Around 2 billion of us use WhatsApp. It’s a cost-effective and convenient way to keep in touch with family and 
friends, to organise events and share videos. However, it’s very risky to use WhatsApp (or any consumer-grade messaging app) for internal comms at work – but that doesn’t stop lots of people doing it anyway. In this article, I’ll explain the five key risks that messaging apps bring to the workplace, and why you should be looking at the (many) alternatives instead.
It’s not unusual to find colleagues using the standard version of WhatsApp to share work-related information, and it’s easy to understand why. WhatsApp is very convenient, and most of your contacts probably use it. However, a quick look at the app’s terms of service show that Facebook/Meta does not permit ‘non-personal use’, while its privacy policy for Europe passes a fair volume of liability onto the user, and includes data-sharing policies that organisations will be uncomfortable with. In other words, it’s pretty clear that the world’s most popular app is not intended for business use.
Of course, Meta also sells WhatsApp Business app and WhatsApp API, but these are designed for customer engagement and customer service, not internal comms.
And while you may say, ‘I can see that Meta is avoiding liability, but surely messaging apps are fine for work use, really?,’ I am here to tell you that no, they’re not. Let me present the five key risks involved.
1. Consumer messaging apps (like WhatsApp) are very insecure
Messaging apps are insecure in two ways. The first is that, even with end-to-end encryption (which WhatsApp offers), you cannot guarantee the security of your data. The second is that, whenever your information is sent via private message and read, it is downloaded onto somebody’s mobile device – and at that point, you lose control. The recipient can share, forward, manipulate or tamper with your data, and you cannot stop them.
What’s more, consumer apps often allow group messaging. It’s incredibly hard to know who is in a messaging group at any given time, and almost impossible to police. Your data could be shared with a disgruntled ex-employee, or the former staff member who now works for a rival. This can go on for months, even years. And, because it’s relatively unusual for groups to stick purely to the topic they’re concerned with, the ‘innocuous’ WhatsApp group set up to swap shifts or arrange rotas likely contains the odd snippet of gossip or commercial information, too.
2. Cyber-criminals target messaging apps
The popularity of messaging apps makes them a perfect target for cyber-criminals, who are constantly developing new ways to attack, and their use for work is now expanding the criminals’ horizons and letting them focus on harming businesses as well as individuals.
This weakness is shared among the consumer-grade messaging apps; although WhatsApp is the most frequently targeted (because it is the market leader), the other consumer-focused messaging apps are being hacked as well. There is no way to use these apps and avoid the risk of cybercrime, and any consequent liability.
3. You will lose corporate data
Just ask Boris Johnson. In 2021 the former prime minister’s phone number was released online, and a clean-up operation began. Unfortunately, Mr Johnson had used consumer messaging apps for work, and those messages were lost. Clearly, the official policy – that messages sent privately should be copied to a government archive – had failed.
If your organisation has a similar attitude, i.e. acceptance that messages are sent through non-official channels but policy stating they should be formally recorded, how certain can you be that all of your data is on record?
WhatsApp also generates the risk of data loss through account deletion. Inactive accounts are deleted after 120 days without alerting the user, meaning your organisation could lose data and know nothing of it – until it’s too late.
4. You may face legal, regulatory and/or financial sanctions
When the Information Commissioner’s Office (ICO) investigated internal government communications during the Covid-19 pandemic, it found multiple risks arising from use of consumer messaging apps, including WhatsApp. The ICO found that this had compromised data transparency, confidentiality and security, and called for greater regulation.
In the US, the use of WhatsApp and other tools in ways that circumvented federal record-keeping laws led to fines of $200 million for bankers JP Morgan Chase. Despite this, a survey conducted soon after revealed that a mere 14% of companies in the financial sector were actively monitoring the use of consumer messaging apps for work.
As if to underline the failure to understand the risks, some of the biggest names in banking now face similar fines for exactly the same offences!12
5. You may fail in your duty of care
Organisations have a duty to protect their stakeholders, clients, partners and employees by using only secure devices and platforms.
Consumer-grade messaging apps are not compatible with that, and that incompatibility is not just about data management.
For example, the use of messaging apps for both work-related and personal communications blurs the boundaries between work and personal time. In one study, of 1,000 UK workers, a crazy 73% said they are contacted by work during their annual leave. That risk of liability (for causing workplace stress, etc.) could be removed by using a centrally managed messaging system.
What is the solution?
There is no need for organisations to be running the risks that WhatsApp and other consumer-grade messaging apps bring with them; there are plenty of communications platforms available that have been designed for business use, and many are tailored for specific sectors, use cases and devices. These are secure, GDPR/UK GDPR- and DPR-compliant and can be integrated with your existing software and systems. A tailor-made messaging platform offers more than just messaging and video – it reduces risk, and is a great productivity investment.
