App Security Staffbase

In 2016, there were 3.26 billion internet users, that's over 40% of the world population. In addition, 96% of working Americans use new communication technologies as part of their daily life, while 62% of working Americans use the internet as an integral part of their jobs. Employee apps are following this trend and connecting workforces in locations worldwide. The apps feature fast and direct communication—an advantage for employees and employers alike—on an employee experience platform that combines all existing channels into one.

While this might sound too good to be true, one of the most important things to consider—and also the first question people ask about employee apps—is, "How secure are they?"

After all, apps get installed on private devices or work phones that your corporate IT cannot directly control. Push notifications also pass through the platform providers' infrastructure (Google for Android, Apple for iOS). So how do you make sure that the app complies with your IT security and data protection needs?

To clarify what your app should offer in terms of security, and to help you stay safe, here are 10 things you should consider in order to ensure security and privacy in your internal communications app.

1. Limit the information you put online. While, yes, the app should combine all your channels into one, and it's much easier having all the information visible with just one click, it's never smart to put your newest innovation or your company's bank account out there. Decide wisely on what you want to make visible and use the app for sharing news, the next Christmas party, a blackboard or the cafeteria menu. Not the spaceship you're building.

2. Similar to limiting the information, you should also consider how your existing intranet will be integrated. Your intranet, if you have one, holds all your company's secrets. You don't want people to have access to it from their private smartphones, and you don't even want the app to be on the same server as that information. Basically, you want them on different planets, so that information can never accidentally be accessed or moved.

The smartest solution here is to have your app running on a separate infrastructure (like our Staffbase cloud infrastructure, which is hosted on Microsoft Azure’s enterprise-grade server centers). This will prevent information from being available anywhere it should not be. If you need an integration, use standard APIs and a clearly defined integration scope so that you can be sure that only the things you want get sent to and from the app.

3. Consider the lifetime of your users’ sessions. On the one hand, it is of course easier if employees just stay logged in, but on the other hand you should define a maximum lifetime for user sessions and adjust it to your company's security policies. Especially if people are going on their “creative sabbatical,” it's not smart to have them logged in for six months while they are chilling on Mamungkukumpurangkuntjunya. That's a hill in South Australia and the name means “where the devil urinates.” I kid you not. You might consider temporarily deactivating users in such cases. Staffbase provides options for both scenarios, keeping everybody logged in as well as logging people out after five minutes.
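As an added illustration (not Staffbase code), the Python sketch below models a server-side session store that applies the two scenarios named above, a long-lived "stay logged in" session with an absolute cap and a five-minute idle timeout, and shows temporary deactivation revoking a user's sessions. The policy values, token strings and user names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: Optional[timedelta]   # longest allowed gap between requests; None = unlimited
    max_lifetime: Optional[timedelta]   # hard cap counted from login; None = unlimited

# The two scenarios the text names. Both caps are assumed values, not Staffbase settings.
STAY_LOGGED_IN = SessionPolicy(idle_timeout=None, max_lifetime=timedelta(days=30))
LOGOUT_AFTER_5_MIN = SessionPolicy(idle_timeout=timedelta(minutes=5), max_lifetime=timedelta(hours=12))

class SessionStore:
    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions = {}          # token -> {"user", "created", "seen"}
        self._deactivated = set()    # users temporarily blocked (e.g. on sabbatical)
    def login(self, token: str, user_id: str, now: datetime) -> None:
        self._sessions[token] = {"user": user_id, "created": now, "seen": now}
    def deactivate_user(self, user_id: str) -> int:
        """Block a user and revoke every session they hold; returns the number revoked."""
        self._deactivated.add(user_id)
        revoked = [t for t, s in self._sessions.items() if s["user"] == user_id]
        for t in revoked:
            del self._sessions[t]
        return len(revoked)
    def validate(self, token: str, now: datetime) -> bool:
        """True if the session may be used now; a successful check resets the idle timer."""
        s = self._sessions.get(token)
        if s is None or s["user"] in self._deactivated:
            return False
        p = self.policy
        too_old = p.max_lifetime is not None and now - s["created"] > p.max_lifetime
        too_idle = p.idle_timeout is not None and now - s["seen"] > p.idle_timeout
        if too_old or too_idle:
            del self._sessions[token]    # revoke server-side, not just on the client
            return False
        s["seen"] = now
        return True

def demo() -> dict:
    """Constructed timeline: one user under both policies, then a sabbatical deactivation."""
    t0 = datetime(2017, 1, 9, 9, 0)
    strict, lenient = SessionStore(LOGOUT_AFTER_5_MIN), SessionStore(STAY_LOGGED_IN)
    strict.login("tok-a", "alice", t0)
    lenient.login("tok-b", "alice", t0)
    out = {"strict_4min": strict.validate("tok-a", t0 + timedelta(minutes=4)),
           "strict_10min_idle": strict.validate("tok-a", t0 + timedelta(minutes=14)),
           "lenient_2weeks": lenient.validate("tok-b", t0 + timedelta(days=14)),
           "revoked": lenient.deactivate_user("alice")}
    out["lenient_deactivated"] = lenient.validate("tok-b", t0 + timedelta(days=15))
    return out
```

Deactivation here removes the server-side session records, so a device that still holds the token is logged out on its next request rather than waiting for the token to expire.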

4. Make sure to provide secure logins. You can onboard employees to your internal communications app using your corporate email domain, a private email address, or single sign-on (SSO). Single sign-on means that users sign in with their existing company login, managed by your IT. This reduces the risk of password fatigue, since the identity is not stored or managed externally or reused. With SSO, Staffbase never comes into contact with your users’ passwords. If you want a high security level, this definitely should be something your app offers. If you cannot provide SSO, or some of your employees do not have access to it, make sure to adopt a proven mechanism to get people on board.

Apart from onboarding your employees, the other step to consider is offboarding them. Employees who are no longer part of the company should ideally be excluded from the application automatically. Using Active Directory (AD) is one way to make that happen. It functions as a telephone book, holding all contact information on your employees, while enabling easy offboarding.

5. Before making the app available to everybody, decide who will have access rights to which parts and who will be able to view which content. Especially if you are a bigger company, it does not make sense to open up IT information to the art director or vice versa. Better to spread information to a limited number of people than all over the place. Try to find an app with an interface on which you can decide the security level of each post individually, limit the number of people who can post things, and create different groups to assign information more directly. Needless to say, Staffbase comes with pre-built user roles and a multi-level access management system.

6. Only give your information to an app provider you trust. If they know what they are doing, they should, firstly, have all their employees sign confidentiality agreements; secondly, confirm that they are not giving your information to third parties; and lastly, work with servers certified under ISO 27001 or SSAE standards.

ISO 27001 is an information security standard intended to bring information security under explicit management control and, hence, requires that management examines security risks, implements controls and adopts processes that ensure the safety of data. SSAE 16 is a law by the American Institute of Certified Public Accountants and is intended to update the US security standards to ISO. Both standards are only awarded to companies after extensive audits of security, integrity and confidentiality, and can help you determine whether your information is handled the way it should be.

7. Make sure that all information is encrypted on its way to your app. Your app is installed on private smartphones, so its data travels over the internet. Therefore, it’s important to know how the servers communicate with your app. Thoroughly check the app you plan on using: there should be strong HTTPS encryption.

HTTPS stands for Hypertext Transfer Protocol Secure and encrypts the requests exchanged with websites. This prevents electronic eavesdropping; it's the soundproof layer in the door. It ensures that connections are private, authentic and reliable, and you should definitely use it!

8. Choose an app that is verified by other industry leaders. Every piece of software has bugs, including security bugs. Therefore, it is a huge advantage if your app runs on a platform which has already proven its value to other companies. Such a platform is well-tested, confirmed by hundreds of other communications professionals, and will perform significantly more stably than others. Staffbase, for example, is used by industry leaders worldwide, reaches hundreds of thousands of employees and has been in action for more than two years.

9. There are certain threats that are common on the internet. Your app and your provider should know about them and be able to deal with them. The applications you use should be protected against common risks in web applications, such as CSRF, SQLi, and XSS. Choose an app that either allows you to run penetration tests or that shares the results of previous penetration tests.

And last but not least:

10. Make sure that there are backups. While this should be obvious, it still won't hurt to make sure that there are daily backups and to check the uptime of the servers the app uses. A good uptime is 99.9% or more.

When you have found the one app that makes all of these points possible while simultaneously opening the door for cat videos to be spread among your employees without using Facebook, then she's the one. The good news is that you've already found her: Staffbase checks all of your IT department’s boxes, and it's fun!
