Messaging app WhatsApp has over a billion global users sending around 55 billion messages daily. It’s free, easy to use and has no advertising, so no wonder it’s so popular. Clearly, Facebook also saw the potential, paying $19 billion for the business back in 2014. But, are there security issues and can these huge numbers also mean there is a disaster waiting to happen?
Certainly, many risk managers will be aware that many more employees are using WhatsApp at work. It’s increasingly preferred to email, being more informal and snappier, since users are not locked into a cycle of replies and threads.
Although it has been reported that WhatsApp can be a security risk, the reality is encryption has been improved. Last February, it launched two-step verification and there has even been criticism from government that it is too difficult for the intelligence services to access, as they would want to for terrorist investigations.
But, the main concern for risk managers is less about hacking and more about careless talk. This was illustrated very clearly last March, when banker Christopher Niehaus was fined £37,198 by the Financial Conduct Authority for sharing confidential client data via WhatsApp with a friend – this was the regulator’s first action connected to a messaging app.
Niehaus was managing director at Jefferies investment banking firm and in 2016, he shared information in messages on numerous occasions about his business transactions.
This was confidential information and the friend in question was highly interested in the detail, as they were a competitor of the client being discussed. Niehaus provided facts such as the fee Jefferies would be charging and the nature of the deal. As can happen, the messages came to light and the regulator also noted that Niehaus adopted a boastful tone, saying he would be able to pay off his mortgage if the deal went through.
Although the FCA asserted Niehaus was not messaging for financial gain – it seems he was showing off – this foolish behaviour resulted in him being prosecuted under Principle 2 of the Code of Practice for Approved Persons for failing to act with due skill, care and diligence.
This may have been the first case of this nature, but it is unlikely to be the last – and one of the main reasons why careless messaging is such a difficult area to control is that people invariably have multiple devices with blurred lines between work and personal lives.
A number of financial institutions such as Goldman Sachs and Deutsche Bank have banned WhatsApp from work mobile devices, but they can’t stop their employees from communicating on those owned personally.
So, a ban is unlikely to succeed. There is also an argument that taking too draconian an approach can be counter-productive, making employees feel they are back at school. Encouraging them to act responsibly with all social media may be a better way forward, and some of the areas that employees should be reminded about include:
- Be aware messages can be leaked – caution should also be exercised with any content, whether it is potentially confidential or the intention is to be humorous – jokes can backfire.
- If confidentiality is breached, the individual can face serious consequences, including losing their job. The regulator is increasingly focusing on individuals’ behavior and wants to see personal accountability.
- WhatsApp users should also watch out for malicious scams and chain-letters, since being duped by these can mean personal information is stolen. A recent example appeared to come from the Adidas website and to offer free trainers – it was in fact being controlled by criminals seeking data.
Sending messages quickly and with too little thought can mean employees all too easily fall foul of company guidelines. WhatsApp may be a handy tool at work, but it carries risks, and having a clear policy in place could be a useful strategy to minimize these.