Is it time for IT departments to call time on WhatsApp?

For many, it's their go-to messaging app for business and social contacts, but recent privacy changes could put an end to that

IT departments have long struggled with bring your own device (BYOD) policies, especially when it comes to personal mobile phones being used for remote work – not least during the coronavirus pandemic.

Such a dilemma has been thrown into stark focus thanks to a recent change to messaging giant WhatsApp's terms and conditions, which saw users being asked to share certain aspects of data with parent company, Facebook, if they still wished to use the platform.

While this change won't affect those in the UK or Europe specifically, a pop-up notification still appeared on the app for everyone – bringing fears over the security and privacy of BYOD again to the fore.

In many parts of the world, WhatsApp rivals Signal and Telegram saw a sudden surge in new users. However, given that they raise similar issues for businesses as WhatsApp does, is this situation a timely reminder for IT departments whose employees routinely use messaging apps on their personal devices to "talk" work?

Rowan Troy, Cyber Security Consultant at managed IT provider Littlefish, says organisations should “exercise caution” when allowing the use of consumer communication tools such as WhatsApp.

"We would call it 'shadow IT' because there is no way for central IT departments to monitor what is transmitted through the application. If a company wishes to allow the use of WhatsApp, careful consideration should be given to what, via company policy, users can send.

"The new data-sharing agreement between WhatsApp and Facebook might increase the risk of personal data being shared that contradicts company policy or compliance legislation relevant to the organisation."

Robert Rutherford, CEO of QuoStar, suggests one solution is to migrate employees to platforms that offer "usability and business grade security and control" such as Slack and Microsoft Teams.

"WhatsApp is not suitable for business communications. Even if devices used are company-owned, the security and privacy threats are manifold," he adds.

Can WhatsApp usage for work ever be rolled back?

For many people, their personal daily communications with family and friends are ingrained in apps, which raises the question of how easy (or, more likely, difficult) it would be to transition work communications away.

Shifting such perceptions means difficult conversations, says Jonathan Phillips, head of consulting at SimplyCommunicate, a consultancy for those who work in internal comms. 

"It's a hard conversation to have as there are so many open questions,” he says. “Foremost, it's not possible to know exactly how information, or what information, is being shared. 

"The emphasis for our IT teams needs to be on working with internal communications colleagues to help people understand the drawbacks and potential impact [that] using shadow communications tools can have on the business."

Ironically, WhatsApp's especially secure end-to-end encryption can represent one of the biggest headaches.

Ian Jennings, co-founder of BlueFort Security, explains: "The challenge for IT teams is that it's very secure, possibly too secure. What this means from an enterprise security perspective is that anything sent via WhatsApp simply cannot be seen by the IT team. 

"Not only could this be a potential data leak prevention (DLP) issue, but compliance questions could be raised too."

He adds: "A potential alternative could be to use iMessage on company-owned devices or within a mobile device management (MDM) solution. This approach combines a company-owned device with a company-owned ID, giving oversight, but also ensuring confidentiality."

Are professional opt-in networks the answer to this problem?

One British app trying to challenge the status quo is Guild, an independent and ad-free messaging platform for professional groups, networks and communities.

Early last year its research found 41% of professionals admitted to using WhatsApp for work purposes, rising to 53% for the under 45s. 

Founder Ashley Friedlein, who previously created digital marketing best practice company Econsultancy, believes that in many organisations, policies on the correct use of messaging, and on which messaging apps are allowed, either don't exist, lack clarity, or are perilously weak – making it almost impossible to keep track of who is in what groups on apps such as WhatsApp.

"You can’t revoke access to business information, so if an employee leaves a company, they will still have access to potentially sensitive data, and there is nothing you can do about it,” he says.

"While a user can be removed if you have the right permissions, all the messages they received or sent while in the group will be stored locally on their device. It is also possible to make a backup of conversations, which then puts the business at further risk from that data being accessed by bad actors across multiple locations.

"Businesses have a duty to record conversations that their employees/business have in case of problems like harassment and legal challenges. If there is no audit trail of the communications then you have no idea what is going on, and so are being negligent."

However, Keven Knight, COO of Sy4Security, suggests the genie may now be out of the bottle. “As a business should [you] be concerned? Yes and no. With a remote workforce it’s reasonable to assume people are using these platforms more, so the risks of sharing information and not knowing about this risk is still there.

"But as a business in the modern world, where people can operate these on their own devices, especially when working remotely, can [you] truly enforce a solution that bans them?"
