Keeping your business and personal instant messages secure

Most people want to know their instant messages are securely wrapped up—whether that’s for personal privacy or making sure online scammers can’t grab the message content. If you’re sending text on a sensitive topic, or perhaps some photo attachments intended for one person only, you definitely wouldn’t want them falling into the wrong hands.

The same goes for business; what’s to prevent a disgruntled employee sending messages outside the network? There are a lot of solutions out there for better securing IMs. Here’s what we recommend.

The business cases

Many industries have compliance issues to contend with, and rogue IMs are one of the easiest ways to fall foul of an eye-watering fine. IM controls have been around for years as far as business is concerned, and most companies affected by this tend to have a number of solutions in place. Here are a few we suggest:

1) Securing IMs with company-issued mobile devices. Many people will happily use their own phones for work-related activities, which could pose a risk if left unsecured. In principle, these policies should be decided upon by the business itself, but that’s not quite accurate in practice, with various authorities taking a dim view of Bring Your Own Device (BYOD, also known as Shadow IT).

As a result, many orgs will now simply issue locked-down, pre-secured phones, which don’t allow things like user-initiated installation of apps. It’s also a lot easier to kill those phones remotely if lost, rather than endure a general smattering of panic as Steve from marketing tries to remember if he signed his personal phone up to a find my phone service.

2) The usual staff training on best practices and sensible device use, in particular extending the training into the types of message sent, and why sending company secrets around by SMS is probably a bad idea.

3) Monitor messages sent on the network. This is tricky, especially when the company decides to use an ultra-secure messaging app. How do you monitor and log the message content when everything is scrambled? Companies must decide what falls in line with their own practices, whether that’s fully secured (and thus unable to be monitored) messaging, or secured with monitoring capabilities.

There are many solutions out there which can control comms, block out keywords or phrases (and send a message back to base if it detects something like a corporate secret being mentioned), in addition to logging and archiving multiple types of IM messaging.

In fact, providers of IM for business will often include their own (occasionally limited) archiving or logging for ease of use, and will work with compliance solution providers to ensure a result which works for everyone (besides the would-be corporate secrets sharer).

Generally speaking, business IMs are much more secure than personal IMing (or at least, given the possibility for getting in trouble with the law, they should be), but the weight of said security tends to lie in the direction of the parent company. The employee is just one part of a large machine trying to keep the organisation as a whole safe from harm.

The personal cases

Of course, with the device being fully your own, you’re free to break out of necessarily restrictive business requirements and grab whatever tool you like to send an instant message. The flipside is, you’re completely on your own and the standard, boilerplate caveats about “not downloading random junk that’s bad for your phone” apply.

There are many, many pieces of coverage online about secure instant messaging. You can easily dig through lots of top-five-style lists and see what, exactly, is on offer versus your needs and expectations. Perhaps you want no-frills IM lockdown. Maybe you want the ability to send secure SMS, even accounting for the fact you may need to do a little reading to help you on your way.

Whatever you need, there is absolutely going to be something out there for you which fills the gap alongside in-depth instructions for using your shiny new messaging system. Half the time, the biggest problem is convincing the friends or relatives you want to communicate securely with to download the same program. Apart from that potential roadblock, secure IM is but a few clicks away.

The real-world case

What I tend to be most interested in with regard to secure IM isn’t so much the app going horribly wrong, but the possible assumption that after a quick download the job is done and your messages are safe forever. In practice, we tend to forget really obvious problems where secure bits of text are concerned. You may wish to keep the following in mind:

1) Your messages are likely more than secure enough if you’re using one of the apps from the “what’s on offer” link up above, be it Signal, Telegram, or Wickr. The problem is that you still have them all sitting there in plain text, on your phone screen, for anyone to see. While this may seem obvious, you’d be amazed at the number of people who loudly state everything from date of birth to bank details on a bus / train / plane / quite literally anything at all.

By the same token, people leave their devices unattended all over the place, often without any sort of lock screen enabled. If you have messages you’d really rather not expose to prying eyes, consider leaving them well alone in public unless absolutely necessary. If that’s not possible, be aware of your surroundings and keep an eye out for potential shoulder surfers.

You should also keep in mind that not everyone you talk to on IM may be trustworthy; sure, the messages are sent in a secure manner but that doesn’t mean the recipient can’t take a bunch of screenshots and post them online.

2) Did I mention lock screens? I hope so, because those are really, really useful for helping to ward off a case of exposed message syndrome should your phone be lost or stolen. If you have an iPad or iPhone, then this comprehensive guide to locking your screen is what you need. If you’re on Android, the same deal applies.

3) Unfortunately, the lock screen isn’t a magic bullet. Depending on your specific device, which network you’re with, and how many security options you’ve set, you may well be able to disable any locks applied via various network-operated websites. In theory, a clever social engineer could pretend to be you, find the lost phone (skip this part if they stole it), and log right in.

Either way, if find my phone doesn’t work, or the device is languishing somewhere utterly inaccessible like a really big storm drain, you should have the “wipe device remotely” option available at least. Sure, your texts will go bang, but in a situation like that, you’d likely have additional content on the phone you wouldn’t want going public anyway.

The first rule of collateral damage club is don’t join collateral damage club.

Otherwise, cut your losses and hope you made a backup first.

Instant messaging might have fallen out of the news cycle a little over the years, but it never really went away and is still one of the best methods for communication around. Better than that, there’s now a truly diverse set of options available to give yourself the privacy you feel you might need when sending an IM.

You may not need locked down messaging right now, but should the situation ever arise, the tech is ready. Just make sure you have the real-world considerations locked down, too.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.