%3Aquality(100)&w=640&q=75){kind=logo}
The State of Secure Communications 2026 Study: Gaps Between Confidence and Capability
Misplaced trust in consumer messaging apps leaves governments and critical infrastructure exposed.
Apr 21, 2026
·Blog
·Christine Gadsby
%3Aquality(100)&w=3840&q=75)
Across government agencies and critical infrastructure organizations, security leaders report high confidence in the security of their messaging and communications. The challenge is that this confidence is often based on assumptions or vendor assurances, rather than on the capabilities and architecture required in today’s threat environment.
Today, BlackBerry released The State of Secure Communications 2026, a survey of 700 security decision-makers across government and critical infrastructure in the United States, United Kingdom, Canada, and Singapore. The findings highlight a clear tension: mission-critical organizations rely on messaging tools that were designed for convenience, not for the operational, sovereignty, and threat requirements of secured environments.
The 'App' in the Room: WhatsApp, Signal and the Illusion of Security
Let's start with the number that should give every security leader pause: 83 percent of respondents report that WhatsApp is being used for sensitive discussions inside their organizations.
This isn't a fringe behavior. It's mainstream. And it's happening as intelligence agencies in the United States, United Kingdom, and Europe are issuing fresh advisories about state-backed espionage campaigns specifically targeting WhatsApp and Signal accounts belonging to public officials and journalists.
The threat landscape has expanded — attacks increasingly target not only networks, but also the accounts, devices, and applications embedded in daily operations
Encrypted Does Not Equal Secure: Confidence Built on Blind Spots
88 percent of security leaders express confidence in their current messaging app security — but that confidence often reflects outdated assumptions about what encryption is designed to protect.
The report identifies material gaps in how encryption capabilities are understood and operationalized by security leaders.
52 percent mistakenly believe encryption protects metadata, including location data, IP addresses, and communication patterns
47 percent incorrectly believe it prevents impersonation, deepfake, or spoofing attacks
41 percent assume communications remain secure even after a device has been compromised
End-to-end encryption (E2EE) protects message content in transit. It does not protect metadata. It does not verify who is at the other end of a conversation. And it cannot protect communications once a device has been compromised — a scenario increasingly exploited by both criminal and state‑aligned actors.
Over time, the label "encrypted" has become shorthand for "secure", obscuring important architectural and operational limitations.
The Sovereignty Paradox: Wanting Control, Choosing Dependency
The findings reveal a deeper structural contradiction. 55 percent of respondents say sovereign control is a priority for their communications systems, including domestic data residency, domestic infrastructure, and reduced exposure to foreign legal jurisdiction.
Yet 98 percent of those same organizations are using consumer messaging platforms that operate on foreign-owned infrastructure. Their servers and data centers sit in foreign countries and are subject to foreign laws. This isn't a compliance gap a policy update can close. It's an architectural impossibility.
The risk extends beyond data access. Foreign-hosted platforms can be throttled, suspended, or shut down based on the host country's foreign policy decisions, with no domestic legal recourse. During a geopolitical crisis, the moment when secure communications matter most, the availability and continuity of those services may be affected.
Meanwhile, 52 percent of respondents are concerned that telecom networks could be monitored or disrupted, a risk already demonstrated by campaigns like Salt Typhoon and, more recently, UNC3886 in Singapore. But the attack surface is widening rapidly. Attackers no longer rely solely on network access, but increasingly targeting the layers around it: accounts, devices, and the apps people use every day.
The Gap Between Confidence and Capability
These vulnerabilities become most dangerous when organizations are under pressure. 90 percent say they are confident in their ability to manage a major incident, yet only 49 percent report having a unified platform to coordinate crisis response.
When crises hit, most fall back on group chats, email threads, and phone trees: familiar tools that were never designed for real-time command and control or secure cross-agency coordination.
The "Good Enough" Trap
Taken together, these findings suggest many organizations are operating on assumptions rather than continuously validated capabilities. 96 percent of security leaders support mandating verified, secure devices for sensitive communications, yet 41 percent simultaneously believe their current encryption already provides that protection
They want sovereign infrastructure but use platforms that can't deliver it. They're confident in crisis readiness but lack the systems to back it up.
The issue is not encryption alone, it is architecture. Consumer platforms generate and retain metadata, operate under foreign data-access laws, and lack the oversight, audit trails, and identity verification that high-security environments require
The failure is not in the security technologies themselves. The failure is in translation: between what security tools actually do and what security leaders believe they do.
Three Questions Every Security Leader Should Ask Today
What specific threats do our current communications tools address, and which require separate controls? Don't assume "encrypted" means "secure."
Does our infrastructure match our sovereignty requirements? If your policy demands domestic control, but your platforms run on foreign servers, that gap is architectural, not procedural.
If a crisis happens tomorrow, do we have a unified system for coordinated response? Or are we relying on group chats and email threads?
These challenges point to a broader requirement: communications systems engineered for high‑consequence environments, with verified identity, controlled metadata, auditability, and jurisdictional clarity.
Purpose-Built for What's at Stake
BlackBerry® Secure Communications is designed to meet these requirements, providing government‑grade secure communication and crisis management with verified identity, strong encryption, and configurable sovereign infrastructure.
The State of Secure Communications 2026 is available now. Read the full report to benchmark your organization’s communications risk posture and understand what secure‑by‑design communications delivers.
