While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and it’s easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now many employees are working remotely. 

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, the two companies announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share their personal information such as names, profile pictures, status updates, phone numbers, contact lists and IP addresses, as well as data about their mobile device, with Facebook and its wider group of companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside of Facebook’s European Region (including the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.

Since the privacy policy changes were announced, WhatsApp has said that it will not be sharing personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward next month, even if you agree to the new policy. For all other users, though, there is no opt-out.

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, they opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform. WhatsApp also stated that the change would not impact “how people communicate with friends or family” on the platform. The company further specified in a blog post that it would continue to provide end-to-end encryption for private messages, and that it did not keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for your permission for the app to access your contacts. It requests that you ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience’. Agreeing to this means that all your phone contacts are accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to access their personal data, which could be a potential breach of GDPR.

WhatsApp has been clear that it is for personal use. Users must agree to these terms and conditions before they can access the service and before WhatsApp can access the users’ contacts. Therefore, the responsibility for GDPR lies with the user, not the app.

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp’s liability under GDPR, because it has given the user all the responsibility for seeking the permission of their contacts.

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security due to its end-to-end encryption, there have been plenty of reported hacks and flaws.

Just last October, security researchers revealed that links to thousands of WhatsApp group chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. The group’s title, image, description and owner’s phone number were all readily accessible; you didn’t even need to join the group.

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then, there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself, there would need to be an IT policy that names WhatsApp as an acceptable communication channel for business purposes. However, such a policy would itself be in breach of WhatsApp’s acceptable usage policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so the employee has no expectation of privacy.

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container installed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given the device is owned by the employee and used predominantly for personal use, it is doubtful whether a forced surrender and access could be seen as legally proportionate.

If there’s no BYOD policy in place, access is near impossible. As a personal device, the employee would have much higher expectations of privacy, and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try to obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to the app’s business usage. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake, accidentally share their live location, or information could get lost between multiple group chats.

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  

What is a Chief Information Officer?

A Chief Information Officer (CIO) is usually the most senior member of a company’s IT team. The CIO handles the corporate IT strategy and determines areas for improvement in IT systems and processes.

Whilst in most cases the CIO reports to the Chief Executive Officer (CEO), it’s also common for a CIO to report to the Chief Finance Officer (CFO) or Chief Operating Officer (COO) instead.

The title of CIO is often interchanged with ‘IT Director’. Unfortunately, IT Director is also the name of a separate role. If a company has both a CIO and IT Director, the IT Director likely focuses on the day-to-day IT operations and reports to the CIO, who focuses on the long-term strategy and major IT projects.

What does a Chief Information Officer do?

1. Evaluates new technology

A CIO’s main responsibility is to be aware of emerging technologies and to determine how (or if) they can be of benefit to the business. For example, a CIO might look at how to utilise AI, blockchain or the Internet of Things (IoT), looking for a possible competitive advantage and/or financial benefit it could deliver for the business.

A good CIO can see past the hype of new technologies and takes a level-headed approach when determining a business case. This makes an understanding of business, as well as technical IT knowledge, necessary.

2. Manages the IT strategy

The CIO is also responsible for the creation of a business’s IT strategy. This includes infrastructure refreshes, upgrades to hardware and integrating new systems into the business’ operations. The mark of a good CIO in this area is their ability to align the IT strategy with the wider business strategy.

Thanks to being in regular contact with the CEO, the CIO will be able to communicate the needs of the IT department to the C-suite and the needs of the wider business back to the IT teams. This enables both the business and IT strategy to work in unison, rather than against each other.

3. Oversees IT projects

When the business is undertaking a major IT project, it’s usually the CIO who manages the implementation strategy. They’re also often the one who signs off the decided solution and who is accountable for the actual implementation.

For example, if the project was selecting a new line-of-business application, the CIO’s knowledge and experience of technology, operations and commercial matters are important to get the right business-enhancing solution.

How can I get a CIO?

The process of hiring a CIO can be a daunting prospect for any business, but it’s especially difficult for a growing business. Since a full-time CIO’s salary ranges from £70,000 to over £240,000, procuring the funds, or providing the right environment to attract and keep a candidate with the required knowledge of both IT and business plus several proven years of experience in similar sectors, can be challenging.

The advantages of an outsourced CIO

For businesses in this situation, an alternative is to outsource the CIO function. This approach has a few notable advantages over hiring an in-house CIO.

There are some disadvantages to consider, such as only having part-time availability. But, since the CIO role is strategic, they’re not typically required at the drop of a hat. So it’s unlikely to have a significant impact.

For a growing business, the benefits of outsourcing the CIO function far outweigh the negatives. It’s an effective way of gaining an expert to assist with the IT side of the business, without the traditional costs and HR headaches.

Patches are the name for software changes which are designed to update, fix or improve that software’s functionality. Patches are deployed for various reasons including fixing security vulnerabilities and bugs, improving the user experience or increasing performance.

What is patch management?

Patch management is an automatic update process for every node on the corporate network. This includes endpoints in physically inaccessible locations such as remote laptops and mobile devices.

Deploying patch management means that staff will not need to manually check for and deploy software patches, which would typically be an exhausting, time-consuming task – except for the very smallest of businesses.

How does patch management work?

There are different methods of patch deployment, and they vary depending on the infrastructure design of each company’s information system.

Most companies with large infrastructures implement automated patch management systems which reduce the manpower requirements of manual implementation. Other companies will outsource this function to a trusted third party. Often, if your IT support is fully outsourced, patch management will be included as part of this service.

An automated patch management system requires the installation of a client agent. This enables network administrators to manage patch distribution from a centralised interface. They can configure the settings for patch distribution, generate reports on the status of patches and set distribution at different levels to cover different applications and devices.

Why is patch management important?

New vulnerabilities are discovered every day and unpatched systems are one of the easier attack vectors for cyber-criminals to take advantage of. Companies continually release new patches as vulnerabilities are uncovered by researchers and hackers and if your business does not apply these updates then cyber-criminals have an easy entry point into your network.

Furthermore, patch management also ensures that your enterprise technology continues to function as it should. Software bugs, even minor ones, can cause headaches and impact employee productivity so automatic patching ensures that these problems can be resolved as soon as possible.

What are the benefits of patch management?

Patch management ensures that all pieces of software – even those which are rarely used – remain up to date, ensuring that they don’t introduce major security holes within your business.

Automatically deploying updates also frees up a vast amount of time, allowing staff to focus on more productive areas of the business. Rather than checking through update lists, they can work on getting the most business benefit from the IT systems or looking into ways to further modernise the systems through digital transformation. Furthermore, if you have staff working remotely or from mobile devices, patch management ensures that these devices remain up to date regardless of location.

What are the consequences of not deploying patch management?

An average of 50 new major vulnerabilities are discovered each day, the majority of which are addressed in patches. While patch management is not a cast-iron guarantee against every potential vulnerability out there (or which may arise in the future), it is a preventative measure to protect the integrity and security of your network infrastructure and information systems.

However, it’s clear that many are still not implementing security patches. This can be seen by the fact that one of the most popular vulnerabilities to exploit is a remote code execution in the Windows common controls, known as CVE-2010-2568, an exploit which was patched in 2012.

If a vulnerability does arise, having a solid patch management system in place means that the network is being constantly monitored. This is especially important when it comes to preventing a “Zero-Day Attack”, an exploit that can be used while the patch to repair the flaw is still being produced.

How can you ensure your patch management is effective?

While automatic updates are beneficial, the best patch management strategy is one which balances automatic and manual updates.

Automatic updates are not a cure-all and can sometimes cause problems without proper vetting. Microsoft, in particular, has a track record of having to roll out patches to fix the bugs introduced in their patches.

The most effective way to manage patches will vary between each organisation, but there are a few key factors which apply to all:

  1. Critical security fixes should be applied as soon as possible.
  2. For all other patches, consider how often the software is used and how business-critical it is to decide how urgent the patching is.
  3. Where possible, ensure that patches are installed outside of working hours to minimise disruption to business workflows.
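As an added illustration of the three factors above (this is example code written for this page, not a product or tool the article describes), the following Python script turns them into a simple, auditable prioritisation rule: critical security fixes are scheduled immediately, everything else is ranked by severity, how often the software is used and whether it is business-critical, and non-urgent patches are pushed to the next window outside working hours. The patch list, the weights and the 09:00 to 17:00 working day are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Assumed working day (Mon-Fri, 09:00-17:00 local time); adjust to your own policy.
WORK_START_HOUR = 9
WORK_END_HOUR = 17

# Hypothetical weights: higher means more urgent. These are illustrative, not a standard.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
USAGE_WEIGHT = {"daily": 3, "weekly": 2, "rare": 1}
IMMEDIATE = 100  # sentinel score for "apply as soon as possible"


@dataclass(frozen=True)
class Patch:
    name: str
    is_security: bool
    severity: str            # "critical", "high", "medium" or "low"
    usage: str               # how often the software is used: "daily", "weekly" or "rare"
    business_critical: bool  # does the business stop if this software breaks?


def urgency(patch: Patch) -> int:
    """Factor 1: critical security fixes always win. Factor 2: otherwise weigh
    severity against how heavily used and how business-critical the software is."""
    if patch.is_security and patch.severity == "critical":
        return IMMEDIATE
    score = SEVERITY_WEIGHT.get(patch.severity, 1) * USAGE_WEIGHT.get(patch.usage, 1)
    if patch.business_critical:
        score *= 2
    return score


def next_off_hours_window(now: datetime) -> datetime:
    """Factor 3: return the earliest time at or after `now` that falls outside
    working hours (weekends and anything before 09:00 or from 17:00 onwards)."""
    if now.weekday() >= 5:  # Saturday or Sunday: already outside working hours
        return now
    if now.hour < WORK_START_HOUR or now.hour >= WORK_END_HOUR:
        return now
    return now.replace(hour=WORK_END_HOUR, minute=0, second=0, microsecond=0)


def schedule(patches: List[Patch], now: datetime) -> List[Tuple[str, int, datetime]]:
    """Return (patch name, urgency score, planned install time), most urgent first.
    sorted() is stable, so patches with equal scores keep their input order."""
    plan = []
    for patch in sorted(patches, key=urgency, reverse=True):
        score = urgency(patch)
        when = now if score == IMMEDIATE else next_off_hours_window(now)
        plan.append((patch.name, score, when))
    return plan


# Constructed sample inventory; names and values are made up for this example.
SAMPLE_PATCHES = [
    Patch("browser-security-fix", True, "critical", "daily", False),
    Patch("erp-hotfix", False, "high", "daily", True),
    Patch("legacy-tool-fix", True, "medium", "rare", False),
    Patch("reporting-addon-update", False, "low", "weekly", False),
]
# Assumed "now": a Wednesday morning during working hours.
SAMPLE_NOW = datetime(2021, 5, 12, 10, 30)


def demo() -> List[Tuple[str, int, datetime]]:
    return schedule(SAMPLE_PATCHES, SAMPLE_NOW)


if __name__ == "__main__":
    for name, score, when in demo():
        print(f"{score:>3}  {when:%a %H:%M}  {name}")
```

Running the script lists the critical browser fix first with an immediate install time, while the remaining patches are ordered by score and deferred to 17:00 the same day. In a real deployment the scores would drive which maintenance ring a patch enters, and the inventory would come from the patch management agent rather than a hard-coded list.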

The key concern for most businesses is the number of patches and the manpower required to deal with them. However, with patch management and new technologies, patches can be managed much more effectively.

Security as a service (SECaaS) is the outsourced management of business security to a third-party contractor. While a cyber-security subscription may seem odd, it’s not much different from paying for your anti-virus license. The difference is that SECaaS is the combination of a lot of security products wrapped up into one more central service.

The range of security services provided is vast and goes down to a granular level. Examples range from simple spam filtering for email, all the way through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems and cloud-based MFA systems.

The services are either delivered directly from the vendor where the reseller takes a commission or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.

Just a note here: you may have heard of SaaS (software as a service). This is different to SECaaS.

1. Is SECaaS dangerous?

Putting your security in the hands of another business may seem like a big risk. And if done incorrectly, it’s almost guaranteed to have a less than ideal outcome. But businesses have had success with SECaaS and there’s no reason you can’t either.

The most likely cause for an issue is choosing a supplier based solely on price. A business offering SECaaS that’s been around for a few years and has a range of clients but charges £50 per user per month is going to be very different from the business that offers “cloud-based security” for £10.99 per user per month.

Do not instantly go for the cheapest option when considering SECaaS.

Sure, you might be paying nearly 5 times as much. But if your SECaaS provider has the lowest price on the market, they’re skimping on something. And if there’s one thing you don’t want to skimp on, it’s your cyber-security.

2. What are the advantages of SECaaS?

Cost-saving

Despite what was just said about avoiding cost-cutting when it comes to cyber-security, one of the main draws of SECaaS is the long-term price savings it can bring. Because you don’t actually own the infrastructure, you don’t need to pay for its floorspace or for its upkeep (prices which can fluctuate based on external factors). Instead, you only pay a flat rate that is unlikely to change.

Fully managed

Your provider is the person keeping up to date with the changing threat environment, not you. That means that you can focus more on your own business goals instead of diverting time towards understanding the various threats out there and ensuring that your defences deal with them.

Greater expertise

A good SECaaS provider is going to consist of people who know everything there is to know about cyber-security and regularly keep up with trends and changes in that area. As a result, they’ll have a much greater range of expertise which you can utilise to keep your business safe. This also lets you keep your core employee focus on your own sector rather than branching out and getting a dedicated cyber-security expert.

Frees up time from repetitive tasks

Time-consuming admin tasks that need to be done can be performed by your SECaaS provider instead. This can be things like reading system logs or monitoring the overall network status.

3. What are the disadvantages of SECaaS?

Reliant on SECaaS provider acting

This is the main reason that you should be choosing a high-end SECaaS provider.

Because SECaaS providers are the holders of a lot of data, they (and as an extension, you) become lucrative targets for cyber-criminals. If they are breached then you are breached so ensuring they have made big investments into their security is paramount.

To make sure that your chosen provider is continually investing in their security, be sure to keep in regular contact with them. Ask questions about what they are doing to address the latest types of exploit or flaw and dig deep into the specifics of what type of security they have in place on their own systems. Is it minimal or is it high-grade and comprehensive?

Whilst in the decision stage, you should also be asking each provider exactly what kind of security they have in place and what their policy is around topics like staff training. If they can’t prove that they are taking their own security seriously, you can bet that they won’t be taking yours seriously either.

Increases vulnerability to large scale attacks

The uniform security measures SECaaS providers apply across multiple clients allow them to keep up a comprehensive level of security. But it also means that if a vulnerability is found affecting a business that uses the same SECaaS provider as you, then that same vulnerability can be used against your security.

Because one vulnerability opens up so many potential targets for a hacker, probing the security of the SECaaS provider is much more rewarding for cyber-criminals. This means they put in a more concerted effort towards breaching the SECaaS provider’s security, which can inadvertently make you a prime target for cyber-attacks.

Be aware though, as a business (even a 2-10 employee one) you’re already a prime target for cyber-attacks. If done properly, the perceived increased danger of choosing SECaaS can be made negligible. Especially when compared to the increased overall security you would receive from a high-quality SECaaS provider.

4. Why is SECaaS being offered more often?

Security providers are becoming aware that, with the rise of small businesses, there’s a growing market for security services that don’t need expensive internal employees or risky infrastructure investments.

Many growing businesses also don’t have the up-front funds to develop a hardware-heavy security system. Therefore, they find a monthly plan to be much more manageable for their finances. For example, implementation of two-factor authentication and disaster recovery may have cost £100K five years ago. But SECaaS can deliver the same project on a £1,000 budget with no CapEx.

Because of the flexible nature of SECaaS, many of the decisions can now be addressed head-on. There is no longer the same level of risk surrounding topics like setting up security infrastructure, and businesses can switch SECaaS providers more easily. This ‘de-risking’ of cyber-security has made the SECaaS market ideal for businesses who want to avoid making a bad decision.

Finally, with the rise of the cloud and increased internet speeds, services offered over the internet are now on a par with in-house solutions. This has meant that cyber-security offered as a service is now very feasible and genuinely useful.

Conclusion

So, you may now be asking yourself if you should consider SECaaS for your business. Unfortunately, there’s no comprehensive answer. If you want to improve your security without draining your budget, then it’s worth reviewing. But if you already have a fairly comprehensive security setup in place, it may be better to ensure that it actually is as comprehensive as you think it to be, and then just stick with what you have, upgrading and maintaining it as you already do. Alternatively, you could look into a UTM system for your business if you’re uncomfortable with SECaaS but want to make your security more comprehensive.