How to avoid billion-dollar fines due to unsecured messaging apps

In September, the U.S. Security and Exchange Commission (SEC) issued $1.8 billion in fines to some of Wall Street’s biggest banks for their inability to keep private information secure when using internal communications. These banks, including Barclay’s, Bank of America, Citigroup Global Markets, Goldman Sachs, JP Morgan Chase and others, received these fines for their “widespread and longstanding failures to maintain and preserve work-related electronic communications,” according to a 451 Research report.

While financial institutions were the latest to be hit, this is not an isolated incident. Businesses across all industries are at risk of compromised data through unreliable messaging apps. And with the rise in remote and hybrid work environments and the adoption of bring-your-own-device (BYOD) practices in the workplace, data breaches and ransomware attacks are increasingly surfacing. 451 Research’s report stated that 68% of workers use their personal smartphones for both personal and business purposes, putting private company and client information at risk.

To avoid facing millions — or even billions — of dollars in fines from instances like these, enterprises should consider the risks of using unsecured messaging apps in the workplace and adjust their practices accordingly.

Risks unsecured messaging apps pose for businesses

Although messaging apps are convenient and make for quick work and communication, they are not always the safest route. Popular workplace apps include Microsoft Teams, Slack and WhatsApp.

Teams and Slack are built for collaboration and integration within their ecosystem of business applications. They’re not inherently built for secure business communication that meets rigorous regulatory and compliance requirements such as GDPR, HIPAA, and more. WhatsApp is a consumer-grade app made for communicating with friends and family, not necessarily for work-related content.

When using apps such as these, the transferring of data, files, attachments and general conversations can be at risk of landing in the hands of hackers. These applications are not end-to-end encrypted, meaning that the messages can be decoded and accessed or read before the recipient has even opened the message.

Beyond messages, information stored on these apps is also up for grabs. WhatsApp has been under fire as numerous breaches have occurred in the past year. One recent breach left the profile information of nearly 500 million users open to hackers and scammers, which can lead to phishing attacks and identity theft.

Unsecure communications can lead to huge problems for enterprises. Reputations can be dismantled, operations stalled and copious amounts of money lost.

Importance of compliance

Furthermore, these apps are not always compliant with industry standards. These standards are set in place to keep a company from exploiting its clients’ personal and private information and also to protect the business from becoming a liability.

Common compliance and privacy requirements include HIPAA, GDPR and FINRA. By maintaining a high compliance standard allows an organization’s employees to establish trusting relationships with their external partners and clients. Businesses in healthcare, banking and the legal sector should all take these requirements into consideration when adopting a messaging platform for their employees.

Those industries are at the highest risk of cyberattacks because they hold the information most valuable to hackers. Personal identification and banking information are a hacker’s crème de la crème. The largest healthcare data breach in 2022 came in October when nearly three million Advocate Aurora Health patients had their personal healthcare information (PHI) passed to Meta/Facebook due to a coding error. The second largest incident of the year was at SightCare, Inc., and came as a result of a successful hacking attempt.

This year, the price of a HIPAA violation increased to adjust for inflation. HIPAA violations are now subject to penalties of up to $60,226 per violation and up to $1,919,173 per calendar year. Unless a business has an extra few hundred thousand sitting around for penalty fines, they can’t afford to be non-compliant.

What makes a messaging platform secure and compliant

An ideal messaging platform used in the enterprise has fully encrypted protocols, meaning that no message or file, nor even the tiniest piece of data, is at risk. Knowing that enterprises often work with external groups, trust that the information shared across teams is not going to be intercepted or distributed to third parties is paramount.

Platforms can have different levels of encryption, but few are end-to-end encrypted, which is the gold standard for security. Beyond being fully encrypted, a platform for the workplace should be under the control of the CIO or the IT staff. They should be able to monitor who has access to the medium and jump in should there be any red flags of security risks or breaches. Enterprise communication includes emails, direct messages and video and voice calls.

In a fast-changing world, an organization’s communication technology needs to be updated in real time to defend against the latest threats. This also means heeding the latest compliance regulations.

Finding the secure and compliant messaging app that works best for an enterprise can be difficult. If it ensures that the one being used is fully encrypted, adaptable, up-to-date with compliance, and in the control of the trusted IT staff, an enterprise should have no risk of financial burdens or business disruption from data breaches or cyberattacks.

Anurag Lal is CEO and president of NetSfere.