With over 1.5 billion users, Facebook-owned WhatsApp is the world’s most popular messaging app. WhatsApp, which uses the internet to instantly transmit text, videos, images and even documents as attachments, is free, easy and convenient. Users can communicate with individuals and groups using any kind of mobile device to chat, set up meetings or appointments, manage orders and deliveries, and transmit product and marketing messages.
But is WhatsApp an asset or a liability in the workplace? Multinational companies like Continental, Deutsche Bank and Goldman Sachs are so concerned about the risks that they have banned employees from using free messaging systems like WhatsApp and Snapchat.
End-to-end encryption and the illusion of safety
WhatsApp’s end-to-end encryption protocol is a key attraction for many users. End-to-end encryption means data and information are converted to code (encrypted) for the entire transmission, so that only the communicating users can read the messages. Not even telecom and internet providers, or WhatsApp itself, can access the messages.
‘This encryption protocol can give users a false sense of security and privacy,’ says Daniel Muchow, RiskLogic’s Head of Cyber Consulting. ‘Even though the encrypted information is deleted at that point from the WhatsApp server, the information or data may remain on the recipient’s device indefinitely.’
Penetrating the impenetrable
With so much emphasis on end-to-end encryption, it’s easy to overlook the fact that not all information WhatsApp collects is inaccessible or private. ‘WhatsApp stores contact details and address books which may contain confidential corporate and customer data,’ confirms Mr Muchow. ‘For organisations, this raises serious privacy concerns.’ WhatsApp may also retain data about who has communicated with whom and when this communication took place.
While the end-to-end encryption process offered by WhatsApp might sound watertight, attackers and scammers can and do intercept and manipulate messages to create and spread misinformation from what appear to be trusted sources. On investigating the app, Check Point Research found several vulnerabilities including the ability for an attacker to use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. They can also alter the text of someone else’s reply, or send a private message to another group participant disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.
Handing the control of corporate information to employees
There is another immediate challenge for organisations. Employers have obligations to their clients about storing information and need to be able to monitor, manage and archive transmitted information appropriately. This level of organisational visibility and communication management is not possible with messaging apps like WhatsApp.
Unlike corporate email, which is transmitted via the employer’s server, there is no way for employers to track communications, or remotely access or delete messages transmitted by WhatsApp. ‘This lack of transparency gives employees enormous control of company information,’ says Mr Muchow. ‘If the device is lost or stolen, business data and content may be gone forever or used in a damaging way.’
Inappropriately sharing information can also have serious consequences. For example, a former UK Jefferies bank investment managing director was recently fined £40,000 by the Financial Conduct Authority for sharing confidential client information over WhatsApp because he wanted to “impress” recipients.
When a free service costs more than it’s worth
If the communication system is down or there are technical issues, organisations need access to immediate support at any time of day or night. This 24-hour support by dedicated personnel is not available with free messaging apps like WhatsApp but may be critical for an organisation to maintain business continuity.
While WhatsApp and other free messaging services may be attractive to users, there is a serious hidden potential cost to employers. The lack of control and transparency of these free messaging services not only poses financial risk, but may result in a serious privacy breach and reputational damage.
For advice on setting up a secure and resilient messaging service in your organisation and increasing your cyber security response preparedness, contact RiskLogic today.