In March 2025, an editor-in-chief from an American media outlet and publication was inadvertently added to a Signal group chat with senior US officials that contained classified discussions about US military plans. This incident raises an important question about how organizations can strike the right balance between the ease and speed of modern collaboration and the governance, control, and security needed to protect sensitive communications.

Omdia view

Summary

In March 2025, an editor-in-chief from The Atlantic, an American media outlet and publication, was inadvertently added to a Signal group chat with senior US officials, including the US Vice President, Secretaries of State and Defense, and the National Security Adviser. The chat contained classified discussions about US military plans. The issue elevates an important debate into the mainstream public consciousness: how can organizations strike the right balance between the ease and speed of modern collaboration and the governance, control, and security needed to protect sensitive communications?

Signal is not approved for classified communications, so why was it being used?

Signal is a free and open source app that supports messaging, voice, and video calls. The app boasts end-to-end encryption and only message senders and receivers can read the messages – no contacts, locations, or messages are retained by Signal. While it is a secure app that is commonly used by journalists and even government officials, it is not an app sanctioned for any classified US government communications. Messaging apps used for these purposes commonly need to meet certain criteria and support certain features, including government security certifications (e.g., FIPS compliance), auditing or logging features, controlled infrastructure, and verification of identity beyond just a phone number. So, this raises an obvious question: why was Signal being used for sensitive communications by US officials?

The answer is that people tend to favor apps built for convenience over those designed for secure and classified operations. Traditional enterprise-grade messaging and communication systems are secure, but their security has often come at the expense of the user experience. Officially sanctioned apps may not be intuitive to use ‒ for example, they may lack important modern features or they may not be optimized for use across mobile devices. This results in employees gravitating toward alternative messaging solutions such as Signal and WhatsApp that are familiar, intuitive, and mobile-friendly ‒ but also insecure by classified standards. This is very much an example of shadow communications in action – where employees bypass officially sanctioned apps due to issues with provisioning, access, or the user experience they deliver. This is not just an issue in government either: businesses continue to struggle to deliver intuitive and mobile-centric communication experiences without compromising important security practices. For example, since 2021, in the financial sector, the Securities and Exchange Commission (SEC) has been focused on shadow communication breaches where apps such as WhatsApp and personal email have been used over official and auditable solutions. Almost $3bn worth of fines have been imposed on these institutions over this time. This US intelligence and Signal leak shows how a single weak point (a mistyped number or use of an unauthorized app) can have massive reputational, financial, and security implications.

Optimally balancing communication convenience and control is vital in the modern world of work, and CCPs can help

The important lesson here is that balancing security with usability is vital when it comes to modern business communications. Communication compliance platforms (CCPs) are one way in which businesses can address the issue. These platforms enable businesses and regulated organizations to maintain security and compliance across a range of different communication apps. These platforms support policy enforcement over which communication channels can be used based on the sensitivity of the conversation, suggesting an alternative communication app based on the nature of the chat. A CCP also ensures that communications are tied to verified and managed identities, which means that a third-party participant (for example, a journalist) could not be added to a communication channel. Even where a solution such as WhatsApp or iMessage is used for communications, a CCP ensures that conversations taking place are recorded, logged, and auditable. This is vital from a compliance and governance perspective, as it ensures businesses are not exposed to the fines and sanctions imposed by institutions such as the SEC. CCPs also support businesses in delivering the mobile-centric communications that extend across both personal and corporate device ecosystems that employees increasingly gravitate toward.

CCPs support a different security and user experience proposition when compared to the legacy approaches businesses have traditionally employed in securing sensitive communications. For example, CCPs enable internal employees to message external contacts across solutions such as WhatsApp and Signal, but the messages can be captured, logged, and subjected to the necessary governance policies. This is in stark contrast to traditional approaches that usually involved IT teams rolling out a dedicated clunky secure communications app or, even worse, blocking the use of popular messaging apps altogether. This may have met a security mandate but the reality is that this process would have introduced a level of friction that resulted in users just migrating communications to a consumer app without the knowledge of internal IT or security teams. While security and IT teams believe they have taken the necessary steps and enforced the appropriate policies, this is not enough and their business remains exposed to fines and repercussions, such as those levied by the SEC that we explored earlier. As advanced messaging technologies such as RCS become more pervasive, the risks will also diversify, making this a vital issue that businesses must address now.

The crucial role of new technologies in shaping the future of secure business communications

For enterprise communication vendors, it is important that security and compliance features are not developed or offered as a bolt-on but are a core element of the collaboration experiences they support. Enterprise communications have become a complex discipline to understand and navigate for businesses. As part of their customer support and go-to-market efforts, vendors and service providers delivering these solutions must focus less on features and functionality and more on the value and challenges their capabilities help businesses overcome. From a technical perspective, it is also important that the industry moves away from fragmented approaches to supporting and managing communications. In meeting the needs of a modern workforce, a typical organization must now provide and manage communications that extend across channels, including native mobile, in-app experiences, and fixed options. The variety of different tools and management portals businesses must work with is confusing and leads to security, administrative, and user experience issues. For collaboration giants such as Microsoft Teams and Zoom, this means rich integrations with specialists in communication compliance, including the likes of LeapXpert, Movius, TeleMessage, and Symphony, will be important. There is also a big opportunity for service providers and telcos to create advanced communication solutions that combine these different capabilities as part of a consolidated service and licensing structure, which better addresses the needs of modern organizations and their employees. Beyond the technology itself, providers should implement pre-developed governance policies and workflows within their solutions that strengthen communication compliance and audit practices. Dashboards and reporting mechanisms that improve awareness and administrative processes are also vital in ensuring optimal governance over communications.

To conclude, the Signal leak underscores the critical need for businesses across all industries to strike a balance between intuitive and engaging communication experiences and secure, governed processes. Solutions that empower employees to communicate freely, intuitively, and securely across multiple channels are well positioned to make a significant impact in the enterprise communications landscape.

Appendix

Author

Adam Holtby, Principal Analyst, Workplace Transformation
