Last week we released the results of a piece of research we carried out into the careless and malicious things people do that put their employer's data at risk.
Some of the results raise eyebrows and others are downright staggering. For example, one in ten people questioned admit to visiting adult websites on a work laptop or while connected to the company network. Appropriateness aside, high-traffic sites of this kind are a well-known vehicle for malvertising and drive-by downloads. To accompany this, 13% of people also admitted to downloading pirated material on a work device, another sure-fire way to invite malicious software onto your company network. Whilst Jean in accounts is enjoying a ripped-off Hollywood blockbuster, somewhere a security admin is crying.
The most interesting trend to emerge, for me, was the growing number of people admitting to using popular messaging apps like WhatsApp, Telegram and even Facebook Messenger to share work documents. Nearly a quarter of all people questioned admitted to using such services for this. To a security person, this is a new level of consumerised IT hell.
Such apps create the ideal conditions for careless or malicious handling of data at your weakest point, your people, for a number of reasons. Firstly, I am of the opinion that when using consumer services, any data security training your employees have instantly evaporates. Mentally programmed in tiny increments by millions of messages about tonight's dinner or plans for the weekend, and combined with a UX that begs for interaction, people become share-happy. Documents are out of the door before rational thought kicks in.
Such apps, especially on a mobile platform, are also designed to integrate deeply with the everyday work tools that hold confidential data. Through the OS share sheet, a single tap sends a document straight from Google Drive, email, DocuSign or another cloud service into a chat. Again, bye bye spreadsheets and confidential data.
Malicious actors have realised this weakness and are abusing it. 'Wishing' (WhatsApp phishing) is becoming a more commonly used technique. Essentially, criminals impersonate a person or company you trust on WhatsApp, anything from a work colleague to a supplier, and make a plausible-looking request for information. In the enterprise, this could be anything from a request to share accounts spreadsheets or customer databases, to a spear phish aimed at the CEO requesting a bank transfer. Given the medium, where the only identity signal is a phone number and a self-chosen display name, and where none of the sender checks an email gateway applies exist, many won't question the validity of the message. This isn't limited to WhatsApp either. The same approach works across anything from Telegram and Tinder to Facebook Messenger. If your employees are on it, a creative attacker will doubtless be able to exploit them in some way.
This is a problem that is not going away. Companies like WhatsApp are starting to push enterprise offerings, and people will always find a way to use consumer cloud services in a way that puts your enterprise data at risk. For this reason, blocking everything just doesn't work. People can be surprisingly creative when they want to add their emojis to the group chat.
Like the IT security equivalent of the grief cycle, you have to reach acceptance before anything improves. Only granular monitoring that gives security teams visibility of each specific dangerous action touching their data, such as sharing files or clicking links inside messages, and the ability to stop those actions, will address the problem. One caveat worth stating plainly: these apps are end-to-end encrypted, so the network perimeter sees nothing useful, and the control point has to be the device itself, typically through mobile device or application management and endpoint DLP. The desire to communicate is hardwired into humans, so with a bit of thought and the deployment of clever technology, you can make this safe.