HR Grapevine - What HR needs to know about the WhatsApp hack

An extract from another interesting article from the team at "HR Grapevine". Click on the link to find out more or register for their regular updates:

Yesterday, popular messaging app WhatsApp revealed that a major security breach allowed hackers to install spyware on users’ phones by simply calling them.

The spyware can trawl through calls, texts and other data, activating the phone’s camera and microphone and performing other malicious activities, according to reports.

For employers, this news needs to be taken seriously. A recent study by Speakap revealed that 53% of global frontline workers use WhatsApp and other messaging apps to discuss work-related matters, with one in ten worried that, due to this usage, sensitive data could be left exposed.

Yet HR is often in the dark with regard to how staff communicate. 16% of those using WhatsApp, or similar applications, for work admit that their HR departments are not aware of such usage.

Why is this news important to HR?

Figures show that WhatsApp is used by the majority of workers for business needs yet, according to some commentators, WhatsApp is designed for consumer use and shouldn’t be used to share business information. This poses a major data security risk.

Dan Boddington, Systems Engineer at StarLeaf, told HR Grapevine: “The data [potentially] acquired [by hackers], in many circumstances, can be some of the most sensitive corporate information available.”

This could have a big impact for the business. With HR at the centre of data compliance and corporate comms, they have to ensure that everyone in the firm knows the risks.

“For example, when customer data is compromised, this can irreparably damage the reputation of the business and more problematically be accessed by those malicious individuals,” Boddington added.

What can be done to mitigate against security issues?

In this particular instance, Facebook, who own WhatsApp, advise updating the app to get rid of the issue.

Boddington added that companies should consider using other communication tools specifically designed for the enterprise.

Alternatively, Barry Stanton, Head of Employment Group at law firm Boyes Turner, added that HR and IT need to be aware of how data is being used and where it is used to ensure it is being kept secure – with employees at the forefront of this.

“We have all become used to having social media apps on phones and in many cases having one device for work and social purposes, blurring the line between work and home life,” Stanton explained.

“Business needs to consider how far, if at all, that line should be blurred. How important is data security to it and therefore what apps employees can download onto devices used for work purposes?

“Every employee who handles personal data is at the forefront of data security. There was a lot of noise about GDPR a year ago - data security [should be] at the heart of everything that a business does, including the use for personal or business purposes of mobile devices.”

So, what can HR do?

Alastair Brown, Chief Technological Officer at BrightHR, said clear rules around communication should be explained to staff.

He said: “Employees play an important role as the first line of defence and they should be reminded to keep information private. It may be wise to provide specific training on ‘phishing’ messages, which can enable third parties to surreptitiously gain access to sensitive data, as well as the dangers of accessing private messages in public spaces and what protocol to follow if they misplace a work device.

“Ultimately, employers need to consider that no form of electronic communication is likely to be 100% secure and therefore it is worth considering whether using instant messaging platforms is really worth the risk. Whilst this risk can be reduced significantly with the help of a stringent IT department and employee cooperation, employers should always ensure they keep data protection at the forefront of their mind.”

Additionally, Boyes Turner’s Stanton added that staff need to be aware of the potential punishments that GDPR can impose.

With maximum fines of either £17million (€20million) or four per cent of global turnover, as well as untold damage to a company’s standing, GDPR ensured that firms take data security seriously.

“GDPR raised the bar in terms of the importance of such breaches both in terms of the level of fine that may be imposed,” he added. Employees are also liable, something which HR needs to be central in communicating.

“HR need to be at the forefront of communicating the urgent need to update software to ensure devices are not compromised,” Stanton concluded.