The corporate IT landscape has materially changed this year, with employees suddenly working from home and pushing IT departments to stretch enterprise-grade security to cope. This is achievable when we're talking Office 365, Zoom, Teams and Meet: these are centrally managed enterprise applications, after all. But 2020 has also seen huge growth in the use of consumer messengers between employees, the same platforms they use for personal communications. And that is a major security risk.
Top of the pile when it comes to consumer messengers now being used in the workplace is WhatsApp. Credit where it's due: employees know it's end-to-end encrypted, that "security is in its DNA," and so they assume they're doing the right thing to keep enterprise information safe. Except that's not the case, of course. The risk from employees shifting from enterprise to consumer platforms is huge. Think of all that sensitive data outside the fence: no audit trail, no corporate backups, no enterprise security controls.
WhatsApp wins out on its user base alone. You can be fairly sure your colleagues, suppliers and customers will have it on their phones. But, ironically, when it comes to workplace tools, that user base of 2 billion and counting aside, WhatsApp is missing some fairly fundamental features: no multi-device access, no fully secured backups, no mandatory 2FA, images saved to the device by default, and little protection for metadata.
“WhatsApp is designed for consumer use,” warns Joel Wallenstrom, CEO of rival messenger Wickr, “and like other consumer products, security takes a back seat to fun. Despite this, its use has proliferated across all industries, including the U.S. military, because it was first to market and heavily promoted by Facebook—the most persuasive influencing machine in history.” Wickr is a messenger to watch. Think Signal for the enterprise. It has the same security-first approach, but despite having a consumer app called Wickr Me, it's really designed for companies, not individuals. Like Signal, Wickr has now secured several million installs and is growing fast.
Putting aside Wickr Me, there are three enterprise-grade Wickr options. The default is a hosted SaaS messaging platform called AWS Wickr; then there is the unusual option for an enterprise to bring the messaging infrastructure in house and self-host, dubbed Wickr Enterprise; and finally there is Wickr RAM, built around the needs of the U.S. government. This is messaging for special ops and intel.
“Being a security first company is important,” Wallenstrom tells me. “We publish how to defeat our product and the steps we’ve taken to harden against these processes. We then have third parties test our implementation and publish the reports. This keeps us from making product decisions like the MP4 video file vulnerability in WhatsApp—a buffer overflow introduced because it made WhatsApp more fun and stickier. This is the difference between a security company like Wickr and a monetization machine like Facebook… The risks of a company trusting the likes of Facebook or Zoom with protecting critical IP or a warfighting unit from harm are simply too great.”
The first time I came across Wickr, some years ago now, was because it was the only off-the-shelf messenger accredited by an intel agency my company was working with. Wickr RAM has brought this differentiation into a product designed for government use: an open protocol, FedRAMP-approved data hosting, FIPS 140-2 compliance and mission data retention.
“Wickr is absolutely secure enough for the intelligence community,” Wallenstrom says, “and is currently sanctioned for use in special operations units and across the DoD, particularly in the warfighter community. Wickr RAM has been vetted and validated by the NSA as the only tool with full functionality to meet all security criteria… This is where it has unique capabilities that WhatsApp, Facebook, Signal and Telegram will never provide.”
But, despite this, WhatsApp is used extensively by military personnel. “The use of WhatsApp violates the strict compliance requirements across most government agencies like the DoD,” Wallenstrom says. “Consumer products like WhatsApp have no interest in adhering to the compliance rules that govern a large organization. When members of the military, or anyone in the national security apparatus, use WhatsApp they increase the probability of critical information being exploited by bad actors. This is why DoD leadership is making a concerted effort to move troops away from WhatsApp and onto Wickr RAM—a product purpose-built for military-grade, secure end-to-end communications.”
Defense and intel users are one thing, but these same risks have now materially escalated within enterprises. “The unsanctioned use of consumer-grade messaging apps like WhatsApp in corporate settings has created incredibly challenging shadow IT problems for organizations of all sizes,” Wallenstrom says. “CISOs know the risk of employees conducting sensitive business on systems where the service provider is both listening and responsible for security. We have encountered multi-national organizations with sales operations relying on WhatsApp, despite a policy that specifically prohibits it.”
The challenge for Wickr, though, is that it is an enterprise platform, and users view communication on enterprise platforms as different from "private" alternatives. The lightweight chatter between staff on WhatsApp is rarely replicated on email, Slack or Teams. The question is whether this inhibits team building in our new, fragmented working environment, or whether it better protects individuals from overbearing colleagues who break corporate rules, or worse. “The trick is to ensure total transparency to the end user,” Wallenstrom tells me. “Most employees understand that there are times when their work needs to be recorded.”
Although Wallenstrom is disparaging about WhatsApp, he is complimentary about Apple and its iMessage platform. “Apple does some very cool things and I’m constantly tracking all the patents they file around homomorphic encryption,” he says. “But they build things that work within their walled garden.” The issue, of course, is that iMessage fits within the iOS versus Android macro battle for users, “there is no interest in extending security or privacy promises to other platforms,” which pushes users toward "over the top" messengers like WhatsApp.
Wallenstrom also acknowledges Google’s long-awaited move to add end-to-end encryption to Android Messages. “I’m both optimistic and wary… I think it’s safe to say that there is very little appetite at Google to restrict their access to user data. But given the political climate, they might give the currently emasculated privacy team some ability to turn off the money spigot and protect end user data from Google.”
But it’s WhatsApp that both Wickr and Signal need to chase, whether for individuals or the companies whose employees turn to that platform first. “Consumer products like WhatsApp,” Wallenstrom warns, “have no interest in adhering to the compliance rules that govern a large organization.” As for individuals, “if you are a consumer who wants to take privacy more seriously, then try to avoid using products from companies who are monetizing end user data, like Google or Facebook. We built Wickr Me for users who prefer not to expose personal information like phone numbers.”
Wallenstrom also sounds an unsurprising warning over the encryption debate now raging in the U.S. and elsewhere. “We cannot understate the danger of lawmakers around the globe pushing legislation that would require technology companies to build so-called ‘backdoors’ into their software. The impact of this would have a devastating impact on all facets of society, particularly on federal agencies that rely on the integrity of E2EE to carry out high-stakes missions and ensure that their units return safely. Breaking E2EE would also come with tremendous risks to global businesses, jeopardizing the lifelines of modern society—critical innovations in industry, global commerce and financial transactions, to name a few.”
Most of us now use WhatsApp at work; it has brought an immediacy and ease of communication that staid enterprise applications, email included, have not. But the fact that this is (for now) a Facebook-owned platform existing entirely outside the enterprise is a major risk for employers and their data, and unless and until a platform can genuinely balance employer security with employee usability, this won't be fixed. There are new platforms that do let enterprises allow employees to use WhatsApp within a secure and compliant framework, but they are still rarities.
So, yes, you probably should stop using WhatsApp at work, but you won't. You should give some thought to what you're sharing and with whom, though, remembering that WhatsApp is a Facebook-owned consumer product, not an enterprise application, and that all the data and attachments you have sent now sit outside the corporate ecosystem: on other people's personal devices, in their cloud backups, and with anyone they may have forwarded those messages to without you realizing.