Should IT departments call time on WhatsApp?

IT departments have long-struggled with bring your own device (BYOD) policies, especially when it comes to personal mobile phones being used for remote work – not least during the coronavirus pandemic.

Such a dilemma has been thrown into stark focus thanks to a recent change to messaging giant WhatsApp’s terms and conditions, which saw users being asked to share certain aspects of data with parent company, Facebook, if they still wished to use the platform.

While this change won’t affect those in the UK or Europe specifically, a pop-up notification still appeared on the app for everyone – bringing fears over the security and privacy of BYOD again to the fore.

In many parts of the world, WhatsApp rivals Signal and Telegram saw a sudden surge in new users. However, given they raise similar issues for businesses to WhatsApp, is this situation a timely reminder for IT department s whose employees routinely use messaging apps on their personal devices to “talk” work?

Rowan Troy, Cyber Security Consultant at managed IT provider Littlefish, says organisations should “exercise caution” when allowing the use of consumer communication tools such as WhatsApp.

“We would call it ‘shadow IT‘ because there is no way for central IT departments to monitor what is transmitted through the application. If a company wishes to allow the use of WhatsApp, careful consideration should be given to what, via company policy, users can send.

“The new data-sharing agreement between WhatsApp and Facebook might increase the risk of personal data being shared that contradicts company policy or compliance legislation relevant to the organisation.”

Robert Rutherford, CEO of QuoStar, suggests one solution is to migrate employees to platforms that offer “usability and business grade security and control” such as Slack and Microsoft Teams.

“WhatsApp is not suitable for business communications. Even if devices used are company-owned, the security and privacy threats are manifold,” he adds

Can WhatsApp usage for work ever be rolled back?

For many people, their personal daily communications with family and friends are ingrained in apps, which raises the question of how easy (or, more likely, difficult) it would be to transition work communications away.

Shifting such perceptions means difficult conversations, says Jonathan Phillips, head of consulting at SimplyCommunicate, a consultancy for those who work in internal comms. 

“It’s a hard conversation to have as there are so many open questions,” he says. “Foremost, it’s not possible to know exactly how information, or what information, is being shared. 

“The emphasis for our IT teams needs to be on working with internal communications colleagues to help people understand the drawbacks and potential impact [that] using shadow communications tools can have on the business.”

Ironically, WhatsApp’s especially secure end-to-end encryption can represent one of the biggest headaches.

Ian Jennings, co-founder of BlueFort Security, explains: “The challenge for IT teams is that it’s very secure, possibly too secure. What this means from an enterprise security perspective is that anything sent via WhatsApp simply cannot be seen by the IT team. 

“Not only could this be a potential data leak prevention (DLP) issue, but compliance questions could be raised too.”

He adds: “A potential alternative could be to use iMessage on company-owned devices or within a mobile device management (MDM) solution. This approach combines a company-owned device with a company-owned ID, giving oversight, but also ensuring confidentiality.”

Are professional opt-in networks the answer to this problem?

One British app trying to challenge the status quo is Guild, an independent and ad-free messaging platform for professional groups, networks and communities.

Early last year its research found 41% of professionals admitted to using WhatsApp for work purposes, rising to 53% for the under 45s. 

Founder Ashley Friedlein, who previously created digital marketing best practice company Econsultancy, believes that in many organisations, policies on the correct use of messaging, and which messaging apps are allowed, either doesn’t exist, lacks clarity, or is perilously weak – making it almost impossible to keep track of who is in what groups on apps such as WhatsApp.

“You can’t revoke access to business information, so if an employee leaves a company, they will still have access to potentially sensitive data, and there is nothing you can do about it,” he says.

“While a user can be removed if you have the right permissions, all the messages they received or sent while in the group will be stored locally on their device. It is also possible to make a backup of conversations, which then puts the business at further risk from that data being accessed by bad actors across multiple locations.

“Businesses have a duty to record conversations that their employees/business have in case of problems like harassment and legal challenges. If there is no audit trail of the communications then you have no idea what is going on, and so are being negligent.”

However, Keven Knight, COO of Sy4Security, suggests the genie may now be out of the bottle. “As a business should [you] be concerned? Yes and no. With a remote workforce it’s reasonable to assume people are using these platforms more, so the risks of sharing information and not knowing about this risk is still there.

“But as a business in the modern world, where people can operate these on their own devices, especially when working remotely, can [you] truly enforce a solution that bans them?”