All your employees know WhatsApp, most of them use it… and that may be precisely your biggest problem when considering its use at a corporate level.

In our first study on Unified Communications and Collaboration in LATAM, presented a few months ago, we were able to verify that the use of WhatsApp among workers of large companies is widespread, even in companies that offer their workers similar solutions for corporate use.

Other news, from institutions that should be especially sensitive in matters related to the security of their communications, such as the confirmation by the Spanish army of the official use of WhatsApp, contributes to fueling a false sense of security, around the corporate use of this tool. In fact, the Government of Spain has maintained conflicting policies over time regarding the use of the Meta app. Already in 2016 the Civil Guard advised against its members the use of this tool. Although it is true that in the years that separate both news, some important measures have been taken to improve the privacy of WhatsApp, the reality is that it is difficult to guarantee the confidentiality of the information transmitted by this channel, which leads us to to think that the Minister of Defense herself, enters into a contradiction when making the following recommendation:

“you can use the Facebook application to send information to WhatsApp groups as long as it is based on “voluntariness, not transmitting sensitive information and transmitting messages to inform, coordinate and anticipate actions”.

In the first place, it is to imagine thinking that in the communications related to actions of an army, there is no sensitive information. On the other hand, if its use is voluntary, and even, as claimed by ATME, it cannot be verified if the message is received or if the person who answers is the interested party, it is not conceivable that such coordination exists either.

The argument in favor is easy to understand and even empathize with, although its effectiveness is overestimated by not taking its limitations into account:

“…from the department headed by Margarita Robles, they point out that “the usefulness of this means of communication”, nor the “regularity” of its use, which “results in the speed of communication and the efficiency of the service”.

Bearing in mind that Meta also imposes a very “Americanized” framework of collaboration with “law enforcement”, this permissibility is even more striking.

In this post, I will try to shed some light on this issue, so that whatever you decide, at least do it in an informed way and with a broad perspective on the matter:

53% of frontline workers use messaging apps like WhatsApp and Facebook Messenger up to six times a day for work-related reasons, but 68% of them said they would stop if they were given communication tools internal communication approved”. [Google 2019]

Before proceeding, it is worth clarifying this point. We are always talking about the conventional version of WhatsApp, since the Business version is, as we have seen in previous posts, oriented to B2C communications.

Although the possibility of using a different phone number than the mainstream app might seem like a determining factor, it would not make sense to consider using W.B. since there is a cost associated with the exchange and reception of messages, limitations on the volume of messages exchanged, the obligation to start conversations with template messages, etc.

The use of WhatsApp for corporate communications could be framed within a supposed BYOD strategy, but it is questionable whether allowing the indiscriminate use of a tool, without control of policies, backup copies, access control… can be considered an IT strategy . In many cases, it is a permissive attitude, based on tacit consent (for example, “the boss also uses it”), and which leaves this tool out of the scope of normal computer security activities.

A private user receives about 27 messages per day via WhatsApp, the noise level can be considerable if We share personal and professional channel.

It is a fact that we have become accustomed to living with a certain level of FOMO, but it does not seem that combining the Personal and corporate channels can help reduce stress by constantly receiving notifications on our devices. In fact, this combination is incompatible with the popular right to disconnection digital, which has led so many debates throughout Europe.

In any case, logic invites us to think that the most suitable for effective communications is to avoid channels saturated with high levels of noise. A recommendation that will surely have an impact on improving the productivity of more focused workers.

Every time we get distracted, check social media or check email, our brain needs 23 minutes and 15 seconds to refocus. [+]

A basic activity of an instant messaging service is the ability to send files between the parties involved. These files can be of a different nature (videos, .pdfs, images…), but in any case, in a context of business use, these files are part of the company’s assets and may contain sensitive information that must be protected, indexed and stored correctly.

E2EE encryption offers certain guarantees between the interception of data while it travels from one point to another, since it is encrypted with a unique key… but, and it is not a small but, it cannot protect us against unauthorized access to the destination or source device of the message. In other words, if I can access your mobile or its backup copy, I can see your messages, or even if you leave a WhatsApp Web session started in a browser (remember that it can last open for up to 14 days) I could access a good part of your last messages without you noticing any irregularity.

In addition, the weakness is double, since the sent file happens to exist at two points, instead of being accessible from a central system, with its access log. Sending a file via Whatsapp is cloning it, and consequently losing control over the copy. Even if we forget about security, the loss of control over the changes made is already a relevant disorder in itself.

The use of WhatsApp transfers part of the complexity of communication management to device management.

Since all the information is stored locally, it is necessary to manage each device separately to audit the type of information that is being saved and to protocolize the way to delete or archive it.

WhatsApp backups are potentially vulnerabilities, which can expose information that the user considered deleted from their device.

There are some solutions on the market that try to alleviate these deficiencies in terms of compliance, installing software that is responsible for creating the corresponding file, or even allowing a second application with a different numbering for corporate use. This allows to centralize some level of control, but it seems really limited.

Possibly, this is the easiest point to comment on, since it simply does not exist, and this means giving up day-to-day capabilities such as: transferring a call to another colleague, leaving a call on hold, calling a landline, using the routing criteria of your PBX, have some metrics on the status of the service and its level of use, etc.

Lastly, in highly regulated sectors, such as the financial sector, the use of this tool entails enormous risks in terms of legal compliance. A topic that we will address in depth in future posts.