Copyright © All Rights Reserved. World of Software.

Signalgate: Learnings for CISOs securing enterprise data | Computer Weekly

News Room
Last updated: 2025/05/02 at 4:21 AM
News Room Published 2 May 2025

It seems like an eon ago, but it has only been a few weeks since top US defence officials used the Signal messaging platform to communicate about an upcoming US military operation and mistakenly added a journalist to the group chat. And news subsequently came to light that the US secretary of defence may have also used Signal to share sensitive military information with his wife, brother, and personal lawyer. What can CISOs learn from this potentially fatal error, and what does best practice look like when securing communications?

The events have highlighted the importance of data security: keeping sensitive information secure and out of the hands of bad actors, especially when a lot is at stake. They demonstrate the importance of following data security first principles. The core data security first principles are Confidentiality (protecting data from unauthorized disclosure), Integrity (safeguarding data from unauthorized modification), and Availability (ensuring data is available to authorized users when needed). Drilling down from Confidentiality into data loss prevention and insider risk, the core problem is “keeping the data in”.

Data got out during the “Signalgate” episode, and the news highlighted the incident for exposing what should have been protected information; leaking military secrets and operational details can compromise mission security and put service members’ lives at risk. From a CISO standpoint, it represents a data leakage event not too dissimilar from an executive inadvertently adding an outside party to confidential information, including an electronic conversation that touches on intellectual property, upcoming financial results, or a pending merger or acquisition, that would have repercussions if shared outside of intended recipients.

For a CISO, sensitive data loss episodes can have reputational, financial, legal, and regulatory consequences. CISOs need to have their data leakage defences and insider risk protection programs in order so they can answer the question, “why didn’t we stop this compromise?”.

Establish and enforce clear policies and good security awareness training

The US Department of Defence has rules around using Signal (TLDR: the DOD memo prohibits the use of personal accounts or apps for official business involving sensitive information), but apparently the secretary of defence decided not to use one of the secure communications tools available to him. He also may have been unaware of some of its risks, including the exposures it could bring as some participants in the chat were traveling and using different networks.

Organisations need to establish clear policies, communicate from the top to affirm those policies, and engage security awareness training to make certain that teams absorb the policies and recognize and navigate cyber security risks. 

A big reason for establishing security policies is to avoid data leakage. Given permeable enterprise network perimeters and the variety of devices used by workers, enterprises need to establish and enforce data security policies. 

Cultivating a healthy security culture

Policies are needed to ensure that everyone knows what is appropriate and inappropriate, but leadership needs to reinforce those policies on a day-to-day basis. If a leader does not walk the talk, that signals (forgive the pun) to the organisation that they do not need to take the policies seriously.  The resulting lackadaisical security culture will end up costing an organisation when the lax approach to information security results in a loss of sensitive data.  

During World War II, the US had a “loose lips sink ships” propaganda campaign to establish and maintain a security culture for defence industries. People took it seriously because of a healthy security culture. Employees are likely to smirk at internal data security campaigns and policies if they don’t see leadership also toeing the line.

DLP across potential data loss vectors, existing and emerging

Security teams need to think through their data loss prevention strategy and deploy appropriate controls across their environment. That typically means solutions across vectors including email, endpoints, messaging apps (Slack, Teams, etc.), and generative AI (GenAI) infrastructure. While some of these vectors are well known, others like GenAI apps and agentic AI are still emerging.

CISOs need to consider new loss vectors that arrive with the adoption of GenAI with large language models (LLMs) and emerging agentic AI deployments. Sensitive enterprise data can inadvertently train a model, resulting in a potential data leak, or an employee may use sensitive data in a GenAI prompt. And without adequate security controls, a whizzy new AI agent may become a vector for data loss and fraud.

CISOs should get ahead of the game by collaborating with their lines of business to make certain new GenAI apps and AI agents are rolled out in a secure fashion.

Are encrypted platforms like Signal secure?  

Every platform has its security nuances, but Signal has demonstrated itself to be a robust, end-to-end encrypted communication platform for mobile devices. The Signal team has been diligent in ensuring security of their platform. Signal is for personal communications and there is no DLP solution for Signal. From an endpoint security standpoint, if the endpoint sending or receiving the message is compromised, then the communication could be compromised. And if someone inadvertently includes the wrong party in a chat, then those communications would also be compromised (see Signalgate comments above).

CISOs navigating their own ‘Signalgate’ episodes need to communicate the limitations on data loss and insider risk programs given the current policies and technologies.  If executives (or other members of the workforce) do not permit DLP technologies on their personal devices, the risk of a downstream compromise increases. 
