Security of information, networks and corporate assets is a paramount concern for enterprises. In the US alone, malware attacks in 2020 ranged from Twitter to Zoom to Finastra to Marriott Hotels.
Research predicts data loss from this kind of attack to cost US$10.5 trillion a year by 2025. However, it is a long, hard road back for an organization after a malware attack, both in terms of recovery and reputation. Understandably, enterprises remain extremely concerned about malware in corporate systems.
A new way in
More and more businesses use messaging applications like WhatsApp, WeChat, Signal, Telegram and LINE to communicate with customers, especially in these uncertain times of hybrid working. As a result, hackers see messaging applications as a new channel to target corporate networks.
To date, the majority of malware on phones has focused on less impactful, more consumer-oriented actions: for example, repeatedly sending an SMS in the background to a premium-cost number, or locking phone access. However, employees now access more corporate assets from phones. Additionally, conversations on messaging applications carry more kinds of data in the form of file attachments and links. As a result, the opportunities for malware insertion into enterprises are rising.
While there is encryption on the messages themselves, potentially there is little to no protection against malware contained in files sent via a messaging application. This is especially troublesome if those files are then uploaded to the corporate system through a back-up or saving onto a company server where someone else inside the network could open them.
Are mobile applications less safe than email?
No. However, more challenges arise when protecting these devices compared to a static corporate email network. Mobile Device Management (MDM) systems that enable Bring Your Own Device programs don’t focus on this aspect of mobile management. They often default to third-party software to manage malware and security threats.
Scammers use many of the same tactics on messaging applications as they do in a traditional phishing attack. For example, the employee receives what they think is a standard customer query that contains a file or a shortened link. The very intimacy and immediacy that are the benefit of messaging applications are, in this case, a downside.
Employees are more likely to let down their guard in messaging applications or chat apps as the conversations are in “real-time” and on a platform of their choosing. Given it is a potential business conversation – sometimes with someone they don’t know or haven’t met – they are more inclined to communicate with someone who demonstrates interest in them or their company or product.
What should enterprises do?
There are several things to consider:
In a world of Bring Your Own Device, organizations have little to no control over what applications employees download on a personal device and from where. An employee obviously has the right to install applications on their personal device, but the provenance of these applications is a concern for enterprises. Clear guidelines, protocols and expectations for employees are crucial, as are any parameters for ring-fencing corporate applications from personal ones.
Update, update, update
Update all software and plugins regularly with the latest security patches. Employees need to understand requirements and how to execute updates.
Data – protection and expectation
If corporate data is on the phone, enterprises should ensure two things. First, that there is a consistent back-up program in place to make sure data stored on the phone is also kept in a back-up file separate from the device. Second, that expectations are set with employees about what data can and cannot be stored on the device.
Ensure the enterprise MDM has third-party security software deployed across all employee phones, both corporate and BYOD. This third-party software must be regularly updated and should ideally come from a reputable company. This provides on-device first-line protection against anything that is a known threat, assuming it is opened on the mobile.
36% of breaches in 2020 involved phishing, an increase of 11% over the previous year. Phishing is still seen as primarily an email-based risk. However, new channels like messaging applications are increasingly popular. It is vital to ensure that employees know that mobiles are as vulnerable to social engineering like phishing and corrupted files as email or other more traditional points of entry.
Secure Messaging Solution
Central to proactive protection of corporate assets, employees and customers is a secure messaging solution. LeapXpert’s Federated Messaging Orchestration Platform has safeguards built in that help secure data. It has options for malware and security protection specifically for messaging application conversations suitable for different organizations. Additionally, enterprises can control what information employees can receive and send to limit the likelihood of malware being received. Admins have a real-time view of messages, attachments and any breach or concern which can deliver earlier detection of any breach.
Ultimately, once an enterprise or its employees adopt consumer messaging applications as a communication channel, a new malware threat vector emerges. Traditional anti-virus and malware tools can scan and protect against malware in emails, but they don’t have any facility to handle messaging applications. This is where LeapXpert’s FMOP comes into play. Anything shared from external parties is scanned in real-time and suspicious or infected files are rejected immediately, in-flight. This ensures that the security perimeter of enterprises remains safe from those threats.
Social engineering attacks, phishing, and malware are not likely to go away any time soon. More likely are shifts in how they reach employees and customers, particularly as messaging applications increase in use. It is imperative that enterprises consider how to secure their corporate assets against incursion through messaging applications. These key areas aid enterprises as they continue to enjoy the many benefits for both employees and customers presented by messaging applications. In this case, prevention really is better than a cure.
Next week we will continue our discussion of security in the messaging space.