
One control YEO Messaging uses against this is to block screenshots while the app is open. On Android this kind of control is provided by the FLAG_SECURE window flag, which also blanks the app in screen recordings and the recent-apps view; iOS has no equivalent, only a notification after a screenshot has been taken and a flag indicating that the screen is being mirrored or recorded. The caveat is that these controls stop software that goes through the OS's normal capture path. Malware running as root, or an abusive accessibility service that reads the text of on-screen views directly, sits below that control, which is why the phone hygiene in the previous section still matters.
5) Control: Restricting access to safe spaces
The most low-tech way malicious actors steal sensitive data is simply to look at your phone while you are reading the message. People are often so engrossed in the message contents that they do not notice someone looking over their shoulder.
Say, for example, you receive a message on a secure app while out at lunch. The phone and app have facial recognition unlock, end-to-end encryption, and no malware, yet someone could simply walk up behind you and read the message.
It seems impossible to stop such a low-tech breach, but it can be made much harder. One effective control is to geofence the app unlock to secure locations, such as the office or home, so that the app cannot even be opened unless the user is in a space where they can be reasonably sure no one is looking over their shoulder. Treat geofencing as a policy control rather than a cryptographic one: location can be spoofed with mock-location settings or on a rooted phone, GPS accuracy indoors is often tens of metres, and a sound implementation fails closed, refusing to unlock on a stale, imprecise or mocked fix rather than guessing.
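The following is an added example (not YEO's code or any product's implementation) of the fail-closed geofence policy just described: the unlock is granted only when a fresh, non-mocked, sufficiently precise location fix has its whole uncertainty circle inside a safe zone. The zone coordinates and fixes are constructed for illustration, and the `IsMock` field is assumed to be plumbed through from the platform (on Android, `Location.isFromMockProvider()`).

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// SafeZone is a circle around a trusted location such as an office or home.
type SafeZone struct {
	Name     string
	Lat, Lon float64 // degrees
	RadiusM  float64 // metres
}

// Fix is a location reading as the OS reports it. IsMock is assumed to be
// plumbed through from the platform (e.g. Android's Location.isFromMockProvider()).
type Fix struct {
	Lat, Lon   float64
	AccuracyM  float64 // radius within which the OS is ~68% confident
	AgeSeconds float64 // how old the reading is
	IsMock     bool
}

var (
	ErrMockLocation = errors.New("location comes from a mock provider")
	ErrStaleFix     = errors.New("location reading is too old")
	ErrLowAccuracy  = errors.New("location reading is too imprecise")
	ErrOutsideZones = errors.New("not inside any safe zone")
)

// haversineMetres is the great-circle distance between two lat/lon points.
func haversineMetres(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusM = 6371000.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

// CanUnlock is the fail-closed policy: refuse mocked, stale or imprecise fixes,
// and require the whole uncertainty circle to sit inside a zone so a reading
// at the edge of the car park does not count as "in the office".
func CanUnlock(fix Fix, zones []SafeZone, maxAgeS, maxAccuracyM float64) (string, error) {
	switch {
	case fix.IsMock:
		return "", ErrMockLocation
	case fix.AgeSeconds > maxAgeS:
		return "", ErrStaleFix
	case fix.AccuracyM > maxAccuracyM:
		return "", ErrLowAccuracy
	}
	for _, z := range zones {
		if haversineMetres(fix.Lat, fix.Lon, z.Lat, z.Lon)+fix.AccuracyM <= z.RadiusM {
			return z.Name, nil
		}
	}
	return "", ErrOutsideZones
}

func main() {
	// Constructed zones and fixes, not real customer data.
	zones := []SafeZone{{Name: "office", Lat: 51.5074, Lon: -0.1278, RadiusM: 150}}
	fixes := map[string]Fix{
		"at desk":  {Lat: 51.5074, Lon: -0.1278, AccuracyM: 15, AgeSeconds: 5},
		"at lunch": {Lat: 51.5174, Lon: -0.1278, AccuracyM: 15, AgeSeconds: 5},
		"spoofed":  {Lat: 51.5074, Lon: -0.1278, AccuracyM: 15, AgeSeconds: 5, IsMock: true},
		"weak GPS": {Lat: 51.5074, Lon: -0.1278, AccuracyM: 400, AgeSeconds: 5},
	}
	for name, f := range fixes {
		zone, err := CanUnlock(f, zones, 60, 50)
		fmt.Printf("%-9s -> zone=%q err=%v\n", name, zone, err)
	}
}
```

The distance-plus-accuracy test is the detail most simple geofences get wrong: checking only the centre point lets a reading 140 m from the office with 60 m of uncertainty unlock the app when the user may well be in the street outside.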
By taking these precautions, those working in sensitive industries can communicate with clients, partners, suppliers, and so on with far greater confidence that the message contents will reach, and stay with, the intended recipient. Not only will this help make your communication compliant with even the strictest regulations, but it will also engender trust and customer loyalty in your business.