The app trap: Why consumer messaging apps raise business data security fears

Consumer apps such as WhatsApp are widely used by businesses as a free and easy method of mobile communication, but they have a downside – they aren’t fully secure and they aren’t GDPR compliant when used in the workplace.

In July 2018 WhatsApp was named by mobile device security company Appthority as one of the apps most often blacklisted by businesses. The reasons companies gave for avoiding a range of different apps included concerns around information security, particularly where contacts, location and other sensitive data could be accessed. Facebook Messenger was also high on the list.

These issues aren’t new. WhatsApp, for example, was never built for business. It has been widely adopted by companies because its user-friendly services – including instant messaging, voice calls and group chats – help senior managers, fieldworkers and everyone in between stay productive on the move. But for the reasons highlighted by Appthority, businesses are starting to turn against it.

German automotive company Continental AG banned WhatsApp and Snapchat from an estimated 36,000 company devices in June 2018 after information security concerns were repeatedly raised in the courts and by data protection authorities.

Continental’s main concern was that the apps access the sender’s address book without the permission of those listed. Once those contacts are in the hands of WhatsApp (now owned by Facebook) you can’t fully control who they will be shared with or, in the future, sold to.

Inadvertently surrendering control of data is, of course, completely at odds with data protection principles. Look at it this way: how could you correct or delete data, or stop it being used for marketing purposes, if you don’t know where it’s gone, have no control over it and aren’t authorised to get it back?

Continental’s solution was to switch to ‘more secure alternatives’. Given the potential for large fines and loss of reputation (under GDPR rules businesses have just 72 hours to report misuse of data to the Information Commissioner’s Office), more businesses are likely to follow suit. So, what can businesses do to ensure they aren’t compromised by their use of consumer-grade apps?

One option would be to follow Continental’s lead and find alternatives that protect data and fully secure those sensitive corporate conversations between the chief executive and chief finance officer about mergers and acquisitions, intellectual property, financial transactions or that worrying hole in the budget!

When selecting an app, think about how it could help you comply with GDPR. For example, you might want to choose applications that won’t ever sell your data, that are safe even over untrusted WiFi, that fully secure your metadata (such as contact list, location and caller identity) or enable messages to be ‘burnt’ after reading. Apps verified by third parties, such as the National Cyber Security Centre, give an additional layer of assurance.

Where staff use their own phones for work (this is known as BYOD – Bring Your Own Device), it is possible to manage those devices using what is known as a mobile device management (MDM) platform. These services create a separate, safe and controlled zone for business contacts and communications, free from unauthorised apps. When a staff member leaves the organisation, the entire business section can be remotely wiped. Additional advice on securing information held on BYODs is available from the Information Commissioner’s Office.

However, a technical approach will only take you so far. Embedding best practice is about raising awareness through effective communication so that everyone in your organisation understands the importance of information security and supports any technical and policy upgrades. Data protection training and guidance from cyber security professionals are other potential options.

Chief executives are ultimately responsible for protecting the data held by their organisation. Mobile-friendly, free products such as WhatsApp are legitimate, convenient and can boost productivity, but some aren’t fully secure or GDPR compliant when used in enterprises. It’s convenience at a price that more and more companies aren’t willing to pay.

By Peter Matthews, CEO, Metro Communications