Messengers and Shadow IT: The Risks


What Is Shadow IT?

The term “shadow IT” refers to software and hardware used by employees without their company’s knowledge or approval. A common example is the use of messaging services like WhatsApp for communication with co-workers and customers. Shadow IT is sometimes not just adopted by individual employees, or groups thereof, but by entire departments.

Typical examples:

  • Software:
    • Instant messengers like WhatsApp or Telegram for business communication
    • Cloud services (e.g., Google Drive or OneDrive) to store documents
    • Video-conference tools (e.g., Zoom or MS Teams)
    • File-sharing services (e.g., Dropbox or iCloud Drive) to transfer documents
    • Private email accounts
  • Hardware:
    • Private smartphones
    • Private laptops

Shadow IT is Widespread

In a 2019 Censuswide study, 53% of the surveyed IT managers reported that more than one in two employees use apps outside of the IT department’s control. 63% of the employees interviewed in a Forcepoint survey stated that they use personal hardware for work purposes. Hence, shadow IT doesn’t just amount to some isolated cases – it is a widespread problem.

Why Do Employees Resort to Shadow IT?

One reason for the rise of shadow IT is the increasing number of cloud services, “software as a service” solutions, and messenger apps targeted at consumers. Employees have a plethora of easy-to-use options at their fingertips, and they already know how to use many of them from personal experience. If a process doesn’t run smoothly and no assistance from the IT department is available, employees are tempted to address the problem by resorting to their own tools.

Working from the home office also fosters the growth of shadow IT. As far as their personal use of software is concerned, employees might not apply the strictest standards in terms of security and privacy, and the Corona pandemic has led to a further increase in under-the-radar IT in companies.

Shadow IT and Messengers

Instant messaging is just as popular in business communication as it is in everyday life. Employees use a consumer messenger at work because they’re already familiar with it or because there is no corporate alternative available.

The Risks of Using Consumer Messengers in the Workplace

The use of one’s personal chat app (such as WhatsApp or Telegram) in professional environments involves significant risks for companies.

Insufficient Protection of Corporate Data

When using consumer messengers for business purposes, internal data can end up unprotected in the hands of third-party IT services. Not even moderate security requirements are met in this scenario, and internal data can leak easily.

Using an enterprise messenger prevents corporate data from circulating in unprotected or private channels. For exceptional security requirements, an on-premises solution and, if necessary, a closed user group should be considered.

Furthermore, many chat apps are subject to US data-protection laws, which are not compatible with the GDPR since US services are required to grant local intelligence agencies access to customer data. The use of US chat services therefore poses a data-security risk.

What You Need to Know about Transatlantic Data Transfers

Learn what EU companies need to consider when transferring personal data to the USA in this blog post: 1 Year Since the Invalidation of the Privacy Shield Agreement: 5 Recommended Actions for Privacy-Compliant and Secure Corporate Communication

Consumer Messengers’ Lack of Administration Features

Instant messengers that are targeted at consumers are not only unsuitable for business purposes due to poor data protection; they also lack the administration features companies require. For example, it’s not possible to pre-configure consumer messengers or to restrict certain features for specific users. If an employee leaves the company, there is no way to revoke access to the chat app and the company data it may contain – this data will forever reside on the personal device of the former employee.

Disclosure of Customer Data by Means of Shadow IT

If employees use WhatsApp to communicate with co-workers or customers, they upload contact information to Facebook (i.e., WhatsApp’s parent company) without the contacts’ consent, and Facebook may use this information for marketing purposes.

How to Avoid Shadow IT: Introduce a Company Messenger

Because using consumer messengers in work environments poses considerable data-protection risks, companies have good reason to provide an internal messenger to their staff. This is the best way to prevent employees from using chat apps that lack proper security and don’t comply with applicable data-protection regulations. Instant messaging can increase the efficiency of work processes thanks to fast and straightforward information exchange, and with a suitable company messenger, the required data security is ensured.

What to Look for in a Corporate Messenger

Chat apps that are suitable for secure and GDPR-compliant business communication are characterized by the following features:

  • End-to-end encryption: Messages can only be read by the conversation participants; i.e., there’s no way for the service provider to decrypt messages.
  • Open source: The source code is publicly accessible; therefore, the app’s mechanics are transparent and open to review by external experts.
  • Privacy by Design: Misuse of data is ruled out from the outset because data reduction and privacy protection are inherent to the app’s DNA.
  • Data-privacy compliance: The service is fully compliant with progressive data-protection laws such as the GDPR.
  • Self-hosting: To protect highly sensitive data and company information in the most effective way, it’s vital to host the messenger on an internal company server (“on premises”). A closed user group increases the system’s security to the absolute maximum.
  • User management: An administration console that allows companies to pre-configure the chat app for their employees (and restrict certain features).
  • Usability and features: The most secure chat app is useless if its feature set and usability don’t meet the employees’ needs.

Threema Work for Your Company

With Threema Work, you can effectively prevent shadow IT in your company. Thanks to the intuitive UI, employees feel at home in the Threema Work app right away, and due to the extensive feature set, they have no need to resort to consumer messengers. Threema Work’s management cockpit allows IT administrators to pre-configure the app (and, if required, restrict certain features for specific users). The Threema Work apps are open source, and the service fully complies with the GDPR’s strict data-privacy regulations. No other chat service offers a similar level of security and data protection.