
What are off-channel communications, and how can you avoid them?

Off-channel communications happen when employees use unsanctioned or unmonitored apps for work, leaving businesses open to serious compliance failures.

December 8, 2022

It’s no secret that the coronavirus pandemic radically changed the way we work, and that many of those changes are set to stay. Hybrid work is now the new normal. 

That means employees have become accustomed to using popular consumer-grade apps to connect with their colleagues. In many cases, the use of these platforms has even extended to employee interactions with customers. As such, services like WhatsApp have now found themselves playing an increasingly important role in both internal and external business communications.

These radical changes to how people communicate at work have proven a significant headache for compliance and security leaders, particularly in highly regulated sectors like healthcare or finance. The challenge lies in ensuring accountability and compliance across channels, while also cracking down on the use of unapproved channels. Off-channel communication occurs whenever employees use unapproved and inadequately protected platforms to share sensitive information with one another or with their clients.

Regulators on the warpath

In 2022, the US Securities and Exchange Commission (SEC) fined 16 Wall Street firms a total of $1.1 billion for failing to maintain and preserve electronic communications in accordance with record-keeping regulations. This followed an extensive investigation into the use of off-channel communications in financial services companies, particularly among both senior and junior investment bankers and equity traders.

Regulators in other jurisdictions are following suit. In the UK, the Financial Conduct Authority (FCA) recently reminded organizations of the importance of maintaining regulatory compliance in the era of hybrid work. Companies must maintain appropriate record-keeping procedures, such as by archiving instant messaging chats and voice calls.

Financial institutions are squarely in the spotlight owing to the vast amounts of sensitive and confidential data they collect. Without proper regulatory oversight and robust security controls, the misappropriation of this data can quite literally undermine the entire economy. Therefore, data governance is critical for staying on the right side of the law and, by extension, ensuring continued client trust.

Privacy regulations such as GDPR and CCPA are also cracking down on the unsanctioned use of popular messaging services in the workplace. Both regulations give individuals the right to access and receive a copy of their personal data and, in most cases, to request its permanent deletion. Organizations are legally obliged to respond to these subject access requests (SARs) within 30 days.

A legally adequate response demands the ability to locate and consolidate that data, including messages sent via channels like WhatsApp. The problem is that WhatsApp messages are typically only stored on the local device. If you receive an SAR from a former customer, it may be impossible to track down any personal information belonging to them that they shared over WhatsApp – especially if the owner of the device has left the company or lost the phone. While it’s good from a privacy standpoint that WhatsApp doesn’t store chat history on its own servers, it also means it’s impossible for companies that use the service to ensure compliance with SARs. This is only possible through the use of a third-party solution that retains records for compliance and makes it possible to search for, retrieve, and capture messages across all accounts used for work.

Emerging gaps in security

The use of devices and software without the approval of the IT team carries a number of security risks, and off-channel communication platforms are no exception. After all, you can’t protect what you don’t know about, which is why off-channel communications are often exposed to social engineering attacks and other threats. Indeed, phishing scammers are more likely to target channels that are less likely to be monitored and protected by enterprise-grade security controls.

Once again, WhatsApp is one of the most common examples of a tool being used off-channel, even though it doesn’t have to be. The unmonitored and unsanctioned use of WhatsApp in the workplace is especially risky, but the service itself is also rapidly becoming mission-critical for businesses.

With more than a quarter of the world’s population using the messaging service, it’s simply too big to ignore, but that also means it’s a favorite target for cybercriminals. Organized criminal groups, such as Labyrinth Chollima and Lazarus Group – both of which are allegedly funded by the North Korean government – continue to use WhatsApp to deliver malicious payloads like ransomware and credential-stealing malware.

Account hacking and compromise are other common risks facing all business communications tools, including WhatsApp, Teams, and Slack. While all these apps have the backing of huge enterprises with dedicated security teams, there’s little they can do to stop targeted attacks like spear-phishing. This is because spear-phishing is a highly personalized form of social engineering that’s nearly impossible for even the most advanced AI-powered threat detection systems to detect. In other words, many cyberthreats are a wholly human problem, which can only be fully addressed by putting employees front and center in driving your security strategy.

Closing in on off-channel communications 

The use of off-channel communication tools typically arises from employees looking for a more convenient way to connect with their colleagues and customers. Customers themselves prefer to use channels they’re already familiar with. Thus the temptation to use unapproved apps is constantly growing. Unfortunately, it’s often employees who get the blame if something goes wrong, when in fact security leaders should be looking for ways to allow their use without introducing new risks.

While the idea of using a single platform for all internal and external communication may seem attractive, it’s hardly practical in today’s hybrid work environments, where customer needs and preferences vary considerably. Rather than banning the use of third-party communication apps, security leaders should focus on bringing them into the fold, with monitoring, governance, and archiving applied across all of them.

100% visibility is essential, and employees should recognize the need for their workplace communications to be monitored and archived. To make the jobs of security and compliance leaders easier – and more effective – it’s also important to have a single pane of glass for monitoring business communications on a given platform. For example, having the ability to monitor all WhatsApp, Teams, and Slack accounts across the entire enterprise is vastly more convenient than manually tracking down message archives and enforcing policies individually.
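A worked example, added here and not Worldr’s own code, of what the SAR passage above and this cross-platform archive amount to in practice: messages captured from WhatsApp, Teams, and Slack land in one archive keyed by work account (not by device), so a subject access request can be answered by searching every channel at once, the 30-day deadline is computed from the date the request arrived, and a deletion request is applied across channels too. The sample messages, the reserved example phone numbers and example.com addresses, and all function names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SAR_RESPONSE_DAYS = 30  # response window the article cites for GDPR/CCPA subject access requests

@dataclass(frozen=True)
class ArchivedMessage:  # one message captured into the compliance archive, from any channel
    channel: str       # "whatsapp", "teams" or "slack"
    work_account: str  # employee account that captured it; survives a lost phone or a leaver
    sender: str
    recipient: str
    sent_on: date
    text: str

# Constructed sample archive (reserved example numbers and example.com addresses, not real people).
ARCHIVE = [
    ArchivedMessage("whatsapp", "+447700900001", "+447700900099", "+447700900001", date(2022, 9, 2), "Can you update my address?"),
    ArchivedMessage("whatsapp", "+447700900002", "+447700900002", "+447700900099", date(2022, 9, 3), "Done, new address on file."),
    ArchivedMessage("teams", "dana@example.com", "dana@example.com", "alex@example.com", date(2022, 10, 1), "Sending the signed form."),
    ArchivedMessage("slack", "dana@example.com", "dana@example.com", "ops-team", date(2022, 10, 2), "Rota for next week attached."),
]

def _involves(message, ids):
    return message.sender.lower() in ids or message.recipient.lower() in ids

def messages_for_subject(archive, identifiers):
    """Every archived message in which the subject appears as sender or recipient, across all channels."""
    ids = {i.lower() for i in identifiers}
    return sorted((m for m in archive if _involves(m, ids)), key=lambda m: m.sent_on)

def sar_deadline(received_on, days=SAR_RESPONSE_DAYS):
    """Date by which the response must go out; accepts a date or an ISO string."""
    if isinstance(received_on, str):
        received_on = date.fromisoformat(received_on)
    return received_on + timedelta(days=days)

def build_sar_response(archive, identifiers, received_on):
    """Consolidate the subject's messages by channel, which is what an adequate SAR response needs."""
    hits = messages_for_subject(archive, identifiers)
    per_channel = {}
    for m in hits:
        per_channel.setdefault(m.channel, []).append(m)
    return {"deadline": sar_deadline(received_on), "message_count": len(hits),
            "channels": sorted(per_channel), "per_channel": per_channel}

def erase_subject(archive, identifiers):
    """Apply a deletion request: return the archive without the subject's messages."""
    ids = {i.lower() for i in identifiers}
    return [m for m in archive if not _involves(m, ids)]
```

The subject is matched on every identifier they are known by (phone number for WhatsApp, e-mail for Teams), which is exactly the consolidation a device-local chat history cannot give you.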

As long as your employees can get their work done, the best approach is to let them use their favorite tools – with which they’re already familiar – albeit with a transparent approach to data retention and governance. Above all, employees need to understand what security leaders are doing to protect their business communications and why.

Worldr monitors and logs all interactions that happen through WhatsApp to ensure that off-channel communications can’t happen. Book a demo today to see how it works.
