What Uber Got Wrong (and Right) About Secure Enterprise Messaging
Uber execs are under fire for using an encrypted chat app that allows users to automatically “disappear” messages. Although the company was smart to use encrypted messaging, it also made some mistakes – and Uber’s example provides important lessons for other enterprises interested in a more secure way to share information and data.
In November, it was revealed that top executives at Uber relied on Wickr to hold privileged conversations. The information emerged during pre-trial hearings in the self-driving technology lawsuit between Waymo and Uber. Attorneys accused Uber executives of using Wickr’s ephemeral messaging to discuss trade secrets stolen from Waymo.
The use of ephemeral (or “disappearing”) messaging isn’t illegal. Employees and business leaders sometimes use this technology to share sensitive information. The problem was that Uber failed to archive information that could later be relevant for litigation or regulatory compliance.
Uber did several things right
Legal ramifications aside, it’s important to know that Uber’s decision to use encrypted messaging technology wasn’t entirely off-base. As the president and CEO of NetSfere, a leading secure mobile messaging solution for enterprises, I can honestly say there are several things Uber did right.
- Relying on secure encryption – Uber’s decision to rely on secure encryption for work-related messaging was spot on. Given the consequences for the loss of sensitive company and client data, end-to-end encryption is a must whenever files or messages are exchanged in the enterprise.
- Using messaging to share sensitive information – There’s no reason why messaging technology shouldn’t be used to share sensitive or protected information. The caveat is that organizations must use a secure messaging platform that has appropriate safeguards to enable compliance with company policies and regulatory requirements.
- Communicating with external stakeholders via messaging – Messaging isn’t just for communication between team members; it’s increasingly being used for communications with partners, clients and others outside the organization. Although it’s not entirely clear how Uber execs used Wickr, it’s possible that they used messaging to share information with people outside the organization – and if they did, it was a smart move.
But there are also several things Uber did wrong
Even though Uber used the professional version of Wickr, neither the platform nor the way it was used was appropriate for the enterprise. Here’s what Uber execs got wrong in promoting and using this technology.
- Choosing the wrong platform for the wrong reasons – Richard Jacobs, a former Uber security analyst, recently testified that Uber employees were trained to use ephemeral messaging apps so their conversations would be irretrievable for future litigation. The motivation for selecting a secure enterprise messaging solution should be to protect sensitive information and data from theft – not to facilitate clandestine messaging or avoid legal responsibilities.
- Failing to properly archive data – Again, Uber isn’t in trouble for using Wickr – it’s in trouble for failing to archive conversations and data that would likely be relevant in future litigation. Enterprises have a responsibility to preserve certain types of information (especially in regulated industries). To meet legal and regulatory requirements, your messaging technology should enable centralized data storage.
- Inadequate IT controls – It’s uncertain what role IT played in the Uber story. But when the new CEO realized the company’s messaging technology operated outside of IT control and compliance requirements, he banned the use of these types of messaging apps in the organization. At a minimum, your organization’s messaging platform should empower administrators to enforce policies and implement controls that prevent inappropriate data sharing and compliance violations.
Secure enterprise messaging offers a better solution
Uber’s decision to ban Wickr and other apps in the wake of its legal troubles is only half right. For enterprises, completely banning the use of messaging technology is neither a practical nor a realistic solution. Instead, Uber should make a more appropriate enterprise messaging tool like NetSfere available to its employees.
But ephemeral messaging isn’t the only challenge enterprise decision makers face. In today’s workplace, two-thirds of enterprises authorize the use of consumer chat apps because they don’t have a reliable way to block their usage, according to a recent study NetSfere conducted in partnership with Ovum, “Secure Enterprise Messaging in the Age of the Chat App.”
It’s not that enterprises don’t understand the risks of consumer messaging and chat apps. By now, any IT department worth its salt knows that consumer-grade messaging apps pose serious risks to security and compliance. The problem is that enterprises struggle to stop employees from using chat apps because they offer features that are ideal for business communication.
If nothing else, Uber’s story shows that encrypted messaging has value in the workplace. NetSfere offers a better solution than either consumer or ephemeral messaging solutions because it offers the features of consumer chat apps as well as enterprise-level security and controls.
The big lesson enterprises can learn from Uber is simple: Implement a secure enterprise messaging platform like NetSfere with centralized data storage and administrative controls or suffer legal and regulatory consequences later.