Over the weekend, we received word that Rep. Elijah Cummings (D-MD), who chairs the House Oversight and Reform Committee in Congress, had sent a letter to the White House regarding the use of a private email account by presidential advisor Ivanka Trump to conduct official business. The letter also asked about the use of the WhatsApp messaging app by advisor Jared Kushner to conduct sensitive diplomatic communications with people outside the U.S.
According to multiple news reports, the recipient of some of Kushner’s messages was Saudi Crown Prince Mohammed bin Salman, the same Saudi official who ordered the killing of Washington Post journalist Jamal Khashoggi. The fact that Kushner uses Facebook’s WhatsApp to communicate official business is giving security experts within the government and elsewhere nightmares.
Why? First of all, WhatsApp messages aren’t part of the official White House messaging infrastructure, and that means that they aren’t being preserved as required by the Presidential Records Act. Kushner’s lawyer has told the committee that Kushner sends screen shots of the messages to his official White House email, but as a number of officials have noted, that doesn’t preserve the entire communication.
WhatsApp is Encrypted, but That Doesn't Mean the Message is Safe
But a worse problem is the security. While WhatsApp is encrypted end to end, it’s a commercial app intended for use by consumers. It has no means of protecting the communications on either end of the line. In any case, being encrypted isn’t the same thing as being safe. After all, WhatsApp is owned by Facebook, a company for whom security and privacy are, at best, theoretical concepts.
On the other end of the line, cracking mobile phone security is a major industry in the Middle East, and some of that activity is operated under the auspices of the Saudi government. How hard would it be for a Saudi government official to install malware that affects both ends of the messaging link?
So what does this have to do with you? Actually, a lot. Even if your company doesn’t deal with highly classified information, you still have information you don’t want to be made public. In addition, you may find yourself in a situation in which your communications are legally binding, such as when you agree to a purchase using email.
Just as in the case of the White House, you don’t want to find out that one of your employees used an insecure messaging platform that enabled a breach. Likewise, you don’t want to find out that your executives’ private discussions were sharing a messaging service with the babysitter.
Legal Consequences a Major Factor
If you’re engaging in some activity that’s got a legal consequence, such as negotiations for a merger, an HR situation or even an order for paper for the copier, you want to make sure you have a copy of that communication.
The way to accomplish this in business depends on whether you let your employees use their own phones and computers. If you provide those for the employees to use, then you can take charge of the applications that are installed on their devices. You can also lock down the device so that employees can’t add applications, which will make it less convenient to use things like WhatsApp.
On the other hand, if your organization has gone fully into the BYOD world, then you’re going to deal with a more complicated problem. Since you don’t own the device, your control over the apps that are installed is limited. In this case, your best chance is in the realm of HR policy.
Your rule forbidding the use of personal messaging for company business may not prevent its use, but it will give you some recourse if your employees ignore the policy and use it anyway. For example, you may want to make it a matter of policy that the employee is personally responsible for financial transactions conducted outside of official channels. Then you can control the outcome when they submit their expenses.
Consider the Nature of the Infraction First
It’s important to the nature of the infraction. For example, an employee setting up lunch with a prospective customer over a Facebook Messenger account isn’t exactly an egregious failing. But using WhatsApp to tell their friends about company activities probably is a policy violation.
The best way to handle this issue is to make it easy for your employees to follow the rules. For example, make sure that their company email will work from their mobile device in addition to their computer at work. Set clear guidelines for the use of messaging and social media when it involves the company, and include a description of the consequences if your employees don’t follow the rules. Then enforce the rules.
While you can use the right technology to determine whether employees are using social media or a messaging app from the company network by using an NG firewall, it may not be worth the effort. Your employees can bypass your firewall by simply turning off WiFi on their devices.
Instead, help your employees comply with your policies by providing them the means to follow them and by educating them on how to accomplish that. Like everything else in security, it helps a lot if your staff is working on your behalf.