As employees demand mobile access to the resources they need wherever and whenever they want them, some unintentionally circumvent security programs and adopt unsanctioned apps and tools simply to get the job done.
That increases risk for businesses and public-sector organizations, particularly those in highly regulated industries such as energy and utilities, financial services, healthcare, higher education and government. The use of insecure mobile apps is a problem recognized all too well by Avi Elkoni, chief technology officer and chief operating officer for Vaporstream. Chicago-based Vaporstream provides a secure communications app that it validates with NowSecure solutions and services.
A few years ago, Elkoni suffered severe burns from a household accident and was taken to the hospital by ambulance. The burn surgeon was not available to evaluate him in the trauma room, so the traumatologist pulled out her iPhone, took photos and texted them to the surgeon who was located elsewhere in the building.
“I didn’t say a word because all I wanted at that point was to get the best possible care,” Elkoni says. “But the pictures of my burns could still be on that traumatologist’s iPhone or in the iCloud to this day. No regulations were respected in the least in that story.”
Katie Bochnowski of NowSecure and Avi Elkoni of Vaporstream discuss secure messaging at NowSecure Connect 2019.
The incident illustrates what happens when you say ‘no’ too often and don’t give people the right tools to do what they want to do, explains Elkoni. Vaporstream offers enterprise businesses and public-sector organizations a mobile communication platform for confidential, leakproof and regulatory compliant conversations.
“We have customers in regulated industries — people subject to HIPAA, those who work with financial information or in energy — and they’ve been dying for years to take information and share it with their mobile devices,” Elkoni says.
For years the cybersecurity or compliance departments have been telling employees ‘no.’ In the best case, people obeyed the rules; in the worst case, they ignored them and brought their own apps to work. Now organizations can finally allow employees to do what they want and say ‘yes.’ “The secret is just the right amount of security to meet regulations and standards, then finally people can start using their devices in the way they want to use them,” says Elkoni.
For example, a Vaporstream customer in the energy industry previously circulated a form in response to immediate or urgent events. The information was generated in a web-based system, printed, and then faxed to internal and external stakeholders including vendors, service providers and local government. “We are many, many years after. It wasn’t the ‘80s, but it was the only secure way they had to transmit the form,” Elkoni says.
Working with Vaporstream, the company embarked on process engineering and regulatory reviews to replace the paper-based process. Today, the Vaporstream secure messaging app enables utility employees to transmit a PDF of the form using their mobile devices of choice.
Reassurance and Relief
Why do customers in regulated industries entrust Vaporstream to safeguard their most sensitive communications? In part, that’s because the company obtains third-party security validation from NowSecure. “Don’t just trust me that it’s secure, trust someone else,” Elkoni notes.
To that end, Vaporstream has worked with NowSecure for several years. The company engages our professional services team for mobile app penetration testing to validate that its Android and iOS apps meet rigorous security standards. Conducted annually, and for major new releases as needed, the comprehensive test run by our NowSecure experts includes a battery of static, dynamic and behavioral analysis across numerous risk vectors (see the case study). In addition, the Vaporstream Quality Assurance team relies on the NowSecure automated mobile appsec testing platform daily to test each build and flag any vulnerabilities or privacy issues.
Elkoni recalls a time when certificate pinning broke in an internal build of the Vaporstream mobile app. Pinning ties the app’s TLS connections to a known server key, so a certificate issued by any other authority, even a trusted one, is rejected; when pinning silently drops out of a build, the app still connects and nothing in ordinary functional QA fails, which is why the regression is so easy to miss. “It was NowSecure software that discovered that cert pinning was gone,” Elkoni says. “Without that, it would have been very, very difficult to find.”
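The failure mode above, a pinning check that quietly disappears while TLS chain validation keeps passing, is easy to catch with a regression test that any build pipeline can run. The program below is an added example written for this article in Go, using only the standard library; it is not Vaporstream’s app code or a NowSecure tool, and the pin format, the function names and the in-process test server are assumptions chosen for the illustration. It stands up a local TLS server with a throwaway certificate, then runs three clients against it: one pinned to the server’s public key (must connect), one pinned to a key the server does not hold (must be refused), and one with pinning removed (connects anyway, because the server certificate is in its trust store). The last case is exactly what a build with “cert pinning gone” looks like, and the third flag is what a CI gate should alarm on.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// spkiPin returns an HPKP/OkHttp-style pin, "sha256/<base64>", of a certificate's
// SubjectPublicKeyInfo. Pinning the key rather than the whole certificate survives
// routine renewals that keep the same key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedTLSConfig keeps normal chain validation against roots and additionally
// requires that some certificate in the verified chain matches one of expectedPins.
func pinnedTLSConfig(roots *x509.CertPool, expectedPins []string) *tls.Config {
	return &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, c := range chain {
					for _, p := range expectedPins {
						if spkiPin(c) == p {
							return nil
						}
					}
				}
			}
			return errors.New("certificate pinning failure: no chain certificate matched a pin")
		},
	}
}

// fetch performs one GET with the given client TLS configuration and reports the error.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// PinCheckResult records what each client configuration experienced against the same server.
type PinCheckResult struct {
	CorrectPinAccepted bool // pinned client carrying the server's real pin connects
	WrongPinRejected   bool // pinned client carrying a foreign pin is refused
	UnpinnedAccepted   bool // client with pinning removed connects anyway: the regression
}

// RunPinCheck starts an in-process HTTPS server (constructed test fixture, not a real
// endpoint) and exercises the three client configurations against it.
func RunPinCheck() PinCheckResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	// The server certificate is self-signed; trusting it directly stands in for a
	// public CA the app would normally trust.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	goodPin := spkiPin(srv.Certificate())
	// A pin for a key the server does not hold (all-zero digest, constructed): the
	// situation of a CA-issued certificate that is valid but not the app's own.
	wrongPin := "sha256/" + base64.StdEncoding.EncodeToString(make([]byte, sha256.Size))

	var res PinCheckResult
	res.CorrectPinAccepted = fetch(srv.URL, pinnedTLSConfig(roots, []string{goodPin})) == nil
	err := fetch(srv.URL, pinnedTLSConfig(roots, []string{wrongPin}))
	res.WrongPinRejected = err != nil && strings.Contains(err.Error(), "pinning failure")
	// Same trust store, no VerifyPeerCertificate: this is what a build with pinning gone does.
	res.UnpinnedAccepted = fetch(srv.URL, &tls.Config{RootCAs: roots}) == nil
	return res
}

func main() {
	res := RunPinCheck()
	fmt.Printf("correct pin accepted: %v\nwrong pin rejected: %v\nunpinned client accepted: %v\n",
		res.CorrectPinAccepted, res.WrongPinRejected, res.UnpinnedAccepted)
	if res.UnpinnedAccepted && !res.WrongPinRejected {
		fmt.Println("pinning is not enforced: fail the build")
	}
}
```

In a real pipeline the client under test is the app’s own network layer rather than `pinnedTLSConfig`, and the test server presents a certificate that chains to a trusted root but carries a key the app should not pin; if that connection succeeds, pinning has regressed. Pinning the SPKI hash, and shipping at least one backup pin for the next key, avoids bricking the app at certificate rotation.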
Solutions such as the Vaporstream communications service and NowSecure mobile app security testing tool help organizations better comply with regulations and reduce risk.
As Elkoni points out, you can’t completely eliminate the problem of employees ignoring security rules. “There will always be people who don’t care or aren’t disciplined.” But by saying ‘yes, use your device with this secure messaging app,’ an organization significantly reduces its risk exposure.
Finally, he recommends following the mantra of ‘trust but verify.’ “Anything you can do to verify security claims will put you in a better place,” he advises. For Vaporstream, that means working with NowSecure to validate, on an ongoing basis, the security of its flagship secure messaging app.