
Lessons from the Signal Incident: Why Cybersecurity Education Must be a Priority

  • Writer: ISEC7 Government Services
  • Apr 22
  • 6 min read

“Security is not just about strong tools but about strong habits. A secure app in the hands of an untrained user is still a risk.”


What Happened?

In March 2025, the U.S. government experienced a significant security lapse when sensitive military updates were unintentionally exposed via a group chat on the encrypted messaging app Signal. Senior officials had been using the app to discuss ongoing military operations, but due to a simple, yet catastrophic mistake, a journalist was accidentally added to the group chat, gaining access to confidential discussions.

 

While the information shared was not exactly a classified war plan, it was never intended for public consumption. The incident sent shockwaves through national security circles, not because Signal was hacked or exploited, but because basic cybersecurity principles were ignored. Now another alarming incident has come to light involving a high-ranking official; reports indicate that sensitive details of a planned military operation were shared via a Signal chat that included personal contacts. This second breach has intensified scrutiny on the use of commercial messaging apps for discussing sensitive information and has led to calls for stricter cybersecurity protocols within the government.

Not Technological, but Human Failure

“The breach didn’t happen because of Signal—it happened despite its encryption.”

Let it be clear: Signal, as a technology, did what it was built to do, which is to encrypt messages end to end. The problem was not the app but how people used it. This breach is a clear example of poor Operational Security (OpSec), shadow IT in action, and a fundamental breakdown in cybersecurity hygiene. Worse, there was apparently no validation or verification of who was being added to the conversation.

 

These are basic cybersecurity failures, and they speak to a much broader issue: people in critical roles were not trained enough or reminded about what secure communication looks like.


Why Is This Alarming?

We often focus on malware, zero-days, and nation-state threat actors. But what happened here is a reminder that the most dangerous vulnerabilities are not in our tools; they are in our behavior.

 

This was not a case of cybercriminals breaching a secure system, but of government personnel bypassing official communication channels for convenience. In other words, shadow IT: the use of unauthorized apps or systems to handle official work.

 

Shadow IT introduces enormous risk in government environments, especially those involved in military or classified operations. By stepping outside the bounds of approved platforms, the individuals involved removed every layer of organizational oversight: no audit trail, no access controls, no compliance enforcement, and no ability to intervene once a mistake was made.

 

Anatomy of a Shadow IT Incident

“Shadow IT isn’t just a nuisance, but a security breach waiting to happen.”

 

1. Lack of Training and Awareness

The discussion of operational details on a personal device using a non-sanctioned app underscores a broader issue: if individuals were unaware of the risks, this points to an organizational gap in education and accountability. Cybersecurity is not solely the responsibility of IT departments, but a shared mindset that must be cultivated across all levels of the organization.

 

Security training often focuses on passwords and phishing emails, but this is not enough. Personnel, especially those in high-stakes roles, need scenario-based training that reflects real-world decisions, so that when they find themselves in these situations they already know the answers to questions such as: "Which tool should I use to update my team about a mission when I'm out of the office?"; "How do I verify who is being added to a secure conversation?"; and "What are the consequences of using personal devices for sensitive discussions?"

 

2. Shadow IT Behavior

When secure tools are too slow or inconvenient, users will find workarounds; that is exactly what happened here. Signal was likely chosen because it was fast, familiar, and easy, although it was not approved for this type of use. The danger is not just the tool itself but the behavior. When users bypass official channels, they also bypass security policies, monitoring, and safeguards. In environments dealing with Controlled Unclassified Information (CUI) or higher, this is unacceptable.

 

3. Inadequate Access Control

The incident ultimately hinged on one critical mistake: adding the wrong person to a group chat. This highlights the need for strong access control policies—not just on systems, but in day-to-day decision-making.

 

Even if Signal had more granular admin controls, the real failure was in the lack of protocol: no verification of who was being added, no peer review, and no oversight. In high-trust environments, we still need Zero Trust thinking: Assume nothing. Validate everything.

 

What Should Government Agencies Do?

This is not just about preventing future Signal-like incidents. It is about rethinking how secure communication is managed, enforced, and embedded into government culture.

 

Reinforce Cybersecurity Training as a Mission-Critical Priority

Training must go beyond compliance checkboxes and needs to focus on behavior change.

 

Everyone from cabinet officials to support staff should regularly engage in realistic, evolving training that covers the dangers of shadow IT, proper usage of communication platforms, secure handling of metadata and operational details, and device hygiene and app vetting. Regular tabletop exercises and real-world scenarios are vital for developing muscle memory and awareness.

Government employees should also have a clear understanding of the consequences of data leaks and breaches:

  • National security: breaches can expose sensitive information and create significant counterintelligence threats.
  • Personal exposure: leaked personal information can lead to identity theft and fraud, causing financial loss and damage to credit scores, and affected employees may struggle to secure their personal information and recover from such incidents.
  • Career impact: especially for those in positions requiring security clearances, the exposure of sensitive information can make them targets for recruitment by foreign intelligence agencies.
  • Well-being: the psychological stress of fearing that personal information will be misused can affect job performance.
  • Operations: data leaks disrupt government operations, leading to increased scrutiny and additional security measures that reduce the efficiency and effectiveness of government services.

These consequences underscore the importance of robust cybersecurity measures to protect sensitive information and mitigate the risks associated with data leaks.

 

Eliminate Shadow IT by Offering Usable, Yet Secure Alternatives

“The best security tool is the one people will use.”


People will avoid secure systems if they are difficult to use. That is why secure communication platforms in government need to prioritize user experience as much as security.

 

Agencies should deploy tools authorized under frameworks like FedRAMP, the Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST) SP 800-53; integrate secure communication tools with Unified Endpoint Management (UEM) systems to enforce Data Loss Prevention (DLP) policies and application allowlisting; and ensure that the secure options are faster, easier, and more intuitive than consumer-grade alternatives.

 

Only a few solutions, BlackBerry SecuSUITE among them, currently meet the National Security Agency (NSA) Commercial Solutions for Classified (CSfC) requirements for secure VoIP communication. Platforms of this kind are built from the ground up to integrate into government cybersecurity ecosystems rather than bolted on afterwards.

 

Centralized Control for All Devices

Whether BYOD is allowed or not, all devices used in government contexts should be enrolled in a centralized UEM platform that enforces application restrictions, data encryption, remote wipe capabilities, and role-based access control (RBAC) policies, ensuring visibility and control even on mobile endpoints.

 

Enforce Peer Verification

No one should be able to unilaterally grant access to secure channels, especially in high-level groups. Group communications involving sensitive content should require admin or peer verification before a new member is added, should leverage MFA, digital identity checks, and audit logs, and should be routinely reviewed for access hygiene. Verification here means resolving the contact to a known organizational identity before the add happens, not recognizing a name or number after the fact.
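The two controls described above and under "Inadequate Access Control" (validate everything; no unilateral adds) can be expressed as a small policy layer in front of a group's membership list. The following is an added illustration written for this article, not Signal's code or any agency's real workflow: a contact must resolve to a verified identity in an approved directory, a second admin must approve every add, and every attempt (including rejected ones) lands in a hash-chained audit log. The directory, admin roles and contacts are constructed for the example.

```python
"""Two-person rule and verified identity for adding members to a sensitive group.

Added illustration, not Signal's code or a real agency workflow.  The directory,
admin roles and phone numbers below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
import hashlib

# Constructed directory: the contact an admin would type (a phone number here)
# mapped to the verified organisational identity it belongs to.  In practice this
# lookup would be backed by the agency's identity provider, not a literal.
APPROVED_DIRECTORY: Dict[str, str] = {
    "+1-202-555-0101": "alice@agency.example",
    "+1-202-555-0102": "bob@agency.example",
    "+1-202-555-0103": "carol@agency.example",
}
ADMINS: Set[str] = {"alice@agency.example", "bob@agency.example"}
GENESIS = "0" * 64  # prev_hash of the first audit entry


class MembershipError(Exception):
    """Raised when a membership change violates policy."""


@dataclass
class AuditEntry:
    ts: str
    action: str
    subject: str
    actor: str
    approver: Optional[str]
    prev_hash: str
    entry_hash: str


def _digest(ts: str, action: str, subject: str, actor: str,
            approver: Optional[str], prev_hash: str) -> str:
    body = "|".join([ts, action, subject, actor, str(approver), prev_hash])
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class SecureGroup:
    name: str
    members: Set[str] = field(default_factory=set)
    pending: Dict[str, str] = field(default_factory=dict)  # identity -> proposer
    audit: List[AuditEntry] = field(default_factory=list)

    def _log(self, action: str, subject: str, actor: str,
             approver: Optional[str] = None) -> None:
        # Each entry commits to the previous one, so an edited or deleted
        # record is detected by verify_audit().
        prev = self.audit[-1].entry_hash if self.audit else GENESIS
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(ts, action, subject, actor, approver, prev,
                                     _digest(ts, action, subject, actor, approver, prev)))

    def propose_add(self, contact: str, proposer: str) -> str:
        """An admin nominates a contact.  Nothing is granted yet."""
        if proposer not in ADMINS:
            raise MembershipError(f"{proposer} may not manage {self.name}")
        identity = APPROVED_DIRECTORY.get(contact)
        if identity is None:
            # Log the raw contact so the failed attempt itself is reviewable.
            self._log("REJECTED_UNVERIFIED", contact, proposer)
            raise MembershipError(f"{contact} does not resolve to a verified identity")
        if identity in self.members:
            raise MembershipError(f"{identity} is already a member")
        self.pending[identity] = proposer
        self._log("PROPOSED", identity, proposer)
        return identity

    def approve_add(self, identity: str, approver: str) -> None:
        """A second admin confirms.  The proposer cannot approve their own request."""
        if approver not in ADMINS:
            raise MembershipError(f"{approver} may not approve changes to {self.name}")
        proposer = self.pending.get(identity)
        if proposer is None:
            raise MembershipError(f"no pending request for {identity}")
        if approver == proposer:
            raise MembershipError("two-person rule: approver must differ from proposer")
        self.members.add(identity)
        del self.pending[identity]
        self._log("ADDED", identity, proposer, approver)

    def verify_audit(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = GENESIS
        for e in self.audit:
            expected = _digest(e.ts, e.action, e.subject, e.actor, e.approver, e.prev_hash)
            if e.prev_hash != prev or expected != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> SecureGroup:
    """A correct add, a blocked self-approval, and a mistyped (unverified) contact."""
    g = SecureGroup("ops-planning", members=set(ADMINS))
    ident = g.propose_add("+1-202-555-0103", "alice@agency.example")
    try:
        g.approve_add(ident, "alice@agency.example")   # same person: blocked
    except MembershipError:
        pass
    g.approve_add(ident, "bob@agency.example")          # second admin: added
    try:
        g.propose_add("+1-202-555-0199", "alice@agency.example")  # not in directory
    except MembershipError:
        pass
    return g


if __name__ == "__main__":
    group = demo()
    print(sorted(group.members))
    for e in group.audit:
        print(e.action, e.subject, e.actor, e.approver)
    print("audit chain intact:", group.verify_audit())
```

The point of the `REJECTED_UNVERIFIED` entry is that the near miss is recorded: a wrong number typed by an admin produces a reviewable event instead of a silent add, which is exactly the visibility the article says was missing once the conversation left approved channels.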

 

Monitor Application Vulnerabilities

Even tools with strong encryption like Signal can be compromised through features like linked devices or third-party integrations; a user who is tricked into scanning a malicious device-linking QR code, for example, hands an attacker a live copy of their conversations without any break in the encryption. Agencies should maintain a regular cadence of security reviews for all apps in use, subscribe to threat intelligence and CVE updates, and involve legal and operational leaders in risk assessments.

 

The Signal incident should serve as a powerful reminder that even the most advanced encryption is no match for poor decision-making. The real lesson here is that technology is only as secure as the people using it. Government agencies must prioritize cybersecurity training as a mission-critical activity, ensuring that all personnel, from senior officials to support staff, are well-versed in secure communication protocols and the dangers of shadow IT. Regular, realistic training sessions and tabletop exercises are essential for fostering a culture of vigilance and preparedness.


Moreover, it is crucial to eliminate shadow IT by providing secure, user-friendly alternatives that meet stringent security standards. Centralized control over all devices, robust access verification processes, and continuous monitoring of application vulnerabilities are necessary to maintain a secure communication environment.

The consequences of failing to adhere to proper training and protocols are severe, ranging from national security risks to personal and career impacts. Government employees must understand that cybersecurity is not optional but a fundamental aspect of their roles. By embedding cybersecurity hygiene into the organizational culture and enforcing strict protocols, government agencies can prevent incidents like the Signal breach and ensure the security of sensitive information. If you have questions or concerns about cybersecurity and want to ensure that your organization's cyber hygiene and security posture remain strong, the team at ISEC7 Government Services can help.

Ultimately, you do not secure the mission by downloading an app—you secure it by building a culture and ecosystem where mistakes like this cannot happen. Because when the stakes are this high, cybersecurity is not optional—it is mission-critical.
