Skip to main content

Relying on free tools for your critical communication is a risky business

(Image credit: Image Credit: Gilles Lambert / Unsplash)

What has gone unnoticed in the recent story about the disgraceful burning of a Grenfell Tower effigy on a bonfire in South East London is that this event was almost certainly never intended to be made public. One of the people involved filmed the event on their smartphone and then posted it to what was very likely meant to be a private WhatsApp group. Someone in the private group then forwarded the video onto at least one other person outside of the group and any control over distribution was lost from that point onwards. The video went viral and the fury of the country descended upon them. No sympathy from me on this point. The massive outpouring of public anger that led to their subsequent arrest by the police, was the least that they deserved.

That is interesting you might say, but what relevance is it to readers of IT Pro Portal? Well, a recent survey carried out by Crises Control showed that 56 per cent of SMEs use WhatsApp for critical communications when an incident has left them without access to their normal IT or telecoms. In my view this is a very risky course of action.

The Grenfell Tower incident highlights one of the dangers of using free tools like WhatsApp for critical communications purposes, which is that WhatsApp groups lack enterprise level administrator control over what happens to the information that is shared via the application. Any user can post messages and media attachments to the group. And once posted to the group, these media attachments, such as videos, are downloaded as default to all user devices, so your media attachments are effectively given to everyone in the group. This means that they can then easily be shared inside the platform with other people outside of the original group. They can also be shared outside of the platform by e-mail or via social media platforms such as Instagram, Facebook or Twitter.

Encryption useless?

WhatsApp makes a big deal of its end-to-end encryption, claiming that not even they can see what messages and media you are sending out. This is a very useful security function, but it becomes useless if the attachments can be downloaded outside of the encrypted platform and the messages can be forwarded onto someone outside of your group or even your company. At this point the encryption security is completely bypassed and you lose any control over what happens to your data. This represents a serious risk of data breach involving data that it highly likely to be commercially sensitive if it concerns a critical business incident.

You also need to consider what could happen to your data if any of your group users loses their mobile device or has it stolen. If the information was held on a critical incident communication platform then a login and password would be needed to access the application, and an administrator would be able to remotely disable the individual user account if it was thought to have been compromised.

But if the data has been stored on a free communications tool, such as WhatsApp, then the security identification is the device itself and no further login or password is required. Even if the SIM is disabled by the phone company, which is the action that most people would take on losing their phone, the WhatsApp account can still be accessed using wi-fi.

Neither is there a user or company administrator function to remotely disable the WhatsApp account away from the device on which it is held. WhatsApp can do that themselves, but only upon receipt of a request to them. This means that you are reliant on every user within your group acting promptly to notify WhatsApp, rather than simply telling their phone company about the lost phone. Even if the user account is disabled, then the message history will still remain on the lost phone, as will all of the downloaded media attachments. If the user account is not disabled, then it could still be used to send out group messages and access group contact data.

Lacking enterprise class administration

Whilst I am on the subject, there are other problems with using WhatsApp for critical mass communications. Although they have now increased the maximum limit on group numbers from 100 to 256, this is still clearly not enough for all most enterprises when you consider the need to contact not just employees, but suppliers and customers as well. The only way around this limit of group numbers is to create multiple groups, which quickly becomes both impractical and inefficient. If you 1,000 stakeholders, then you will need to create a minimum of four groups and replicate all information across all the groups.

Summing this all up, WhatsApp and other free tools lack is enterprise class administration, with no administrator portal to ensure easy roll-out, transparent monitoring, company-wide communication policies, user management, user support, comprehensive access control and compliant archiving.

As a tool for talking to your friends, or even your work colleagues, about low level non-critical issues, WhatsApp is a great free tool. We all use it! But if you are thinking about translating that personal use into critical business communications, please think again. WhatsApp has not been designed as an enterprise application with enterprise class security and administration.

To provide these enterprise functions is expensive to support and starts to compromise the simplicity of WhatsApp that makes it such a great tool for talking to your friends. These expensive support functions do not fit into the freemium business model.

There are critical communications platforms on the market that do provide enterprise class security, administration and multi-channel communication that can guarantee the critical message gets through and do not expose the business to unacceptable data security risks. Our survey found that only 32 per cent of SMEs currently use them, against the 56 per cent that use WhatsApp and the incredible 68 per cent that still use old-fashioned call trees.

If you are responsible for enterprise critical event management, please don’t rely on WhatsApp and phone call trees. You will come to regret it.

Shalen Sehgal, Managing Director, Crises Control (opens in new tab)
Image Credit: Gilles Lambert / Unsplash