Should IT departments call time on WhatsApp?

For many, it's their go-to messaging app for business and social contacts, but recent privacy changes could put an end to that

IT departments have long struggled with bring your own device (BYOD) policies, especially when it comes to personal mobile phones being used for remote work – not least during the coronavirus pandemic.

This dilemma has been thrown into stark focus by a recent change to messaging giant WhatsApp's terms and conditions, which saw users being asked to share certain aspects of data with parent company Facebook if they still wished to use the platform.

While this change won't affect those in the UK or Europe specifically, a pop-up notification still appeared on the app for everyone – bringing fears over the security and privacy of BYOD again to the fore.

In many parts of the world, WhatsApp rivals Signal and Telegram saw a sudden surge in new users. However, given they raise issues for businesses similar to those raised by WhatsApp, is this situation a timely reminder for IT departments whose employees routinely use messaging apps on their personal devices to "talk" work?

Rowan Troy, Cyber Security Consultant at managed IT provider Littlefish, says organisations should "exercise caution" when allowing the use of consumer communication tools such as WhatsApp.

"We would call it 'shadow IT' because there is no way for central IT departments to monitor what is transmitted through the application. If a company wishes to allow the use of WhatsApp, careful consideration should be given to what, via company policy, users can send.

"The new data-sharing agreement between WhatsApp and Facebook might increase the risk of personal data being shared that contradicts company policy or compliance legislation relevant to the organisation."

Robert Rutherford, CEO of QuoStar, suggests one solution is to migrate employees to platforms that offer "usability and business grade security and control" such as Slack and Microsoft Teams.

"WhatsApp is not suitable for business communications. Even if devices used are company-owned, the security and privacy threats are manifold," he adds.

Can WhatsApp usage for work ever be rolled back?

For many people, their personal daily communications with family and friends are ingrained in apps, which raises the question of how easy (or, more likely, difficult) it would be to transition work communications away.

Shifting such perceptions means difficult conversations, says Jonathan Phillips, head of consulting at SimplyCommunicate, a consultancy for those who work in internal comms. 

"It's a hard conversation to have as there are so many open questions," he says. "Foremost, it's not possible to know exactly how information, or what information, is being shared.

"The emphasis for our IT teams needs to be on working with internal communications colleagues to help people understand the drawbacks and potential impact [that] using shadow communications tools can have on the business."

Ironically, WhatsApp's especially secure end-to-end encryption can represent one of the biggest headaches.

Ian Jennings, co-founder of BlueFort Security, explains: "The challenge for IT teams is that it's very secure, possibly too secure. What this means from an enterprise security perspective is that anything sent via WhatsApp simply cannot be seen by the IT team. 

"Not only could this be a potential data leak prevention (DLP) issue, but compliance questions could be raised too."

He adds: "A potential alternative could be to use iMessage on company-owned devices or within a mobile device management (MDM) solution. This approach combines a company-owned device with a company-owned ID, giving oversight, but also ensuring confidentiality."

Are professional opt-in networks the answer to this problem?

One British app trying to challenge the status quo is Guild, an independent and ad-free messaging platform for professional groups, networks and communities.

Early last year its research found 41% of professionals admitted to using WhatsApp for work purposes, rising to 53% for the under-45s.

Founder Ashley Friedlein, who previously created digital marketing best practice company Econsultancy, believes that in many organisations, policies on the correct use of messaging, and on which messaging apps are allowed, either don't exist, lack clarity, or are perilously weak – making it almost impossible to keep track of who is in what groups on apps such as WhatsApp.

"You can't revoke access to business information, so if an employee leaves a company, they will still have access to potentially sensitive data, and there is nothing you can do about it," he says.

"While a user can be removed if you have the right permissions, all the messages they received or sent while in the group will be stored locally on their device. It is also possible to make a backup of conversations, which then puts the business at further risk from that data being accessed by bad actors across multiple locations.

"Businesses have a duty to record conversations that their employees/business have in case of problems like harassment and legal challenges. If there is no audit trail of the communications then you have no idea what is going on, and so are being negligent."

However, Keven Knight, COO of Sy4Security, suggests the genie may now be out of the bottle. "As a business should [you] be concerned? Yes and no. With a remote workforce it's reasonable to assume people are using these platforms more, so the risks of sharing information and not knowing about this risk is still there.

"But as a business in the modern world, where people can operate these on their own devices, especially when working remotely, can [you] truly enforce a solution that bans them?"
