As if you, your admin, office computer whiz and your IT team didn’t already have enough threats to securing communications and keeping personal and business data protected.
In 2016 and 2017 we experienced more hacks, attacks, data breaches, exploits and cybersecurity threats than any of us could keep track of. One recent, little-noticed exploit — but nonetheless extremely dangerous and impactful — was when hackers found an old security opening in standard copies of Microsoft Word applications, which sit on virtually all of our personal and business desktops.
In case you haven’t yet heard about this Microsoft exploit — or, if you’re reading this post a few months after it happened — chances are you don’t even remember this attack because hackers have already launched a dozen more since. The exploit or hack leverages an old Microsoft Office feature called DDE (Dynamic Data Exchange), which has been used in the wild to distribute malware to unsuspecting users.
According to news reports, the hack requires unsuspecting recipients of the malware to click on a phony dialogue box or phishing email, which then executes the malicious code and potentially steals or extracts data from the victim’s machine. High-profile victims include mortgage giant Freddie Mac.
One obvious lesson from this latest malware attack is to make sure all of your security software is up to date as well as regularly check if new updates have come out. If you work in an office, getting your employees trained to watch out for potential hacks and cyber schemes — both on your company-issued devices and personal devices that they bring into your network — is costly but can save your company in the long run. Another important lesson is to revisit your IT team’s own practices for ensuring secure communications and secure messaging on all devices — company issued and personal — across your organization.
If you missed it, you might want to review our recently published post on “Best Practices for Secure Communications and Messaging,” to help you get started. This post will dive in a bit deeper to explore 10 secure tools and apps for protecting your communications beyond the standard Office products that we all know, use and love.
We’ll offer our picks for the most secure apps for many of the most common types of messaging, collaboration and communication that you and your employees can use at home or in their standard day-to-day workflow. After all, if even your plain-old MS Office package could be vulnerable to hackers, it might be time to beef up the security of all of your commonly used apps, tools and business solutions.
The Best Apps for Securing Your Message Communications & Data
Before jumping into our list of the most secure messaging and communication applications, it’s worth noting that most of these apps are primarily designed for individuals and small to medium-sized businesses, companies that don’t have (and, in most cases, don’t need) a large-scale in-house security infrastructure. A few of the apps listed below, however, do offer enterprise-level packages — including our own cloud fax platforms eFax Corporate and Sfax, which also have enhanced security and regulatory compliance features. Of course, it’s a good idea to contact the developers of each app to explore their security capabilities and to make sure they meet your individual personal or business needs and goals.
SECURE TEXT AND VOICE APPS
Wickr’s secure messaging is part of a larger suite of collaboration tools that include private-team chat rooms as well as secure online video and voice. What makes Wickr’s messaging app so secure is that it includes end-to-end encryption, it allows business users to set messages and other data to self-destruct after a specified timeframe, and it even offers remote wiping capability that lets company administrators remotely erase corporate data stored on Wickr apps on staff mobile devices.
Note: Wickr offers apps for both small businesses (Wickr Pro) and even enterprise users (Wickr Enterprise).
Signal is a pure-play text-messaging solution — and it’s often described as the most secure app of its kind.
Like Wickr, Signal’s messaging app uses end-to-end encryption. But Signal is also built on an open-source code base, which means its inner workings are regularly peer reviewed and audited by coders — and that means its security protocols are generally up to date and state of the art. However, as with other open-source-based products, vulnerabilities such as the infamous ‘Heartbleed’ bug can still be introduced inadvertently, so make sure to always update the app when a new version is released, and if you are a heavy user, follow their developer change logs for updates.
SECURE EMAIL APPS
Even though its user interface is simple, streamlined and easy to use right out of the box, ProtonMail’s backend platform features a complex and seemingly impenetrable series of security measures.
Because the decryption of messages sent and received through the ProtonMail service happens in the browser, ProtonMail’s own servers store only the encrypted version of its customers’ emails — and there is no key for decoding these messages on the servers, either. Also worth noting: ProtonMail allows customers to exchange secure email messages with any email address — not just other ProtonMail users.
Like ProtonMail, MailFence encrypts and decrypts its users’ email messages in the browser. As the company’s website explains, this means “It is impossible for anyone (including us) to read your emails along the line.”
As secure and easy to use as MailFence is, however, it has one drawback: Users can send messages only to individuals or businesses using the OpenPGP encryption standard (which MailFence itself is built on). Still, this is one of the most secure email apps on the market today for businesses.
We all once viewed Gmail as a personal webmail service — essentially a more sophisticated version of Hotmail, and cooler because it’s a Google product. But Gmail is now increasingly being adopted by businesses as a corporate email solution. Indeed, although many companies don’t realize it, the Gmail-for-business service allows companies to use Gmail’s platform with their own domains, allowing them to use their own corporate email addresses for their employees rather than an @gmail.com address.
And because it’s a Google product, you know that Gmail enjoys the same levels of heightened security and hyper-vigilance against cyberattacks and malware that Google’s security team applies to all of its services.
But this is not to say that Gmail is entirely free of security vulnerabilities. Hackers have discovered weaknesses in the past, and more recent reporting has found hundreds of thousands of Gmail accounts had been hacked and were being sold on the dark web.
SECURE VIDEO APPS
(Yep — that WhatsApp)
Don’t let the minimalist interface and casual style of WhatsApp fool you: The company’s security protocols are all business. And the world-wide instant messaging and VoIP application now supports video communications as well.
Developed in collaboration with encryption protocol experts Open Whisper Systems (whose technology is endorsed, if you can believe it, by Edward Snowden!), WhatsApp provides advanced, end-to-end encryption for all of its users’ messages — from texts to photos to video calls.
In fact, on the “Security” page of its website, WhatsApp explains that when you communicate with anyone over its platform — whether sending an image or conducting a live video chat — that data is secured with a lock that no third party (not even WhatsApp itself) can open. Indeed, WhatsApp creates a unique lock and key — accessible only to you and your recipient — for every message sent over its platform.
SecureVideo describes its app as “HIPAA-compliant videoconferencing,” and if you know anything about HIPAA, you know these healthcare rules are some of the strictest data privacy guidelines governing any industry in terms of electronically protected information — and they can lead to big fines for businesses who don’t comply or experience a breach. ePHI (electronically protected healthcare information) will continue to be a big talking point in 2018 as technology advances and businesses try to keep our health information secure.
A review of the SecureVideo app’s website confirms the company understands the many layers of security necessary to protect such sensitive and regulated information. The platform uses the most advanced encryption protocols — including 256-bit AES-encrypted signaling and media stream — to secure its videoconferences. It offers similarly sophisticated encryption for the app’s Secure Chat and File Sharing features. And the company even offers to sign a Business Associate Agreement (BAA) for their HIPAA-regulated customers — meaning they are confident enough in their app’s security and regulatory compliance to assume some of the legal liability under the HIPAA law.
SECURE FAX APPS
For two decades eFax Corporate has been a pioneer in secure business faxing online — helping companies securely send and receive faxes by email, through an intuitive web portal, directly from their productivity apps like SAP and salesforce.com, and even straight from their mobile devices.
A HIPAA compliant cloud fax solution, eFax Corporate’s secure fax app also helps businesses in other regulated industries — such as financial services, legal, real estate, education, manufacturing, transportation, etc. — better comply with their regulators’ demands for secure messaging and communications.
eFax Corporate uses only the most advanced encryption protocols for fax data both in transit (Transport Layer Security, or TLS 1.2, which is the latest published version of the IETF standard) and at rest in storage (256-bit AES encryption), and further secures its customers’ data at state-of-the-art, geographically redundant Telco-grade data centers. The application also provides access controls and audit trails, which are necessary components of the HIPAA regulations, and the company will sign a BAA with customers to back up those claims.
The reason eFax Corporate fax-over-SMTP email is secure while others aren’t is that the authentication and encryption process is strictly enforced; if the other end of the connection does not support the strongest encryption cipher suites required by the TLS standard, the connection will not be made and the communication stops. The company’s unmatched fax data security is one reason eFax Corporate is the cloud fax partner most trusted by the Fortune 500.
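What "strictly enforced" means for an SMTP client, as an added Python example (not eFax Corporate's code and not part of the original post): the client upgrades the session with STARTTLS to at least TLS 1.2 with certificate verification, or aborts before any message data is sent. The helper names, the `TLSRequired` exception and the TLS 1.2 floor as a policy setting are assumptions made for this illustration.

```python
import smtplib
import ssl


class TLSRequired(Exception):
    """Raised when the peer cannot meet the mandatory TLS policy."""


def strict_tls_context() -> ssl.SSLContext:
    # create_default_context() turns on certificate and hostname verification.
    ctx = ssl.create_default_context()
    # Assumed policy floor: TLS 1.2, the version the article names.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upgrade_or_abort(smtp, ctx: ssl.SSLContext) -> None:
    """Enforced mode: upgrade the session to TLS or raise; never fall back."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # An opportunistic client would carry on in cleartext at this point,
        # so a missing or stripped STARTTLS capability would go unnoticed.
        raise TLSRequired("peer does not offer STARTTLS")
    try:
        # The handshake fails if the peer cannot negotiate the floor
        # or presents a certificate that does not verify.
        smtp.starttls(context=ctx)
    except (ssl.SSLError, smtplib.SMTPException) as exc:
        raise TLSRequired(f"TLS negotiation failed: {exc}") from exc
    smtp.ehlo()  # re-read the capabilities over the encrypted channel


def send_enforced(host: str, port: int, sender: str, rcpt: str, msg: str) -> None:
    # MAIL FROM / DATA are only issued after upgrade_or_abort() succeeds.
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        upgrade_or_abort(smtp, strict_tls_context())
        smtp.sendmail(sender, rcpt, msg)
```

The difference from opportunistic TLS is the `raise` in the no-STARTTLS branch: delivery fails loudly instead of downgrading silently.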
Another favorite among heavily regulated organizations that need to transmit highly sensitive data by fax, Sfax is, like eFax Corporate, a HIPAA-compliant cloud fax solution for personal use or for use by businesses of any size that undergo the rigorous HITRUST evaluation every year.
Also like eFax Corporate, Sfax employs a wide range of security, access, and data-encryption protocols to protect its customers’ faxes from the second they begin their transmission journey over the Internet, and for as long as they remain archived and stored on an Sfax cloud server in a Telco-grade secure data center. Sfax will also sign a BAA for its HIPAA-regulated customers, reflecting the company’s confidence that its security infrastructure is as good as bulletproof.
SECURE FILE SHARING APPS
ShareFile (from Citrix)
For sharing documents, presentations, spreadsheets and other files over the Internet, you can’t get much more secure than ShareFile.
Like the other apps listed here, ShareFile secures files both for their journey over the Internet (using TLS encryption) and while they’re in storage (using the AES 256-bit standard, the strongest encryption protocol available). ShareFile has also built a physical infrastructure of Telco-grade secure data centers, which offer their own additional layers of physical and cybersecurity to protect customer data stored on its cloud servers. And finally, like some of the other secure-app partners included on this list, ShareFile’s solution will help bring its customers into a better compliance standing with regulations like HIPAA, FINRA and CFPB.
While technically not a file-sharing platform itself, Virtru is a secure-data app that lets users add layers of security to their existing apps for email and file sharing. Indeed, Virtru is the encryption add-on that Google recommends, and it offers tools to help secure your files, for example, on Google Drive and across your company’s other Google Apps.
If your company develops and collaborates on files using the Microsoft Office suite, rather than Google’s G Suite tools, Virtru offers a similar data-security app for your organization as well — helping you create, share and store your Microsoft files (including your Outlook email) more securely.
Another advantage of Virtru is the app’s simplicity. As the site explains, it makes encrypting and protecting the information you share “as easy as using Gmail.” If you’ve just started investigating secure file-sharing solutions for your company — and you want a solution to help beef up the protection of the file-sharing tools your staff is using right now — Virtru might be worth a try.
Recap of our Secure Apps for Business Blog Post
A final note. Many of the apps mentioned above incorporate layered security protocols, including strong encryption for data in transit and storage. But you should not assume that these apps are necessarily compliant with all federal regulations and are therefore able to safely transmit an individual’s personally identifiable information (PII) or other confidential data in electronic format.
That is because encryption alone is not sufficient to be fully compliant. HIPAA compliance regulations, for example, also require secure access controls and the ability to provide a complete end-to-end audit trail of every communication containing ePHI.
That would eliminate WhatsApp and others for medical-document transmissions, for example, because those tools do not maintain and provide message transmission logs.
And a final word to the wise: Any secure text, email, fax or file-sharing service that is not able and willing to sign a BAA with its customers cannot be used to transmit ePHI, regardless of how secure they claim to be.
For companies operating in the healthcare space, using them in this manner is risking serious enforcement action, including hefty fines, for non-compliance.
It is also advisable to check with the apps’ developers and security team about any other possible federal regulations that you or your company may need to adhere to, including, for example, PCI-DSS, SOX, GLBA compliance and even in-house security protocols.
It’s better to be safe than sorry, and it’s better to ask the questions first, before a regulator comes knocking.