The recent leak of sensitive US military details through Signal happened after a journalist unintentionally joined a group chat. This event highlights a major issue that often gets ignored: people can be the weakest link in an organization’s security.
In the public sector, many individuals have access to sensitive information—like MPs, local officials, and government workers—but they’re not treated like regular employees. Often, they miss out on onboarding due to their status. Temporary workers, contractors, and interns also find themselves in a similar boat, holding legitimate access but lacking adequate training in information security.
It’s easy to think that high-ranking officials should inherently know better. But remember, they haven’t necessarily received any formal training in cyber security. Politicians may be influential, but they aren’t cyber experts and often handle sensitive data without understanding the associated risks.
Take the recent example of a university student at GCHQ who pleaded guilty to transferring sensitive documents to personal devices. Despite going through vetting, the student didn’t fully grasp the operational boundaries and protocols. This reflects the same issue as the Signal leak: those outside traditional employment structures often navigate a grey area in information security. They might have access but lack tailored education, which can lead to unintentional security breaches.
For Chief Information Security Officers (CISOs), the question is clear: how do you create a culture of security awareness among people who are hard to reach through typical training?
The answer lies in using clear and relevant language. Senior leaders are often short on time and focused on objectives. To connect, security messages need to be framed in terms of risk, reputation, and leadership responsibilities, moving away from dry compliance jargon. It’s crucial to position security not just as an IT concern but a leadership priority.
Another takeaway from the Signal incident is that banning communication tools doesn’t work. Platforms like WhatsApp and Signal aren’t flawed; they offer solid encryption and are widely used. The issue isn’t the tools themselves but how we govern their use.
Instead of trying to eradicate these platforms, organizations should integrate them into official communication policies. This means defining which types of information can be shared and setting up audits where possible.
Best practices now demand that organizations adapt to the tools people actually use, while ensuring they have proper governance and accountability in place. It also means recognizing that anyone with access to sensitive data deserves security training—not just full-time employees.
The Signal leak serves as a wake-up call: even secure platforms can turn into vulnerabilities when human factors get ignored. For CISOs, this incident should push a reevaluation of onboarding, education, and communication strategies, particularly for those at the highest levels.