Across government agencies and critical infrastructure organizations, security leaders report high confidence in the security of their messaging and communications. The challenge is that this confidence is often based on assumptions or vendor assurances, rather than on the capabilities and architecture required in today\u2019s threat environment.<\/p>\n
Today, BlackBerry released The State of Secure Communications 2026, a survey of 700 security decision-makers across government and critical infrastructure in the United States, United Kingdom, Canada, and Singapore. The findings highlight a clear tension: mission-critical organizations rely on messaging tools that were designed for convenience, not for the operational, sovereignty, and threat requirements of secured environments.<\/p>\n
The ‘App’ in the Room: WhatsApp, Signal and the Illusion of Security<\/p>\n
Let’s start with the number that should give every security leader pause: 83 percent of respondents report that WhatsApp is being used for sensitive discussions inside their organizations.<\/p>\n
This isn’t a fringe behavior. It’s mainstream. And it’s happening as intelligence agencies in the United States, United Kingdom, and Europe are issuing fresh advisories about state-backed espionage campaigns specifically targeting WhatsApp and Signal accounts<\/a> belonging to public officials and journalists.<\/p>\n The threat landscape has expanded \u2014 attacks increasingly target not only networks, but also the accounts, devices, and applications embedded in daily operations<\/p>\n Encrypted Does Not Equal Secure: Confidence Built on Blind Spots<\/p>\n 88 percent of security leaders express confidence in their current messaging app security \u2014 but that confidence often reflects outdated assumptions about what encryption is designed to protect.<\/p>\n The report identifies material gaps in how encryption capabilities are understood and operationalized by security leaders.<\/p>\n 52 percent mistakenly believe encryption protects metadata, including location data, IP addresses, and communication patterns<\/p>\n<\/li>\n 47 percent incorrectly believe it prevents impersonation, deepfake, or spoofing attacks<\/p>\n<\/li>\n 41 percent assume communications remain secure even after a device has been compromised<\/p>\n<\/li>\n<\/ul>\n End-to-end encryption (E2EE) protects message content in transit. It does not protect metadata. It does not verify who is at the other end of a conversation. And it cannot protect communications once a device has been compromised \u2014 a scenario increasingly exploited by both criminal and state\u2011aligned actors.<\/p>\n Over time, the label “encrypted” has become shorthand for “secure”, obscuring important architectural and operational limitations.<\/p>\n The Sovereignty Paradox: Wanting Control, Choosing Dependency<\/p>\n The findings reveal a deeper structural contradiction. 55 percent of respondents say sovereign control is a priority for their communications systems, including domestic data residency, domestic infrastructure, and reduced exposure to foreign legal jurisdiction.<\/p>\n Yet 98 percent of those same organizations are using consumer messaging platforms that operate on foreign-owned infrastructure. Their servers and data centers sit in foreign countries and are subject to foreign laws. This isn’t a compliance gap a policy update can close. It’s an architectural impossibility.<\/p>\n The risk extends beyond data access. Foreign-hosted platforms can be throttled, suspended, or shut down based on the host country’s foreign policy decisions, with no domestic legal recourse. During a geopolitical crisis, the moment when secure communications matter most, the availability and continuity of those services may be affected.<\/p>\n Meanwhile, 52 percent of respondents are concerned that telecom networks could be monitored or disrupted, a risk already demonstrated by campaigns like Salt Typhoon and, more recently, UNC3886 in Singapore. \u00a0But the attack surface is widening rapidly. Attackers no longer rely solely on network access, but increasingly targeting the layers around it: accounts, devices, and the apps people use every day.<\/p>\n The Gap Between Confidence and Capability<\/p>\n These vulnerabilities become most dangerous when organizations are under pressure. 90 percent say they are confident in their ability to manage a major incident, yet only 49 percent report having a unified platform to coordinate crisis response.<\/p>\n When crises hit, most fall back on group chats, email threads, and phone trees: familiar tools that were never designed for real-time command and control or secure cross-agency coordination.<\/p>\n The “Good Enough” Trap<\/p>\n Taken together, these findings suggest many organizations are operating on assumptions rather than continuously validated capabilities. 96 percent of security leaders support mandating verified, secure devices for sensitive communications, yet 41 percent simultaneously believe their current encryption already provides that protection<\/p>\n They want sovereign infrastructure but use platforms that can’t deliver it. They’re confident in crisis readiness but lack the systems to back it up.<\/p>\n The issue is not encryption alone, it is architecture. Consumer platforms generate and retain metadata, operate under foreign data-access laws, and lack the oversight, audit trails, and identity verification that high-security environments require<\/p>\n The failure is not in the security technologies themselves. The failure is in translation: between what security tools actually do and what security leaders believe they do.<\/p>\n Three Questions Every Security Leader Should Ask Today<\/p>\n What specific threats do our current communications tools address, and which require separate controls? Don’t assume “encrypted” means “secure.”<\/p>\n<\/li>\n Does our infrastructure match our sovereignty requirements? If your policy demands domestic control, but your platforms run on foreign servers, that gap is architectural, not procedural.<\/p>\n<\/li>\n If a crisis happens tomorrow, do we have a unified system for coordinated response?\u00a0 Or are we relying on group chats and email threads?<\/p>\n<\/li>\n<\/ol>\n These challenges point to a broader requirement: communications systems engineered for high\u2011consequence environments, with verified identity, controlled metadata, auditability, and jurisdictional clarity.<\/p>\n Purpose-Built for What’s at Stake<\/p>\n BlackBerry\u00ae Secure Communications is designed to meet these requirements, providing government\u2011grade secure communication and crisis management with verified identity, strong encryption, and configurable sovereign infrastructure.<\/p>\n The State of Secure Communications 2026<\/a><\/strong> is available now<\/a><\/strong>. Read the full report to benchmark your organization\u2019s communications risk posture and understand what secure\u2011by\u2011design communications delivers. <\/p>\n","protected":false},"excerpt":{"rendered":"Across government agencies and critical infrastructure organizations, security leaders report high confidence in the security of their messaging…\n","protected":false},"author":2,"featured_media":908802,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5311],"tags":[49,978,659],"class_list":{"0":"post-908801","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-united-states","8":"tag-united-states","9":"tag-us","10":"tag-usa"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/116442393897110944","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/908801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=908801"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/908801\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/908802"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=908801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=908801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=908801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n