If your SMB clients communicate using messaging apps, they may be creating a vulnerability by sending messages through a service that isn’t encrypted end to end.
A security gap in encryption gives hackers an opportunity to intercept, record or even delete a message on its path to a recipient. This could lead to stolen private or sensitive data, or even the loss of customer information. In turn, that could lead to customers taking their business elsewhere — 87% of customers say they won't do business with a company if they're worried about its data practices.
How to start a conversation with your client about the importance of end-to-end encryption (E2EE):
Make it easy to understand by explaining where the risk occurs: when messages are sent and received with end-to-end encryption, the sender’s and the recipient’s devices are the only ones that can access the contents of the message.
Without E2EE, there will be moments in a message’s journey from sender to recipient where the message content will be stored in a readable format. Those moments are points of vulnerability when a message could be accessed or otherwise intercepted by a bad actor. This could result in data loss or an information leak that could lead to a data breach.
When talking to your clients about E2EE, they may ask why other security tools don’t cover their communications. As the cybersecurity expert, you can explain how certain security measures cover data at rest, while E2EE secures data in transit.
Share these three compelling reasons end-to-end encryption is important for small businesses:
End-to-end encryption is a simple way for SMBs to strengthen their security, and for SMBs with tight budgets, it’s relatively cost-effective. But it’s not just cost or ease that will motivate your SMB client to start messaging more securely. Using E2EE can help your clients:
Increase customer trust. With nearly 90% of consumers willing to pay more for something when it comes from a brand they trust, trust is very valuable to SMBs. Part of building trust with their customers is keeping those customers' data as secure as possible and prioritizing cybersecurity measures (like E2EE) within their organization.
Add another layer to customer data security. 74% of consumers are concerned about the amount of personal data companies have on them. Securing that data should be a top priority for every SMB. Ensuring that all communications that may include sensitive data are transmitted securely increases overall security, which could lead to more peace of mind for customers.
Meet compliance requirements. Compliance standards like SOC 2, HIPAA and PCI DSS include measures that can be fulfilled with end-to-end encryption. Some standards even explicitly mention E2EE as a solution to meet requirements.
There are certain industries where E2EE is not feasible, which we discuss below.
Here's what your clients should be aware of when it comes to using E2EE:
Regulatory or audit requirements may limit some companies' ability to use E2EE. While the fact that E2EE messages cannot be accessed from the outside is a common selling point, it can be a downside for businesses with certain regulatory or audit requirements. Government entities and some financial institutions may require the ability for certain “outsiders” to be able to view messages in a regulatory capacity.
Device access is still a risk. Even when you’re protecting data as it travels and while at rest, if an attacker gains physical or remote access to a user’s device, they will still be able to view stored messages and other content or send messages using the compromised device.
Metadata could still reveal some details. While E2EE protects message contents, if unprotected, metadata could still be accessed. This could lead to an attacker viewing when and to whom messages were sent.
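To make the two points above concrete (the readable "moments" at the provider's relay when only transport encryption is used, and the metadata that stays visible even with E2EE), here is an added Go model that is not part of the original article. It assumes hypothetical users alice and bob, uses X25519 plus AES-256-GCM as a stand-in for a real messenger's protocol, and uses a bare SHA-256 of the shared secret in place of a proper KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// RelayView is what the provider's relay learns from one message: routing metadata always, content only with the key.
type RelayView struct {
	From, To string
	Content  string // plaintext if the relay's key opened the body, else ""
}

// seal encrypts with AES-256-GCM, prefixing a fresh 12-byte nonce to the ciphertext.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte key: construction cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

// open returns the plaintext, or "" when the key is wrong (GCM rejects the tag).
func open(key, body []byte) (pt string) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if b, err := g.Open(nil, body[:12], body[12:], nil); err == nil {
		pt = string(b)
	}
	return
}
func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// TransportOnly: HTTPS-style encryption; the relay holds the session key, so it reads the message at that hop.
func TransportOnly(msg string) RelayView {
	sessionKey := randomKey() // shared by the sending client and the relay
	return RelayView{"alice", "bob", open(sessionKey, seal(sessionKey, []byte(msg)))}
}

// EndToEnd: Alice and Bob agree a key over X25519 (SHA-256 stands in for a real KDF); the relay's key cannot open the body.
func EndToEnd(msg string) (relay RelayView, bobReads string) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	as, _ := alice.ECDH(bob.PublicKey())
	bs, _ := bob.ECDH(alice.PublicKey()) // Bob independently reaches the same secret
	ak, bk := sha256.Sum256(as), sha256.Sum256(bs)
	body := seal(ak[:], []byte(msg))
	return RelayView{"alice", "bob", open(randomKey(), body)}, open(bk[:], body)
}
```

In both modes the relay still sees From and To (the metadata risk), but only in the transport-only mode does it also see the message text.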
If your client is a good candidate for E2EE and they understand the potential value to their SMB, recommend a few easy-to-use tools and discuss implementation. These three commonly used tools are a great place to start implementing your client’s E2EE plans:
Text messages: WhatsApp and Signal are popular third-party apps that can be installed on most devices and offer E2EE within their platforms — note that WhatsApp is owned by Meta (Facebook’s parent company), and some information is shared between Meta companies. iMessage’s SMS messages are encrypted when sent from SMS to SMS, and Android’s Google Messenger with RCS messaging is also encrypted from one device using RCS to other devices using RCS messages.
Video conferencing tools: Both Zoom and Microsoft Teams offer the option to turn on E2EE in their settings but neither has this feature on by default.
Internal messaging apps: Microsoft Teams and Google Chat messaging are encrypted both in transit and at rest by default. Slack and Discord do not offer E2EE and use the HTTPS encryption system to secure their sites. They give administrators the ability to manage their own keys whereas E2EE manages that for users.
Educating your SMB clients and their end users about end-to-end encryption and other cybersecurity strategies is vital for defense against potential attacks. This discussion not only builds trust but also demonstrates your commitment to enhancing their cybersecurity program by proactively fortifying their defenses against breaches.
Article by: Brita Nelson
Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing message by 60%. Let’s work together to educate your end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to keep user attention and improve learning outcomes.
Learn more about our partner program and how we can support your MSP's growth!