WhatsApp is one of the most popular messaging apps in the world, with monthly active users reaching 2 billion.
Indeed, organizations targeting growth in overseas markets will find that WhatsApp is the most widely adopted messaging app in 180 countries, including all of Latin America and much of Europe, Africa, and Southeast Asia. WhatsApp Business, the brand’s dedicated app for business communication, now has more than 18 million downloads.
However, WhatsApp security risks pose challenges to enterprise risk teams regarding information security and compliance. The worst risks of using WhatsApp for business emerge when workers use the app unsanctioned because, when this happens, security and compliance teams have no visibility into risk exposure.
Case in point: the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) levied an almost-$2B fine against 16 Wall Street banks and financial institutions because they had been using WhatsApp and other “off-channel” services to communicate, violating recordkeeping policies.
Despite security and compliance challenges, as one of the world’s most popular instant messaging apps, WhatsApp is simply too big to ignore in certain markets. In Brazil, for example, 96% of smartphone owners use WhatsApp as their primary communications channel. In India, the average smartphone user spends 38 minutes every day on the app. These statistics drive companies to continue adopting WhatsApp for business communication.
The enormous reach of WhatsApp in the countries it dominates translates into serious economic impact. From cementing superior brand connections to interacting with customers through the platforms they’re already on, WhatsApp has become a critical tool in global engagement.
Ignoring WhatsApp for business communication can severely hamper your marketing and customer support teams. However, to ensure security and compliance, businesses must also find ways to deal with WhatsApp safety concerns. The dangers of WhatsApp, if not mitigated properly, can outweigh its benefits and bring severe consequences.
So how secure is WhatsApp? Generally, the platform applies end-to-end encryption to the messages users send. However, there are three main WhatsApp security issues and compliance concerns: a lack of visibility, of scalable analytics, and of archiving capabilities.
A lack of visibility into communications continues to be one of the key WhatsApp security issues for teams. Companies that lack visibility often allow their employees to use WhatsApp on an unmanaged device without endpoint protection.
What worsens this is the unpredictable nature of WhatsApp malware attacks. Sometimes other platforms are looped into a multi-vector attack, and sometimes they aren’t; sometimes phishing is required, and sometimes it isn’t. But WhatsApp is so ubiquitous that it’s easily looped into bad actors’ attempts to compromise targets with malware.
A key example: Lazarus Group, the infamous North Korean threat actor, recently leveraged WhatsApp to deliver malicious payloads to their victims. Lazarus frequently profiles and connects with enterprise employees on LinkedIn and lures them to WhatsApp, where they are hit with malware-laced messages and content.
No Scalable Analysis for Multi-Language Environments
While business operations may be global, risk teams often aren’t equipped with native speakers to translate suspicious messages in various languages. Phishing and social engineering attacks can come from anywhere and convince employees to give out sensitive data in exchange for something they think benefits them. This risk of data leakage is apparent in various communication and social media platforms today. Cases in point:
Email, chat, and social media scams have increased eight-fold since the Russia-Ukraine war began. Various scammers, mostly Russian threat actors speaking their native tongue, have capitalized on the chaos through phishing scams like the “Help, help, I’m stuck here” scam – where scammers use photos or videos of your loved ones and trick you into thinking they’re stuck in Ukraine or Russia and need money to get out – or donation scams that say, “We need your support now more than ever,” but are actually wired to the threat actors’ own bank accounts.
In November 2022, a threat actor claimed they were selling a database of 487 million WhatsApp user mobile numbers. These included contacts from various countries like Egypt, France, Italy, Saudi Arabia, Turkey, and more. Although the scammer himself was not using the numbers, other threat actors could buy the database and perform phishing attacks on the contacts across a range of locations and languages.
Brazil saw a 124% increase in coronavirus-related phishing scams during the height of the pandemic. According to reports, many cybercriminals were sending convincing messages to steal personal data from WhatsApp users, either to use in other attacks or to make victims download other apps so that attackers get paid by affiliation programs. These attacks were executed in Portuguese and would evade scanning technologies limited to English.
No Archiving Capability
One of the most serious risks of using WhatsApp for business is the lack of archiving capabilities. Many industries have strict regulations on how companies communicate with customers and individuals. Record keeping must capture all content in native format and for all communications, not just detected risks. For certain enterprises, data archives are vital for investigation and audit purposes. Without communication archiving, businesses suffer compliance exposure and data retention violations. A good example is pharmaceuticals.
To take an example from our client portfolio: A Global100 Pharmaceutical Leader’s large Brazilian field force generated over 100,000 WhatsApp messages monthly. However, the pharmaceutical industry has strict guidelines around how reps can and cannot discuss adverse events, off-label usage, and other topics. Until they implemented the right protection, the company couldn’t ensure their WhatsApp communications were compliant. Manual review would never be able to keep up. A handful of troublesome messages amongst 100,000 could present a serious potential risk.
There are many other industries where the content of WhatsApp communications risks breaching compliance laws: healthcare, finance, government, energy, and more. Without the right tools, security teams cannot guarantee compliance or confirm that regulatory risks aren’t appearing in WhatsApp correspondence.
In a word, no. Risk teams need absolute visibility into their communications, and that requires a way to centralize data for threat monitoring and governance requirements.
The problem with WhatsApp and similar instant messaging platforms is this: In-app security and privacy settings might give users some control over how safe their data is, but the truth is that platform settings are designed to protect the platform owner, not end users’ business data.
Does this mean you should stop using mainstream instant messaging apps in your company? Fortunately, no. Doing so could cut you off from many customers, particularly in the case of companies using WhatsApp for business communication across broader international markets. However, WhatsApp security risks open companies to possible data breaches, and this can have an even greater impact on your bottom line.
The challenge lies in establishing a way to use these technologies safely. Instant messaging apps like WhatsApp lie beyond normal perimeter security, which means the security of WhatsApp messages and the data it handles typically isn’t overseen by your own security protocols. Because of this, businesses need a way to analyze data before it ends up being transmitted through such apps.
Extending security to your instant messaging channels provides multiple business benefits. It also encourages the responsible use of apps that could otherwise end up causing more harm than good.
To ensure extended security across the enterprise, companies need an AI-powered solution with total oversight, contextual analysis capabilities, and Natural Language Understanding (NLU). These capabilities will empower businesses to understand risks from the intent and context, not just within WhatsApp but other communication channels.
With the right technology on your side, there’s no reason you can’t retain full control over your corporate data, even if you are using platforms that might otherwise present instant messaging security issues and serious privacy concerns.
SafeGuard Cyber provides security and compliance solutions for WhatsApp so that businesses can use these leading technologies to drive growth. Request your demo today to find out how it works.