IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Should IT departments call time on WhatsApp?

For many, it's their go-to messaging app for business and social contacts, but recent privacy changes could put an end to that

IT departments have long-struggled with bring your own device (BYOD) policies, especially when it comes to personal mobile phones being used for remote work – not least during the coronavirus pandemic.

Such a dilemma has been thrown into stark focus thanks to a recent change to messaging giant WhatsApp's terms and conditions, which saw users being asked to share certain aspects of data with parent company, Facebook, if they still wished to use the platform.

While this change won't affect those in the UK or Europe specifically, a pop-up notification still appeared on the app for everyone – bringing fears over the security and privacy of BYOD again to the fore.

In many parts of the world, WhatsApp rivals Signal and Telegram saw a sudden surge in new users. However, given they raise similar issues for businesses to WhatsApp, is this situation a timely reminder for IT department s whose employees routinely use messaging apps on their personal devices to "talk" work?

Rowan Troy, Cyber Security Consultant at managed IT provider Littlefish, says organisations should “exercise caution” when allowing the use of consumer communication tools such as WhatsApp.

"We would call it 'shadow IT' because there is no way for central IT departments to monitor what is transmitted through the application. If a company wishes to allow the use of WhatsApp, careful consideration should be given to what, via company policy, users can send.

"The new data-sharing agreement between WhatsApp and Facebook might increase the risk of personal data being shared that contradicts company policy or compliance legislation relevant to the organisation."

Robert Rutherford, CEO of QuoStar, suggests one solution is to migrate employees to platforms that offer "usability and business grade security and control" such as Slack and Microsoft Teams.

"WhatsApp is not suitable for business communications. Even if devices used are company-owned, the security and privacy threats are manifold," he adds

Can WhatsApp usage for work ever be rolled back?

For many people, their personal daily communications with family and friends are ingrained in apps, which raises the question of how easy (or, more likely, difficult) it would be to transition work communications away.

Shifting such perceptions means difficult conversations, says Jonathan Phillips, head of consulting at SimplyCommunicate, a consultancy for those who work in internal comms. 

"It's a hard conversation to have as there are so many open questions,” he says. “Foremost, it's not possible to know exactly how information, or what information, is being shared. 

"The emphasis for our IT teams needs to be on working with internal communications colleagues to help people understand the drawbacks and potential impact [that] using shadow communications tools can have on the business."

Ironically, WhatsApp's especially secure end-to-end encryption can represent one of the biggest headaches.

Ian Jennings, co-founder of BlueFort Security, explains: "The challenge for IT teams is that it's very secure, possibly too secure. What this means from an enterprise security perspective is that anything sent via WhatsApp simply cannot be seen by the IT team. 

"Not only could this be a potential data leak prevention (DLP) issue, but compliance questions could be raised too."

He adds: "A potential alternative could be to use iMessage on company-owned devices or within a mobile device management (MDM) solution. This approach combines a company-owned device with a company-owned ID, giving oversight, but also ensuring confidentiality."

Are professional opt-in networks the answer to this problem?

One British app trying to challenge the status quo is Guild, an independent and ad-free messaging platform for professional groups, networks and communities.

Early last year its research found 41% of professionals admitted to using WhatsApp for work purposes, rising to 53% for the under 45s. 

Founder Ashley Friedlein, who previously created digital marketing best practice company Econsultancy, believes that in many organisations, policies on the correct use of messaging, and which messaging apps are allowed, either doesn't exist, lacks clarity, or is perilously weak – making it almost impossible to keep track of who is in what groups on apps such as WhatsApp.

"You can’t revoke access to business information, so if an employee leaves a company, they will still have access to potentially sensitive data, and there is nothing you can do about it,” he says.

"While a user can be removed if you have the right permissions, all the messages they received or sent while in the group will be stored locally on their device. It is also possible to make a backup of conversations, which then puts the business at further risk from that data being accessed by bad actors across multiple locations.

"Businesses have a duty to record conversations that their employees/business have in case of problems like harassment and legal challenges. If there is no audit trail of the communications then you have no idea what is going on, and so are being negligent."

However, Keven Knight, COO of Sy4Security, suggests the genie may now be out of the bottle. “As a business should [you] be concerned? Yes and no. With a remote workforce it’s reasonable to assume people are using these platforms more, so the risks of sharing information and not knowing about this risk is still there.

"But as a business in the modern world, where people can operate these on their own devices, especially when working remotely, can [you] truly enforce a solution that bans them?"

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download


Meta launches free WhatsApp Cloud API
cloud management

Meta launches free WhatsApp Cloud API

20 May 2022
WhatsApp secures permission to challenge €225 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp secures permission to challenge €225 million GDPR fine

10 Nov 2021
'Changing name to Meat': Industry reacts to Facebook's Meta rebrand
Business strategy

'Changing name to Meat': Industry reacts to Facebook's Meta rebrand

29 Oct 2021
WhatsApp launches multi-device beta with support for end to end encryption

WhatsApp launches multi-device beta with support for end to end encryption

15 Jul 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022