Technology provides a wide variety of benefits, but many come with caveats or pitfalls as well. When it comes to communication, technology enables us to engage with just about anyone, anywhere in the world, at any point in time—but the same technology can also put your communications at risk of unauthorized access or exposure.
WhatsApp built an audience for its instant messaging platform around the concept of encrypting communications and protecting privacy. No software is invulnerable, though, as WhatsApp (and WhatsApp users) recently learned the hard way when a simple buffer overflow vulnerability allowed attackers to spread spyware to mobile devices with just a phone call.
I sat down with William MacDonald, CTO of Starleaf, to talk about WhatsApp and how organizations can do a better job of protecting data and privacy.
Tony Bradley (TB): Why is the recent WhatsApp flaw important for those who share sensitive or corporate data and communications on a work phone?
William MacDonald (WM): Instant messaging has become a huge part of how we communicate with each other, but consumer social platforms are not suitable for business purposes. The latest WhatsApp exploit is an extremely severe security hole and clearly demonstrates that there are many organizations—malicious or otherwise—aggressively hunting for flaws in these consumer applications. The data acquired, in many circumstances, can be some of the most sensitive corporate information available. For example, when customer data is compromised, this can irreparably damage the reputation of the business and more problematically be accessed by those malicious individuals.
TB: What can be done to mitigate it?
WM: Users should regularly keep application versions up to date and always check for unusual patterns on your mobile device. Seek help from your mobile provider or check with security experts to determine if you are a victim of cybercrime. However, when it comes to business usage, the best practice for employees is to not use consumer apps but adopt secure messaging and communication tools specifically engineered for the enterprise. Every employee has a responsibility for data security and by using dedicated solutions, the workforce will be mobilized to meet and message more effectively, as well as keep this data safe from malicious individuals.
TB: Does this show the importance of data protection?
WM: This incident involving WhatsApp absolutely underlines the importance of data protection. Vulnerabilities within messaging services raise serious concerns around the protection platforms, such as WhatsApp. Smart hackers choose to target these platforms because they contain weak security, granting an open door to steal valuable data. With regulations like GDPR in force, it is no longer acceptable for businesses to rely on consumer-grade applications to transfer confidential data. They need to use properly secured messaging platforms that will keep their data, and the data of their customers, protected from any potential leaks or malicious hackers. The design process of consumer-grade applications typically prioritizes other features ahead of security; hence, this is why it is imperative to choose the right enterprise-grade tool when communicating and transmitting sensitive data.
TB: Does it reveal the important part every employee plays in data protection?
WM: Bad practice and complacent user behavior are often the gateways to a major breach. It is all very well companies putting in place data protection policies and procedures, but if employees do not adopt the right solutions to minimize risk and protect company data, let alone their own personal credentials, then users are in danger of placing themselves and their employer at a substantial risk of data breaches and cybersecurity incidents. People often pick a tool based on what allows them to work in the most effective way possible, without considering the security implications. It is the responsibility of everyone involved from manufacturers, vendors, IT directors and through to end users to be vigilant and provide the appropriate tools for all business communications.
It seems particularly egregious that an app like WhatsApp—engineered for security and privacy—would fall victim to a simple buffer overflow vulnerability. That is why the WhatsApp incident is a good example of how no software is perfect, and why MacDonald believes consumer applications should not be trusted with sensitive data or confidential company communications.