Back when WhatsApp released their new data-sharing policies, public outrage over privacy concerns caused users to flock to rivals like Signal and Telegram nearly overnight.
However, even as weekly data breaches continue to bring the largest corporations and governments to their knees, we aren't seeing the same backlash in the world of enterprise communications. For example, after hackers leveraged a vulnerability in a SolarWinds software update to gain entry into US government networks, they found much of the federal Microsoft Office 365 platform wide open to them. Forensic reports suggested that the hackers were able to monitor staff email accounts for months before they were noticed.
Similarly, less than a month later, a series of vulnerabilities in on-premises versions of Microsoft Exchange Servers enabled the China-based HAFNIUM group to browse the email accounts of thousands of organizations around the world.
What we're finding, then, is that even the most secure companies remain entirely at risk in the event that their third-party communication channels are compromised. And, while many companies have brushed off the headlines and continue to operate business as usual, Silent Breach has already begun working with many of our clients to fully transform their communications stacks, ensuring that in the event of the next breach (a question of when, not if) they won't find their sensitive data, files, and credentials splashed across the Dark Web.
The Status Quo
Currently, companies divide their communications between several channels. Emails maintain their place as the dominant form of corporate communication, but a more versatile work environment has shifted a substantial share of communications to messaging apps (like Slack and MS Teams), video chats (like Zoom and Google Meet), as well as file-sharing cloud services (like Dropbox and Drive).
While each service comes with its own package of pros and cons, the common denominator remains the same: none of these platforms provides end-to-end encryption (E2EE), data is mostly delivered in plaintext, and it often remains widely available to insider threats and phishing campaigns (such as the one that compromised some of Twitter's most popular accounts).
We could easily go service-by-service and list their most compromising breaches to date, like the Dropbox breach which compromised 2.2 billion accounts or the recent Slack hack that compromised 100,000. But that's hardly necessary.
Instead, let's discuss possible solutions.
Not all data is created equal.
That is to say that data needs to be categorized by sensitivity before it can be properly managed. For example, it would be overly tedious to handle your grocery list in the same way that you handle your credit card information. The same holds true of business communications.
Accordingly, none of the above tools is inherently bad, nor should any of them be avoided altogether. On the contrary, they provide immense value and continue to enhance the way that we interact and conduct business. The problem, however, is that these tools are often misused. Because they are so simple, users will often default to the easiest tool available, regardless of whether it's actually suited to their purposes. The major shift, then, is a matter of behavior and company culture, rather than introducing some radically new technology.
That being said, there are a host of emerging platforms that will help your organization communicate more securely and seamlessly.
As an alternative to Slack, several companies have launched secure chat applications geared toward the workplace. Some examples include Keybase, Wickr, and Semaphor. Alternatively, some organizations prefer to handle sensitive internal communications through their own native platforms, a secure texting platform like Signal, or PGP-encrypted emails.
Which brings us to our next category:
One of the major downsides of tools like Keybase or Semaphor is that they really only work for internal communication but are rendered nearly useless when you need to send a sensitive message to an external entity.
This is where companies will almost always fall back on old-school emails or a similarly popular platform, like Slack. But there is an alternative.
Companies like SharePass offer the ability to embed a link in your email or chat message which, when clicked on, will send the user to an E2EE message. Links can be set to expire and, in the event of a breach, do not contain any sensitive data. This way, organizations can stick with their current channels, while vastly upgrading their security profile. Even better, SharePass is optimized for credential sharing, JSON file transfers, as well as QR codes and standard messages. Crucially, solutions like SharePass are fully accessible on the web and don't require you to download any new software.
Finally, there's a whole suite of tools that enable the secure transfer of particular types of data. For example, Keeper specializes in password management and credential transfers, Sync is a secure alternative to Dropbox, and many credit card providers now allow you to generate single-use numbers for safer sharing.
With remote work here to stay, acquiring a robust set of multimedia communication capabilities will become ever more central to your business success. And the way in which you secure this additional data will set you apart from your rivals, provide crucial reassurance to your clients, and enable you to continue business operations in the event of a cybersecurity breach. All of this goes without saying. However, the challenge lies in selecting the appropriate technologies that complement your particular business structure, industry, and risk appetite. The tools are already out there; all you have to do is pick them up.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.