How to balance WhatsApp's convenience with security in the workplace

Highlighting this threat, Meta recently announced that it had removed more than 6.8 million scam-linked WhatsApp accounts worldwide in the first half of this year alone. 

Despite these security challenges, WhatsApp remains deeply ingrained in professional communication across Africa. The annual 2025 KnowBe4 African cybersecurity survey reveals that 93% of respondents use WhatsApp for work communications, surpassing email and Microsoft Teams. 

Table: Lisakanya Venna

Source: 2025 KnowBe4 Africa Cybersecurity and Awareness Report

“Many people prefer WhatsApp because it’s fast, familiar and frictionless,” said Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa, adding that these apps “are already on our phones and embedded in our daily routines”.

However, Collard warned bluntly that “WhatsApp wasn’t built for internal corporate use but as a consumer tool” and therefore “doesn’t have the same business-level and privacy controls embedded in it that an enterprise communication tool, such as Microsoft Teams or Slack, would have”.

The convenience of WhatsApp comes at the cost of control and compliance, restricting organisational oversight.

Data leaks the most pressing threat

The biggest organisational risks were data leaks.

“Accidental or intentional sharing of confidential information, such as client details, financial figures, internal strategies or login credentials, on informal groups can have disastrous consequences.” 

This situation is aggravated by the fact that up to 80% of respondents in the study use personal devices for work, many of which are unmanaged, creating significant blind spots for organisations.

Nicol Myburgh, head of the human resource business unit at CRS Technologies, echoed this concern: “Sensitive information can easily be shared with unintended recipients or stored on personal devices without proper encryption or retention controls.” 

Read more: Cybercrime’s double target — seniors and Gen Z in the firing line

Myburgh emphasised that while WhatsApp has end-to-end encryption, this does nothing when a device has been compromised with malware. 

Personal devices not governed by IT policies posed “a big risk, for instance, employee payslips, banking details, ID numbers and more”.

This uncontrolled environment created critical compliance risks around data protection laws such as Popia (Protection of Personal Information Act), with the risk to individuals being intense, potentially leading to identity theft and fraud.

Phishing, account takeovers, identity theft on the rise

Collard revealed further dangers, stating that attackers love platforms where identity verification is weak.

She recounted that, in her personal network, at least 10 people have reported being victims of WhatsApp impersonation and takeover scams.

Adding to this, Meta announced that “every day criminal scammers attempt to play on people’s economic anxiety to trick people with too-good-to-be-true offers and pyramid schemes to earn quick money”.

As part of ongoing efforts to protect users, Meta has introduced new anti-scam tools on WhatsApp, such as safety overviews for group invites and alerts when messaging unknown contacts, aiming to help users identify and avoid scams before they happen.

Lack of oversight and policy gaps

Notwithstanding these enhancements, WhatsApp’s lack of comprehensive audit trails remains a critical issue.

“Informal platforms lack the audit trails necessary for compliance with regulations, particularly in industries like finance with strict data-handling requirements,” Collard explained.

This impedes organisations’ abilities to demonstrate lawful handling of sensitive data.

Myburgh stressed the need for clear policies: “A communication channel policy should be in place to govern what communication happens where.” 

How companies can establish secure communication practices

Myburgh said additional measures companies can implement include:

• Disabling auto-downloads;
• Not sharing passwords, sensitive files, or login details via chat;
• Enabling two-step verification;
• Conducting ongoing microlearning campaigns on secure communication and phishing awareness;
• Using interactive simulations and role playing to train executives and frontline staff;
• Establishing clear escalation procedures to verify requests involving payments or sensitive data; and
• Encouraging a “pause and verify” culture where employees feel empowered to question unusual requests, even from leadership.

In addition to these procedural steps, understanding WhatsApp’s built-in security features is crucial.

WhatsApp encryption explained

Myburgh agreed that while WhatsApp offers security tools, they should complement, not replace, organisational awareness and governance strategies. 

Tools such as WhatsApp’s enhanced encryption transparency and safety overview “are helpful but should be seen as complementary to broader awareness and governance strategies, not replacements for them”. 

WhatsApp’s default security includes end-to-end encryption (E2EE), which encrypts messages on the sender’s device and decrypts them only on the recipient’s device, preventing anyone else – including WhatsApp itself – from accessing the conversation content.

This encryption relies on cryptographic key exchanges between devices and employs the widely respected Signal Protocol to ensure message confidentiality during transit. Users can also opt for end-to-end encrypted back-ups to protect chat history from unauthorised access.

“This protects the message in transit, but the fatal flaw lies with the individuals sharing the information and the devices storing the information,” Myburgh warned. 

Insider tip: However, if your company has a group chat, everyone in the group needs to have e2ee activated for the chat to be considered secure. If even one person in the group chat does not have e2ee activated, the WhatsApp chat will not be secure. DM