Our communications need to be both private and secure. The recent uproar about WhatsApp's changes to its privacy policy is a good reminder of that fact. While the changes had implications for consumers who use WhatsApp, the concerns also made their way into the enterprise. CISOs have seen discussions quickly morph from personal concerns about privacy to enterprise security concerns about using WhatsApp for business communications.
The common question: Is WhatsApp "safe" to use for business communications? Consider a follow-up question: What do we do, and what can we do, about it?
Understand the risks to the business to help make the case for change
Your business is exposed to privacy, security, reputation, and compliance risks when employees use consumer tools for business purposes. If someone is targeting your organization specifically, it is useful to know that employees regularly communicate business info freely on such a channel. It likely wouldn't be too difficult to discover if employees talk about it as a tool they use for work or encourage customers or others to use it to communicate with them.
Consumer apps aren't built for business use. End-to-end encryption protects data in transit and the app provider doesn't see the content yet data is still vulnerable on devices. Malware on phones enables hackers to read messages. Someone else picking up an employee's phone may be able to see messages if there's no PIN protecting access on the phone or for the app. There is also no guarantee that an individual is using two-step verification[1] or not automatically backing up their messages to the cloud. They could also save messages to share with others outside of the company, or screenshot freely, and the recipient can do whatever they wish with them. Additionally, vertical-specific compliance guidelines, such as those of