Using Signal or WhatsApp for Work? Here's a Checklist of Compliance and Security Considerations
Consumer privacy: better than nothing...
Consumer messaging apps like Signal and WhatsApp prioritize individual privacy through end-to-end encryption: messages are encrypted before they leave your mobile device and are not decrypted until they reach your recipient's device.
Because they were designed for consumers rather than enterprises, however, they lack the centralized enterprise controls that are crucial for regulatory, statutory, and legal compliance, and for meeting organizational security best practices and policy requirements.
But my team insists we use XYZ...
We get it. Sometimes, you have to do what you have to do. We're here to help!
Here's a handy checklist of what your organization should consider addressing through policies, procedures, and compensating technologies if you're planning to use consumer privacy-focused apps like Signal or WhatsApp in an enterprise context.

- Determine involved conversation participants
- Notify conversation owners for participant removal
- Alert owners when to shut down specific conversations
- Reevaluate participant presence in conversations

- Collect phones of participants
- Manually review and capture relevant communications
- Exclude non-relevant communications
- Assign responsibility for this activity
- Securely store and verify newly reconstructed archives

- Utilize Disappearing Messages (Note: Can impact audit trails)
- Adopt Mobile App/Device Managers (Note: May incur costs)
- Implement Endpoint Management
- Use Mobile Application Management (Note: Costs may apply and may not suit new IR devices)

- Define authorization for adding external participants
- Establish conversation participation moderation/termination
- Report unknown/unverified participant additions