Illustration: Natalia Novikova

You are a weak link in the chain. Signed: WhatsApp.

What about the regulations? Mail, Zoom, WhatsApp?

E-mail, Zoom, and Skype are usually the most popular tools for business communication. If there is a corporate mobile phone, messaging apps are added to the mix (the most common being WhatsApp and Telegram). And where only a corporate PC or laptop is available, employees tend to use their personal devices, such as a smartphone or home PC, to keep in touch with customers or colleagues 24/7. It seems that all of this is done for the sake of business success. But is it really?

Some companies take the liberty of not regulating the use of communication tools at all. Many don't have an internal security department or even a security manager, and the situation usually changes drastically only after the first data leak. The cause of such leaks is inadequate instruction on the use of corporate and private communication tools and devices, which leads either to leaks or to an inability to streamline the workflow. Nevertheless, even regulations and a security department don't guarantee that all risks are eliminated.
How to easily damage a company's reputation?

At the beginning of the year, we faced an interesting situation: a Palex employee found himself in a WhatsApp chat with two other people. One of the chat participants introduced himself as a linguist but soon stopped responding. Our internal security service confirmed that one of the numbers in the chat belongs to our client. The third number had once belonged to a former employee of the company, who cancelled it with her mobile service provider after she relocated. The chat had been created a few years before the incident to arrange a call with the client. After some time, the mobile provider reclaimed the phone number and sold it to another customer. Since the previous owner had never deleted her WhatsApp account, all her contacts became visible to the new owner of the number. In such a case, a whole range of incidents can follow: from simple pranks that create reputational risks to the sale of customer contacts to competitors.
Where does it stem from?

It is clear that this situation is not the result of malicious hacking but of the so-called human factor. Here we have an employee who strives to be closer to the client and sometimes gives in to the client's preference to communicate in whatever tool is most convenient for them, such as a messaging app that is already installed. This is not surprising: over the past ten years, mobile applications and web services have become enormously widespread and have taken over a significant share of what desktop software used to do. Add to that the long-standing demand for remote work, which existed long before COVID and increased staff mobility, in some cases leading to the complete abandonment of office space. Palex has had to adapt to this new reality and reconsider its approach to building workplaces for employees: from remote access to physical machines to thin clients, and from virtual machines to delivering the required services entirely through a web interface.

Employees also go looking for functions that the web client or mobile device lacks: conference-call tools to talk to a client or suppliers, data visualization tools to prepare a report, and so on. Mixing personal and corporate means of communication, they quite often register such accounts with personal phone numbers and personal e-mail addresses. And while unauthorized software installed on a corporate PC is easy to trace, the theft or deletion of a personal account used for work is almost impossible to track automatically.
How to lay down a regulation?

This incident demonstrated that our external and internal communication regulations were, quite frankly, outdated. The world has changed dramatically, and keeping an employee within the boundaries of our infrastructure while they perform their duties is becoming a mission impossible. They will always lack some tool or other, while the tools they do have will be inconvenient to use. But our experience proves that the problem is not the communication or data protection protocols, or even unsuitable tools. A chain is no stronger than its weakest link, and that link is the human being. So it is necessary to manage not only processes but also people.
The new regulations should be created taking into account the following issues:

  • Who creates an account?
  • Where do they create it?
  • For what reasons?
  • Which providers do we consider safe?
  • When and under what conditions are the accounts passed on?
  • What happens to the account after the dismissal of the employee?
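The questions above only help if they are checked regularly against an inventory of work accounts. The following is an added example, not Palex's own tooling: it runs a small policy audit over a constructed register of third-party accounts, flagging accounts registered with personal identifiers, on unapproved services, still active after the owner has left, or bound to a phone number the provider has already released (the failure mode from the WhatsApp incident). All names, numbers and services in the sample data are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Account:
    service: str                        # third-party service the account lives on
    owner: str                          # employee responsible for the account
    bound_to: str                       # phone number or mailbox it is registered with
    corporate: bool                     # True if bound_to is a company-owned identifier
    deleted_on: Optional[date] = None   # None means the account is still active

def audit_accounts(accounts: List[Account],
                   departed: Dict[str, date],
                   released: Set[str],
                   approved: Set[str]) -> List[Tuple[str, str, str]]:
    """Return one (service, identifier, problem) tuple per policy violation found."""
    findings = []
    for a in accounts:
        active = a.deleted_on is None
        if a.service not in approved:
            findings.append((a.service, a.bound_to, "service is not on the approved-provider list"))
        if not a.corporate:
            findings.append((a.service, a.bound_to, "registered with a personal identifier; cannot be withdrawn on offboarding"))
        if active and a.owner in departed:
            findings.append((a.service, a.bound_to, f"owner left on {departed[a.owner]} but account is still active"))
        if active and a.bound_to in released:
            findings.append((a.service, a.bound_to, "bound number released by the provider; its next owner inherits the account"))
    return findings

# Constructed sample register; not real Palex records.
ACCOUNTS = [
    Account("WhatsApp", "former.pm", "+1-555-0100", True),                   # never deleted after leaving
    Account("Zoom", "current.pm", "pm@example.com", True),                   # compliant
    Account("Telegram", "current.pm", "+1-555-0199", False),                 # personal phone, unapproved app
    Account("WhatsApp", "another.pm", "+1-555-0101", True, date(2021, 1, 5)),  # properly deleted at offboarding
]
DEPARTED = {"former.pm": date(2018, 6, 30), "another.pm": date(2020, 12, 31)}  # employee -> last working day
RELEASED_NUMBERS = {"+1-555-0100"}      # numbers the provider has reclaimed and can resell
APPROVED = {"WhatsApp", "Zoom", "Email"}

if __name__ == "__main__":
    for service, ident, problem in audit_accounts(ACCOUNTS, DEPARTED, RELEASED_NUMBERS, APPROVED):
        print(f"{service:10} {ident:18} {problem}")
```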
And what about the internal security service?

All of the above is aimed at preventing ill-considered actions by employees that lead to problems of varying complexity. But what about deliberate theft of data? This question is much more complicated, and it most often comes down to resources and feasibility. Weighing the risks and opportunities, we adhere to the basic rule established by our security service: strict evaluation of suppliers. When checking third-party web services and their security protocols, we study the service's security policy, check its compliance with the ISO 27000 international standard, and look carefully at whom we are signing up with when registering an account. If you do not evaluate your suppliers, sooner or later you will face your data being diverted to a third party, whether maliciously or quite legitimately. How often do you tick "Yes, I agree" under a security policy without reading it?
What is an employee responsible for?

Although some think it superfluous to mention how important it is to instruct newly arrived employees on their responsibility for data security, in 90% of cases there is only one reason for leaks - lack of awareness. Each Palex employee signs a Non-Disclosure Agreement, which sets out in great detail the responsibility for both deliberate and unintentional disclosure of trade secrets. Instructions from internal security follow. However, alongside all the corporate regulations, the employee's common sense and attitude are crucial. Now that our rules have been adapted to the new reality and allow an employee to register for work purposes outside the corporate infrastructure, responsibility for the safety of the data falls solely on the employee's shoulders. Handing over a work account on a third-party service to the wrong person by mistake, or not deleting it after dismissal, is equivalent to disclosing data protected as a trade secret. The same goes for transferring contacts of customers or suppliers, or internal documents, through third-party services. If a leak occurs, liability applies.
How to convince a client to stop using "convenient" tools of communication?

We now take it for granted that we must communicate with a client through work communication tools - corporate mail, not a personal mailbox - because you represent the company. Why should other tools be treated differently? These issues deserve more attention when training new employees. Responsibility must be documented and, just as importantly, understood and accepted by the employee.

The clients themselves impose information security requirements on their suppliers. Among our clients there are many companies working in the medical field. Regulators put pressure on them, and that pressure is passed on to us. HIPAA, GDPR, and other acts become guidelines for LSPs (language service providers), since many of our clients handle the personal data of patients, for example during clinical trials. For this reason our clients have an interest in communicating through secure internal channels; sometimes they simply haven't realized it yet. So it is not hard to explain why communicating via corporate mail is the less convenient but safer option.
Our partner Oxygen Forensics, a cyber security expert, commented on the situation:

The easiest way to avoid security issues with various apps and other communication sources is to use a business phone, not a personal one. Today it is uncommon to communicate with clients using a personal mailbox. Corporate mail is commonly used everywhere, but for some reason a business phone is still a rare thing. However, it plays the same role for company security - if an employee is dismissed, the mailbox and the phone number are withdrawn and blocked or transferred to another active member. Thus the main risks are reduced, such as unintentional (as in this case) or deliberate leakage of the customer base to third parties, inappropriate communication with customers, and others. Besides, it is always better to use apps specially designed for businesses. For example, WhatsApp Business is aimed at small and medium business communication with customers.