Employees of financial services firms often use insecure mobile applications in the workplace, a new U.S. study found

By Danny Bradbury | December 2015

MOBILE MESSAGING APPLICATIONS are replacing text messaging as a communications platform on smartphones, with services such as Viber, WhatsApp and Snapchat having become commonplace. But the use of these apps could represent major headaches for financial services companies.

A recent survey by Arlington Heights, Ill.-based Infinite Convergence Solutions Inc. (ICS) of 500 professionals in the U.S. finance, banking, health-care, retail and legal sectors found that employees of financial services firms often use insecure mobile messaging apps in the workplace, potentially putting their firms at risk.

In the financial services sector, 95% of employees used mobile messaging at work at least a few times a week, but only 62% of firms have an official third-party messaging platform.

That's a problem, says Anurag Lal, CEO of ICS, which sells messaging and mobility systems to corporations: "Based on conversations we're having with our finance customers and prospects, employees in the financial services sector are inadvertently communicating sensitive and private information by communicating via consumer-facing messaging apps."

Consumer-facing messaging apps typically aren't enterprise-ready, warns Mark Nunnikhoven, vice president, cloud research, with Tokyo-based cybersecurity firm Trend Micro Inc. in Ottawa. Mainstream users of these apps have a baseline of simple expectations, he says, including that their messages reach the right person and that they can tell when the message has been read.

"Corporate expectations go beyond that," Nunnikhoven adds, "[including] that the message is also read by the institution for compliance purposes."

The compliance issue is a potential concern. The Investment Industry Regulatory Organization of Canada's Regulatory Notice 11-0349 and Rule 29.7, which focus on record-keeping and supervision requirements for client correspondence, state that all information must be retained for a period of five years from the date of creation.

Even digital communications not made directly with a client are subject to regulation. The Ontario Securities Commission's National Instrument 31-03 requires financial services firms to archive any records relating to "buy and sell transactions, referrals, margin transactions and any other activities relating to a client's account."

Nunnikhoven cites a study from the Electronic Frontier Foundation (EFF), a San Francisco-based digital rights group, that evaluated several mobile messaging apps for security and privacy purposes. The following seven criteria in the study, he says, should be at the top of every financial services firm's list when considering the use of a messaging app among employees:

1. Are messages encrypted in transit?

2. Are messages encrypted so that the provider can't read them?

3. Can you verify contacts' identities?

4. Are past communications secure if your encryption key is stolen?

5. Is the code open to independent review?

6. Is the security design properly documented?

7. Has there been any recent code audit?

Even when financial services firms mandate an official third-party messaging platform, it isn't always secured properly. One in five employees surveyed by ICS said WhatsApp was their firms' officially sanctioned chat system, but WhatsApp can be particularly problematic from a privacy and digital rights perspective.

Ranking Digital Rights, a project of the Washington, D.C.-based New America Foundation's Open Technology Institute (OTI), rates technology communication firms according to their terms and conditions. The OTI's study found WhatsApp lacking.

WhatsApp's performance in disclosing privacy terms and conditions and in management oversight of privacy policies is so poor that the app reduced the overall score for Facebook Inc., which acquired WhatsApp in 2014. The OTI report also includes comments from WhatsApp's technology partners that state that its Android client didn't encrypt group chats.

WhatsApp satisfied just two of the seven EFF conditions, as did Google Inc.'s and Facebook's messaging services, which are used by 18% and 16% of participants in the ICS survey, respectively.

The problem for financial services firms is that allowing personal messaging apps on smartphones used for work can encourage workers to mix personal and business communications, warns Kevin Haley, director of security response at Mountain View, Calif.-based cybersecurity company Symantec Corp.

"We're generally installing [these apps] to talk to a friend. It's very innocent, but then people say, 'This is very convenient and an easy way to speak with somebody'," Haley says. "All of a sudden, they start mixing work with play on conversations, and then it blows the roof off it all."

This trend is known as "consumerization." And it can be especially difficult if employees also use their personal devices at work through a "bring your own device" arrangement.

There are some solutions. The most important is to give employees the tools that they crave, but in a controlled environment, Haley recommends.

"If this is something that makes their job more effective, then you should be giving them some tool that they can use," he says. "But it should be a tool that you can control and that meets your policy requirements."

Traditionally, Waterloo, Ont.-based BlackBerry Inc. has provided the Canadian mainstay for secure messaging, although its plain-vanilla BlackBerry Messenger scored surprisingly poorly on the EFF scorecard, meeting only one of seven criteria. The BlackBerry Protected service, which provides separate encryption keys for each message sent, scored far better, hitting five of seven.

Another corporate messaging option with a mobile element is Microsoft Corp.'s Skype for Business (formerly Lync). The consumer version of Skype scored poorly on the EFF scorecard, but Skype for Business includes some security and archiving of messaging content.

© 2015 Investment Executive. All rights reserved.