WhatsApp is free, popular and convenient. If you want to catch up with friends, share memes or make plans for that important family event, it’s great. But WhatsApp is not appropriate for internal comms at work – and failure to realise this has cost several organisations and individuals a great deal. In this article, I explain why using popular messaging apps for work is risky, and how there are better options.
The standard (consumer-grade) version of WhatsApp is the world’s most popular messaging application, with around two billion users. There’s a good chance, though, that Boris Johnson regrets downloading it.
Back in 2021, the former prime minister’s phone number was listed online, and a damage-limitation exercise began. Consequently, officials discovered that messages and data that should have been preserved were lost – in part because Mr Johnson had used unofficial, consumer-grade messaging apps for work.
Later, an investigation by the Information Commissioner’s Office (ICO) found that inappropriate use of instant messaging apps, including WhatsApp, had compromised the transparency, confidentiality and security of government data during the COVID-19 pandemic, and called for better regulation.
It’s easy to see why Boris and others fell into using WhatsApp for work. It’s free, you probably use it daily, you can easily create chat groups and most of your contacts will have it installed. But with this convenience and accessibility comes the other edge of the sword – some pretty serious risks.
Consumer messaging apps are risky for business
Of course, Meta/Facebook (which owns WhatsApp) also sells a WhatsApp Business app and WhatsApp API, but these are designed for customer engagement and customer service, not internal comms.
While many people don’t recognise the dangers of using consumer messaging apps for internal comms, and do so without thinking, some organisations actively strategise their use or develop policies that endorse it. The UK government knew that messaging apps were being used within its departments, and had a policy that directed ministers and others to copy all messages sent via private accounts to a government archive. But, judging by the ICO’s investigation and a later legal challenge, that ‘management’ failed.
That provides an important warning for any organisation that uses such apps, knowingly or otherwise. Even if you have policy in place, by using consumer-grade messaging you are taking a major risk – and for absolutely no good reason. There are much better options available.
Financial and legal risks of using messaging apps
Boris Johnson et al. are not the only ones to fall foul of messaging apps. In the US, banking giant JP Morgan Chase was fined an eye-watering $200 million because its staff used WhatsApp and other messaging tools in ways that circumvented federal record-keeping laws. Yet, a survey conducted soon after that scandal found that just 14% of companies in the financial sector were actively monitoring the use of consumer messaging apps for work within their business. Thus, a staggering 86% of respondents were ignoring the problem, even though one of their peers had just been fined hundreds of millions of dollars.
Also astonishing is the recent news that some of the biggest names in banking now face similar fines for the same offences!
In financial services, there is clearly a widespread failure to respond to the problems caused by consumer messaging apps, a staggering lack of awareness, or both. And when we consider that finance is among the most regulated and audited sectors around, it seems logical to assume that the problem is at least as bad, if not worse, in other sectors.
Consumer messaging apps bring many risks
Traceability is not the only problem that arises when you use consumer messaging apps for internal comms. Here are some more:
- WhatsApp offers end-to-end encryption, but this alone is insufficient for business messaging. Remember, WhatsApp terms specify that it’s only for private use, and the buck stops with the employer if anything goes wrong.
- Consumer-level messaging apps are prime targets for cyber-criminals, who have a track record of developing malware and other nasties specifically for them.
- The use of groups is customary with messaging apps, and it’s incredibly difficult to monitor or control who is in a group at any given time. For example, if a staff member is leaving to work for your rival, you may put them on gardening leave, yet still feed them information via a messaging group. This can go on for days, weeks, months … even years.
- Once readers have downloaded messages onto their mobile device, your company has no way of deleting or modifying them.
- You may lose data due to the app’s auto deletion policies or device failure.
- If your data is on messaging apps, you may not be able to produce an audit trail when you need it: this could be catastrophic if you are audited or investigated.
- Consumer apps generally cannot be integrated with your wider business systems; this can reduce the quality of your business data and of any decisions based on it.
- Your organisation cannot block or restrict the sharing of messages when the apps are used informally (and often, even if the company permits them).
- You may find it impossible to enforce security measures, such as password or fingerprint protection for devices, especially if the WhatsApp account your staff use for work is also their personal account. This leaves you vulnerable to information theft, or prosecution for failure to protect your data.
- If staff use WhatsApp for work as well as in their personal lives, this may blur the lines between the two and cause stress. In one study I came across, of 1,000 UK workers, a crazy 73% said they are contacted by work during their annual leave. If an employer is accused of causing unnecessary stress or contacting a staff member too frequently or inappropriately, the use of a consumer-grade messaging app is unlikely to help their cause.
Ultimately, the employing organisation or business is almost always legally responsible for the information it holds – including internal and staffing data – and will be held liable if it is compromised.
Consumer-level messaging apps are simply not robust enough for work, because they leave gaps where an audit trail is needed and ‘hide’ information that could be useful if fed into company-wide systems. Consumer messaging apps simply aren’t compatible with an efficient organisation.
But what’s the alternative?
Business-specific messaging gives business-wide benefits
While there are clearly benefits associated with messaging apps (speed, convenience, ubiquity, affordability), the risks outweigh them, and there is no need for organisations to run the risks that consumer-grade messaging apps bring with them. There are plenty of communications platforms available that have been designed for business use, and many are tailored for specific sectors, use cases and devices. These are secure, GDPR/UK GDPR- and DPR-compliant, and can be integrated with existing software and systems. A tailor-made messaging platform offers far more value than messaging and video alone. A business-specific messaging solution not only reduces corporate risk, but, when its use is strategised and planned, it is also a great productivity investment.