You may know people who have used WhatsApp for sensitive business communications because it was familiar and convenient. I was even told of a board of directors who had got tired of waiting for IT to come up with a secure messaging service, and decided, against IT’s advice, to use WhatsApp as their standard communication tool.
A security expert could fill you in on the strengths and weaknesses of WhatsApp, but the more important insight is that employees are bound to use non-corporate communication tools (everything from a messaging service to a USB drive to a file transfer app) because the corporate tools are not convenient enough.
You can ban the use of non-approved communication methods, and companies do things like locking down PCs so they can’t use USB drives. That makes sense as a policy; at the same time, we need to accept that humans will inevitably circumvent the policy. That means we need a second layer of defense.
The second layer of defense is education. It’s uncomfortable, but not the end of the world if employees’ grade levels are revealed. On the other hand, if employees’ compensation data or medical data or psychometric assessment data is revealed, then that’s much more serious. HR professionals need to be educated and reminded which data is so sensitive that they must never take a risk with it.
There is a bit of subtlety to the message. You don’t want people to walk away thinking, “I need to be careful with this HR data, and I can be cavalier with this other HR data.” Simply stress the risks of non-approved communication methods, and give examples of the sort of data that would cause the greatest harm if it got out into the world.
Data security and data privacy are ever more important for HR. We need to have a breadth of understanding of what security tactics work in a world where employees are human.