To understand more about the challenges facing employers, Digital Journal spoke with Dr Datskovsky, who is an internationally recognized information governance, privacy, compliance, security and artificial intelligence expert. Galina discussed the challenges of remote communications, increased demand for bring your own device (BYOD) and secure messaging.
Digital Journal: How has the coronavirus situation altered the way of work?
Datskovsky: If you didn’t already have a plan for communications and collaboration with remote working colleagues and clients, coronavirus made the decision for you. The shift to distributed workplace models has been underway for a long time, and the Covid-19 crisis has simply accelerated the trend. It’s more important than ever to keep lines of communication wide open, between employees, as well as between a company and its partners and customers. The sensitive information that’s shared via workplace collaboration tools and communications platforms is an attractive target for hackers and cybercriminals who might introduce malware to steal files or eavesdrop on conversations. We see that companies are organizing their communications to ensure success around how to have leakproof conversations, securely send messages, and stay in control of information all while remaining compliant with data protection and preservation obligations.
DJ: Do these changes herald a ‘new normal’?
Datskovsky: Yes, in many ways the pandemic has been a driver of change. While the last few months have been traumatic for many people and businesses, as we sort through ways to improve communications and grow an even more collaborative mindset, the ‘new normal’ may be good for businesses and push them forward faster. For example, a healthcare services provider that offers palliative and hospice care services uses Vaporstream to handle internal communications, especially during emergencies like hurricanes and even lava flow events. Like so many providers of essential services, they need reliable messaging tools so they can share confidential patient information with care team members and collaborate in a way that complies with the data-handling and -storage requirements of HIPAA. When the Covid-19 crisis happened they were ready because Vaporstream is a part of how they work every day. From that perspective, it’s becoming clear that best practices for communicating in a crisis are now the new normal for all of us.
DJ: How are technological challenges being addressed?
Datskovsky: Hope is not a strategy. People and businesses were forced into this mess very quickly, with little time to prepare and test. So, processes are being devised on the fly. Take Zoom, for example. People flocked to Zoom, which turned out to have many security issues. Infrastructure vendors, such as Microsoft and Amazon, have experienced unprecedented bandwidth demands as have the likes of Verizon and Netflix. The next phase of addressing the tech challenge is to create an environment of lasting and substantial change that optimizes for the right things—privacy, security, compliance, continuity—rather than for short-term incentives which have turned out to be a costly burden to business. Companies need to establish solid cyber-hygiene practices, and ensure the right policies and tools are in place to support them. This is the only way we will continue to innovate and do our best work, with the freedom to move at the speed we want, while living in the new normal. It’s exhilarating to think about.
DJ: What are the main security risks associated with remote working?
Datskovsky: Not having sufficient security on home computers or WiFi, as it may be left to the discretion of the employee, certainly comes to mind. But that is just the tip of the iceberg. People tend to store information on local drives, which violates many rules and regulations. People tend to use unsanctioned apps, which may be non-compliant, violate privacy or be prone to hacking or leaking. Businesses need to provide their employees with equipment and applications that are preset with the appropriate safeguards, as well as issuing strict guidelines for security in a work-from-home environment. Many financial institutions and other large corporations already have such guidelines in place, but others are still trying to catch up.
DJ: What are the challenges around BYOD?
Datskovsky: Bring your own device (BYOD) is a wonderful concept. People do not like to have multiple devices—a personal and a work mobile. When we designed Vaporstream we understood that there are a number of challenges that both employers and employees need to be aware of around BYOD.
First, it is important not to use unsanctioned applications for work purposes. The business may need to keep a record of certain communications, and may operate in a regulatory environment that prohibits using personal devices and personal phone numbers in the workplace or when conducting business. This should be clearly outlined in any BYOD policy and transmitted to employees. Secondly, work and personal data should never be commingled. In a judicial context, for example, should a discovery motion be made, or should records need to be produced, the employee may find their phone temporarily—or worse, permanently—impounded. Finally, it is unlawful, for example under GDPR, for employers to ask employees for their personal phone numbers, thus making it potentially harder to communicate using apps that require phone number registration.
It is possible to create work and personal partitions on devices using, for instance, MDM (mobile device management) software. It is also worth remembering that if employers do not have an MDM solution in place or their employees utilize technology like ephemeral messaging, it is difficult to collect any data from an employee’s device, particularly if the employee leaves the organization. This can be problematic in terms of maintaining secure and compliant custody of PII, PHI and other sensitive data. Clear policies and procedures are imperative.
DJ: How vulnerable are messaging services to cyberattack?
Datskovsky: Messaging services are like all other applications in that some are more vulnerable than others. Sharing sensitive business information from smartphones, tablets and laptops may be convenient, but it’s also risky. Hackers frequently impersonate people in phishing emails, SMS phishing or “smishing” is a growing threat, and texts are often shared without permission—not to mention the ease with which malware can be inadvertently downloaded to a device. The fact is, while end-to-end encryption protects against man-in-the-middle attacks, it gives people a false sense of security. Messages protected by this type of encryption can still be posted on Facebook, shared with unauthorized parties, and accessed by your messaging service provider or even their partners. Governments, as we’ve seen in the case of China and other authoritarian regimes, can even subpoena data from said providers. It is hugely important that both people and the businesses that employ them consider these vulnerabilities when they choose a messaging service. Vaporstream gives you complete control over how sensitive business information is stored, shared, deleted and retained—and with whom you choose to communicate—so that you can securely and privately share it.
DJ: What are the aims of Vaporstream?
Datskovsky: Vaporstream is a messaging platform that provides totally private, secure and compliant communications for the enterprise. It puts complete control in the hands of the sender, while balancing protection of sensitive information with corporate governance and oversight. Preventing data propagation to unintended recipients, Vaporstream makes it possible to delete a message on all devices that received it, and to prevent data and images from being uploaded to the cloud and from being stored on devices. In addition, it allows organizations with regulatory requirements or specific legal holds to archive a single copy of a message to a client-specified repository. With Vaporstream, which is available for both mobile and desktop users, data is always encrypted both in transit and at rest. Vaporstream is trusted by companies and organizations across healthcare, energy, higher education, government, and other highly regulated industries, as well as firms in financial services, insurance and legal.
DJ: How did you develop the technology?
Datskovsky: While encryption is heavily commoditized, privacy controls are still sorely lacking from many messaging platforms. Security-minded developers of communication platforms were focusing all of their attention on endpoint security (in the case of mobile messaging: the mobile device) as early as 2015. This left the compliance needs of most enterprises unanswered. Most companies, especially those operating in regulated environments, were forced to ban mobile messaging altogether from their workforce. Vaporstream set out to re-invent mobile messaging in a way that provides privacy to the end users and allows enterprises to remain compliant without sacrificing security. We added Emergency Notification capabilities, Workflow Automation and Enterprise Integration features which allow our customers to fully utilize their mobile workforce across many industries.
The platform was built for the mobile market supporting iOS and Android devices and with support for Windows and Web users that are so common in a corporate setting. We leveraged available cloud technology, from Amazon Web Services and Azure, which allows us to benefit from reliability, scalability and security necessary for an enterprise application. We continue to enhance failover and redundancy within our cloud infrastructure and across multiple cloud providers.