Many businesses use consumer-standard messaging apps, often inadvertently, but this is risky. In this article I share where the dangers lie, and how to avoid them.
It’s no surprise that Facebook/Meta-owned WhatsApp is the world’s most popular messaging application; as of 2022 it has around 2 billion users. Millions of organisations have downloaded the enterprise-specific WhatsApp Business app too (Meta also sells a WhatsApp API), but importantly these are tools for use in customer engagement and customer service, not for internal comms.
It’s not hard to see why it’s so well-loved: the consumer version of WhatsApp is free to download and use, and lets you message, share cat videos and send gifs all day long. For many of us it has replaced SMS and become the daily norm.
Unfortunately, the convenience, ubiquity and familiarity of WhatsApp mean it has organically moved towards being used at work, whether informally between teams or, even worse, as a strategic decision! That can be a very bad move. As HM Government and banking giant JP Morgan Chase (to name just two) have discovered, your organisation’s or staff members’ use of WhatsApp can get your business into some very hot water indeed.
Why is WhatsApp not fit for internal comms at work?
Although standard WhatsApp promises end-to-end encryption, it is nowhere near robust enough for internal comms at work.
Not only are consumer-grade messaging apps too insecure for work, but they are also long-established and relatively easy targets for malware and other cybercrime. Businesses have a duty to protect their stakeholders, clients, partners, and employees by providing all of their personnel with secure devices and platforms, and consumer-grade messaging apps don’t meet that need.
The UK’s Information Commissioner explained this very clearly in “Behind the screens: maintaining government transparency and data security in the age of messaging apps”, a July 2022 report into government’s use of private correspondence channels during the COVID-19 pandemic. The ICO found that officials had used messaging apps, including WhatsApp, in ways that risked data transparency, confidentiality and security, and called for a review into the associated risks and areas for improvement.
Meanwhile, in the US, the practice of using WhatsApp and other platforms in ways that circumvented federal record-keeping laws led to $200 million worth of fines for bankers JP Morgan Chase.
These cases, while high profile, are not astoundingly unusual. Around 53% of front-line staff in retail, hospitality and entertainment worldwide use unapproved apps for work communications daily, while a study of 1,261 UK workers found that 41% were using WhatsApp for work purposes. As well as being an obvious security risk, this practice can also hold the business back by creating silos of information known only to members of (unofficial, unaccountable) messaging groups.
It is likely that, in many cases, staff have decided to use WhatsApp for reasons of ease and convenience, and managers may be unaware of the practice. But that doesn’t matter. When business data is compromised or security breached, ultimately the buck stops with the business.
What are the risks?
Security is just one of the risks inherent in consumer messaging apps. Other dangers include the lack of a coherent audit trail, a lack of integration with wider business systems, the near impossibility of knowing who is in any given messaging group, and the difficulty of ensuring that former staff members have been removed from all groups (and even if they have, they may still have retained downloaded messages on a device to which you have no access).
Consumer-grade messaging apps also create potential for sensitive business data to be shared and stored offline without your knowledge. While classic WhatsApp messages are encrypted, backups and messages downloaded onto devices are not – and in many cases they will exist on personal devices, which cannot be centrally managed.
What is the solution?
While WhatsApp is the platform that’s most widely known and talked about, consumer-grade messaging apps like this one are not appropriate for business use, as they generate unnecessary risk. There are many other communications platforms available that are designed for business, often tailored for specific sectors, use cases and devices. These are secure, GDPR-compliant and efficient, and provide business communications that can be integrated with existing software and systems.
A tailor-made platform that offers more added value than just messaging and video is also a very good productivity investment. It also ensures that there is no risk of employees mixing work with pleasure, for example by being contacted outside of office hours or while on holiday.