The State of Secure Communications 2026 Study: Gaps Between Confidence and Capability
Misplaced trust in consumer messaging apps leaves governments and critical infrastructure exposed.
Apr 21, 2026
·Blog
·Christine Gadsby
Across government agencies and critical infrastructure organizations, security leaders report high confidence in the security of their messaging and communications. The challenge is that this confidence is often based on assumptions or vendor assurances, rather than on the capabilities and architecture required in today’s threat environment.
Today, BlackBerry released The State of Secure Communications 2026, a survey of 700 security decision-makers across government and critical infrastructure in the United States, United Kingdom, Canada, and Singapore. The findings highlight a clear tension: mission-critical organizations rely on messaging tools that were designed for convenience, not for the operational, sovereignty, and threat requirements of secured environments.
The 'App' in the Room: WhatsApp, Signal and the Illusion of Security
Let's start with the number that should give every security leader pause: 83 percent of respondents report that WhatsApp is being used for sensitive discussions inside their organizations.
This isn't a fringe behavior. It's mainstream. And it's happening as intelligence agencies in the United States, United Kingdom, and Europe are issuing fresh advisories about state-backed espionage campaigns specifically targeting WhatsApp and Signal accounts belonging to public officials and journalists.
The threat landscape has expanded — attacks increasingly target not only networks, but also the accounts, devices, and applications embedded in daily operations
Encrypted Does Not Equal Secure: Confidence Built on Blind Spots
88 percent of security leaders express confidence in their current messaging app security — but that confidence often reflects outdated assumptions about what encryption is designed to protect.
The report identifies material gaps in how encryption capabilities are understood and operationalized by security leaders.
52 percent mistakenly believe encryption protects metadata, including location data, IP addresses, and communication patterns
47 percent incorrectly believe it prevents impersonation, deepfake, or spoofing attacks
41 percent assume communications remain secure even after a device has been compromised
End-to-end encryption (E2EE) protects message content in transit. It does not protect metadata. It does not verify who is at the other end of a conversation. And it cannot protect communications once a device has been compromised — a scenario increasingly exploited by both criminal and state‑aligned actors.
Over time, the label "encrypted" has become shorthand for "secure", obscuring important architectural and operational limitations.
The Sovereignty Paradox: Wanting Control, Choosing Dependency
The findings reveal a deeper structural contradiction. 55 percent of respondents say sovereign control is a priority for their communications systems, including domestic data residency, domestic infrastructure, and reduced exposure to foreign legal jurisdiction.
Yet 98 percent of those same organizations are using consumer messaging platforms that operate on foreign-owned infrastructure. Their servers and data centers sit in foreign countries and are subject to foreign laws. This isn't a compliance gap a policy update can close. It's an architectural impossibility.
The risk extends beyond data access. Foreign-hosted platforms can be throttled, suspended, or shut down based on the host country's foreign policy decisions, with no domestic legal recourse. During a geopolitical crisis, the moment when secure communications matter most, the availability and continuity of those services may be affected.
Meanwhile, 52 percent of respondents are concerned that telecom networks could be monitored or disrupted, a risk already demonstrated by campaigns like Salt Typhoon and, more recently, UNC3886 in Singapore. But the attack surface is widening rapidly. Attackers no longer rely solely on network access, but increasingly targeting the layers around it: accounts, devices, and the apps people use every day.
The Gap Between Confidence and Capability
These vulnerabilities become most dangerous when organizations are under pressure. 90 percent say they are confident in their ability to manage a major incident, yet only 49 percent report having a unified platform to coordinate crisis response.
When crises hit, most fall back on group chats, email threads, and phone trees: familiar tools that were never designed for real-time command and control or secure cross-agency coordination.
The "Good Enough" Trap
Taken together, these findings suggest many organizations are operating on assumptions rather than continuously validated capabilities. 96 percent of security leaders support mandating verified, secure devices for sensitive communications, yet 41 percent simultaneously believe their current encryption already provides that protection
They want sovereign infrastructure but use platforms that can't deliver it. They're confident in crisis readiness but lack the systems to back it up.
The issue is not encryption alone, it is architecture. Consumer platforms generate and retain metadata, operate under foreign data-access laws, and lack the oversight, audit trails, and identity verification that high-security environments require
The failure is not in the security technologies themselves. The failure is in translation: between what security tools actually do and what security leaders believe they do.
Three Questions Every Security Leader Should Ask Today
What specific threats do our current communications tools address, and which require separate controls? Don't assume "encrypted" means "secure."
Does our infrastructure match our sovereignty requirements? If your policy demands domestic control, but your platforms run on foreign servers, that gap is architectural, not procedural.
If a crisis happens tomorrow, do we have a unified system for coordinated response? Or are we relying on group chats and email threads?
These challenges point to a broader requirement: communications systems engineered for high‑consequence environments, with verified identity, controlled metadata, auditability, and jurisdictional clarity.
Purpose-Built for What's at Stake
BlackBerry® Secure Communications is designed to meet these requirements, providing government‑grade secure communication and crisis management with verified identity, strong encryption, and configurable sovereign infrastructure.
The State of Secure Communications 2026 is available now. Read the full report to benchmark your organization’s communications risk posture and understand what secure‑by‑design communications delivers.
%3Aquality(100)&w=3840&q=75)