Organisations are always on the lookout for efficient and accessible communication tools, and due to their widespread use and user-friendly interfaces, peer to peer messaging apps like WhatsApp, Telegram, and Signal often seem like perfect choices for both internal and external communication . As most people are already familiar with these apps, they find them easy to use and comfortable for communication anytime, anywhere. However, despite their convenience, using these platforms for business purposes carries significant risks that may jeopardise security, compliance, and operational integrity.
Security Risks: Infiltration and Bad Actors
One of the primary concerns for businesses using instant messaging apps is the risk of infiltration by bad actors. Accounts are often linked to phone numbers, which can be easily obtained or spoofed. This opens the door for hackers to infiltrate group chats, posing as legitimate members. Once inside, these bad actors work to access sensitive information, introduce malware, or manipulate communications for fraudulent activities.
The end-to-end encryption that many of the platforms boast, while providing a layer of security, is not foolproof nor a defence against many attacks. If a device, user or user account is compromised, the encryption becomes irrelevant as attackers can read information directly or from the device. Businesses might not have the necessary controls to monitor and protect every device their employees use, increasing the vulnerability to such breaches. Many employees may use their personal devices for business communication, which often lack the robust security measures found in corporate-managed devices, escalating the risk of data breaches.
"Your mobile device is the Trojan horse in your pocket." – Bruce Schneier, Security Technologist and Author
Identity Verification: Who Are You Really Talking To?
Another significant risk is the difficulty in verifying the identity of the person you are communicating with. Unlike business communication systems that use domain or other user verification which are defined by policy and controlled by IT departments, instant messaging apps do not provide a robust mechanism for identity verification. This makes it challenging to ascertain whether the person or group you are communicating with is indeed who they claim to be.
Phishing attacks exploit this vulnerability. By creating fake profiles or hijacking existing accounts, attackers deceive employees into sharing confidential information or performing actions that compromise the business. The lack of a formal verification process makes such platforms an attractive target for malicious activities.
It is alarmingly simple for bad actors to steal photographs and gather personal information from social media platforms to create convincing fake profiles. By combining a stolen image with a spoofed phone number, an attacker can easily impersonate a trusted colleague, brand or contact. This impersonation can easily deceive employees into believing they are communicating with a legitimate individual, making it much easier for the attacker to extract sensitive information or distribute malicious links.
Phishing: A Growing Threat
Phishing remains a pervasive threat on all communication platforms, with attackers using phishing techniques to trick employees into clicking malicious links, downloading harmful attachments, or divulging sensitive information. These attacks can be highly sophisticated, often mimicking legitimate communications from colleagues or business partners.
Since communication sent on instant messaging apps is generally perceived as more personal and less formal than emails, employees might be less vigilant when interacting on this platform. This relaxed attitude can lead to lapses in judgement, making them more susceptible to phishing scams.
Spear Phishing, where context and tone of voice are used to defraud the victim is made easier with access to rich conversation and activity histories shared online.
Compliance and Legal Concerns: Terms of Service
Beyond security risks, there are significant legal and compliance concerns associated with using peer to peer apps for business communications. For example, according to WhatsApp's terms of service, the app is not intended for business use unless through a WhatsApp Business account. Regular accounts used for business purposes violate these terms, potentially leading to account suspension or termination. This is generally the case across all similar platforms.
Using these tools without adhering to their terms also poses compliance risks, particularly for industries with strict regulatory requirements. For instance, financial services, healthcare, and legal sectors have stringent data protection and communication archiving mandates. This twinned with the lack of formal oversight and control mechanisms on instant messaging apps makes it difficult for businesses to comply with these regulations, exposing them to legal penalties and damage to their reputation.
Data Privacy and Retention Issues
Messages sent via instant messaging apps are stored on individual devices and on the service providers servers. Businesses have limited control over how data is stored, accessed, and shared. This decentralised approach to data management increases the risk of data leaks and unauthorised access.
If your organisation need to retain communication records for auditing and legal purposes, you will find that most instant messaging apps do not provide tools to efficiently archive and retrieve messages, or identify sensitive data, making it challenging to meet legal and regulatory requirements for data retention.
When sensitive business data and conversations are conducted on personal devices, companies lose control over content and have no means of monitoring or accessing what has been discussed. This fragmentation leads to significant gaps in security and accountability, making it difficult to enforce corporate policies and ensure compliance with legal and regulatory requirements. Without centralised control and oversight, organisations are unable to maintain a cohesive record of communications, potentially leading to mismanagement, data leaks, and an inability to respond effectively to security incidents.
"Effective oversight of staff communications is crucial for maintaining security, compliance, and operational integrity." – Theresa Payton, former White House CIO
A Need for Caution
While instant messaging apps offer convenience and widespread adoption, their use for business communication comes with significant risks. Security vulnerabilities, identity verification challenges, phishing threats, and compliance issues mean they should be carefully considered, and subject to clear policy guidance. Businesses should consider more secure and compliant communication tools designed specifically for corporate use. These tools offer better control, monitoring, and security features, ensuring that business communications remain protected and compliant with relevant regulations.
It's important that whatever your policy, the tools you use reflect those priorities and any gaps in enforcement can be easily identified and mitigated.
In summary, while instant messaging apps can be handy tools for informal and personal communication, businesses must exercise caution and should seek alternative solutions that prioritise security, compliance, and data integrity. By doing so, they will protect their operations, reputation, and bottom line from the myriad risks associated with using instant messaging apps for business purposes.
If you'd like to talk to us about how digital transformation can help your organisation discover better ways to communicate, book a meeting by clicking here!
References
Star fund manager Nick Train impersonated in WhatsApp scam | MoneyWeek
13 WhatsApp scams to know and avoid in 2024 - Norton
'I had £3,000 stolen via WhatsApp job scam message' - BBC News
Whatsapp users issued urgent warning over scam message they need to delete | The Independent
