The perils of using consumer messaging apps for business
Former Trump campaign manager Paul Manafort thought his encrypted WhatsApp messages were safe from FBI investigators, forgetting they could be retrieved from each recipient. Moreover, Mr Manafort’s WhatsApp was configured to automatically back up to iCloud. Deleting messages on a single device did not destroy them entirely, as Mr Manafort discovered.
A recent survey suggested that 32% of organisations use consumer apps for commercial communications. The advent of GDPR coupled with the increasing prevalence of ‘Bring Your Own Device’ (‘BYOD’) in the workplace means that organisations would be well advised to lock down what, how and to whom commercial information can be shared – particularly sensitive personal information.
An Egress Data Privacy Survey of 1,000+ corporate IT professionals found 64% of organisations share sensitive data externally without encryption, despite GDPR legislation recommending encryption at least four times. Can you answer the following questions about your own organisation?
- Is any commercial information stored locally on a mobile device which could be retrieved from a lost/stolen handset?
- Does each user have appropriate security measures on their device to remotely lock or wipe a lost/stolen handset?
- Have you set a policy defining what platforms are deemed suitable for commercial communications – if for no other reason than a record can be kept of what data was sent, when and by whom?
- Do your staff use messaging apps such as WhatsApp, Instagram, Facebook Messenger, Signal, Telegram, Dust etc for business purposes? (Facebook Messenger, WhatsApp and Instagram are all Facebook-owned and set to merge in the future).
High-risk professions are increasingly using Mobile Device Management (‘MDM’) software to enforce security protocols such as preventing the installation of certain apps or disabling the ‘copy-paste’ facility. If all else fails, employers can lock, track and wipe errant devices. A comparison of MDM packages can be found here.
If you have concerns about mobile device security please contact Steven Godfrey.
The information contained in this article is for discussion purposes only. Auditel does not offer regulatory or legal advice and qualified professional guidance should be sought where appropriate.