Written by Luigi Bruno on 28 January 2021

Messaging Apps and Privacy: How Organizations Can Avoid and Mitigate Risks

Messaging Apps In The Workplace: Where Are We Now?

The COVID-19 pandemic has emptied office spaces and forced millions of people to work remotely from home. To cope with the lack of live physical interactions, workers increasingly rely on consumer messaging apps like Facebook Messenger, WhatsApp, Telegram, Signal, WeChat, and others to connect with their colleagues for work-related purposes.

Already in 2019, before the pandemic, a research study conducted by Speakup[1] found that 18% of remote workers used one or more consumer messaging apps as the primary channel to communicate with their colleagues and supervisors. In addition, 53% of remote workers reportedly used messaging apps for work-related matters between one and six times per day on average. More concerningly, 16% of the remote workers who participated in the research study reported that their respective HR and Internal Communications departments were not aware of their use of these apps.

More than one year into the pandemic, those statistics are probably outdated, and more organizations might be unaware of how extensively their workers use consumer messaging apps for work-related activities. Mobile messaging apps are easy to use without any oversight. They provide a good platform to help workers quickly discuss how to solve unforeseen business problems, especially when working remotely and BYOD (Bring Your Own Device) policies are the new norm.

 

Data Protection and Privacy Risks

Organizations face severe Privacy and Data Protection risks when it comes to the unapproved use of these apps for work-related communications.

For starters, all applications can suffer confidential and personal data leaks – accidental or intentional. A data breach might be more problematic when workers rely on consumer messaging apps since in the event of a lost or stolen device, it would be impossible for the IT department to remotely delete all sensitive business and personal data from the messaging apps on the affected device. In the same way, the lack of proper access management capabilities would prevent the IT department from blocking the unauthorized use of messaging apps.

Consequently, such data leaks would immediately trigger breach notification obligations and requirements under applicable data protection and privacy laws such as the EU General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the California Data Breach Law.

Furthermore, organizations operating in highly regulated industries such as healthcare, financial services and defence could face even more dire consequences from their workers' unauthorized use of consumer messaging apps. Since governments, public authorities and sectoral regulations could by default consider some of these apps inadequate both for protecting sensitive information and for being appropriately audited, organizations could face hefty fines and be stripped of their ability to bid for government contracts. Therefore, these organizations should consider outright banning the use of consumer messaging apps for work-related purposes.

These are only some of the risks that organizations of all sizes and across all industries face when consumer messaging apps are used without their knowledge or authorization. Since most organizations handle sensitive information and personal data that require an adequate level of privacy and data protection[2], it is essential to assess and mitigate the risks brought by consumer messaging apps.

 

How Can Organizations Measure and Address These Risks?

How can organizations measure and address the level of privacy and data protection risk brought by messaging apps?

In a nutshell, organizations must ensure that they apply the same standards and diligence for protecting the confidentiality, integrity, and availability of the personal data transiting over mobile messaging apps as they do for all other forms of corporate communication.

CISOs, CTOs and information security decision-makers are aware that no software or application is ever fully secure. For this reason, organizations almost always assess the security and privacy risks brought by emailing, web browsing and social media, and implement ad hoc policies, measures, and controls to mitigate the assessed risks and maximize privacy and security.

Bringing mobile messaging's security and privacy on a par with corporate emailing, web browsing, and social media should be a priority for organizations.

To do so, organizations must assess the data protection, security, privacy, and compliance risks generated by the use of consumer messaging apps for work-related activities.

As a first step, since many organizations are unaware of how extensively workers rely on mobile messaging apps, IT departments should use mobile device management solutions to assess the number of devices running messaging apps.

As a second step, organizations can conduct anonymous surveys to obtain insights into how messaging apps are used within the organization.

As a third step, there is no need to track the volume of messaging traffic[3] to determine the level of risk of unapproved mobile messaging applications. Instead, organizations should seek external expert advice to perform tailored assessments to determine the level of risk associated with each consumer messaging application. Such assessments should be performed based on the organization's security and privacy posture, risk appetite, and compliance framework. Internal IT security, privacy, and compliance decision-makers should cooperate in providing external experts with the best possible insights into how the organization manages data protection and privacy risks and challenges.

These steps should be sufficient for organizations to clarify which messaging apps their workers can use for work-related purposes, and thus to draft policies regulating their use. On top of these policies, organizations can increase workers' awareness of the privacy and data protection risks associated with messaging apps by carrying out awareness campaigns and dedicated training sessions.

Why You Should Consider Implementing A Secure Messaging Tool

There is a common denominator among all organizations facing risks due to their workers relying on non-authorized mobile messaging apps: they have not yet deployed a secure and private enterprise messaging application.

These messaging solutions add critical capabilities to business communication and bridge the gap left by email and phone calls. They do so through secure and private real-time communication that enhances employee interaction and productivity.

Many secure and private messaging applications support all the necessary use cases for business purposes, leading to efficient communication and collaboration. For instance, they are integrated with workflow tools and business applications, which leads to a positive impact on productivity.

Conclusions

Email and phone are undeniably tied to office work. Working from home is here to stay and will inevitably be part of the "New Normal." The use of mobile messaging apps for work-related communication will continue to expand at an increasing rate for the foreseeable future.

Therefore, organizations should act now to ensure that their data protection and privacy posture can cope with the risks brought by the increasing reliance on mobile messaging in the workplace.

For optimal results, organizations should:

  • assess the level of data protection and privacy risk associated with the use of messaging apps by their workers,
  • draft tailored use policies,
  • increase workers' awareness, and
  • implement an enterprise secure messaging tool.

[2] For example, customer information, intellectual property data, financial reporting, contracts and memoranda, patents, trade secrets, and M&A deals.

[3] This would be impossible to do unless devices are connected to a corporate Wi-Fi network.
