Workplace Tech: Choosing Apps For Secure Communications

With ‘hybrid working’ now a way of life for many, the NCSC has published risk management advice on using communication apps.

With ‘hybrid working’ now a way of life for many, the NCSC (National Cyber Security Centre) has published risk management advice on what organisations should think about before choosing and using communication and collaboration apps for use on ‘corporately provisioned and managed’ devices. The guidance should be used by organisations looking to use, deploy, and understand the risks of adopting a range of popular Software as a Service (SaaS) applications.

Step 1: Establish the business context in which the app will be used
Users like the familiar. More specifically, they like what they use on their own devices, and they may prefer an app running on their personal phone to something that is corporately available. Existing corporate solutions are usually rejected because they provide a poor user experience, are incorrectly configured, or rest on an underlying architecture that cannot support effective communication. When adopting new software, the first step is to ask whether there is a genuine business case for the app: will adopting a new communication process benefit the organisation as a whole?

Step 2: Research the app you intend to use
Have other organisations (such as other governments, academia, the IT industry and the technical media) conducted any security reviews of the app in question?

Be particularly wary of claims about end-to-end encryption, as it usually only refers to the data in transit, and will likely not apply to the backup of messages and related communications (i.e. the data at rest). Control of the metadata accessed by the app must also be assessed. Check the User Agreements to see what the supplier will do with the data and establish an acceptable level of risk.

Can the app settings on the user’s device be controlled by your organisation? If they are wholly controlled by the user, then you will need to trust your users to keep the settings you have advised in order to protect your organisation. Finally, and importantly, you also need to make sure the app provider is GDPR compliant.

Step 3: Configure the app to minimise risk
So you’ve approved the business case and researched the app, and you still think the app is suitable for your organisation. In which case we’d recommend the following:

• Limit the use of the app to only those users who have a business need. The fewer people who use it, the easier the risk will be to manage.
• Understand the default privacy settings that the app applies and set these to ensure the most appropriate privacy settings are in place.
• Control system-level access permissions for the app so that it is granted only those accesses essential to your business.
• How are messages and collaborative data backed up? If they are to a cloud service, are these provided by the end-user device or the app? Are you confident this offline storage is secure enough for your business?
• Develop clear procedures so that users understand that it is their responsibility to maintain privacy settings. If possible, establish procedures that will allow you to audit these settings.

Step 4: Document your decisions
Record why you have chosen the app (rather than one that is already available on your enterprise or you have assessed using the NCSC SaaS guidance). Record your risk assessment of what you require users to do when using the app, and what you will do should a breach occur.

One of the most significant challenges remaining to the organisation will be the lack of enterprise integration of the apps on corporately provisioned devices. The locate global incident management and communications platform integrates with existing software to provide a secure and audited means of communication.

To learn more about how we keep our data secure, our integrations or onboarding processes, or to find out more about the platform itself visit www.locate.global.