Businesses use such platforms as unapproved means of communication.
WhatsApp has shared certain data with its owner Facebook since 2016, but users previously could opt out. From 8 February, however, users will have to accept the updated terms to keep using the app.
Whilst messages on WhatsApp are encrypted and Facebook will not be able to see them, WhatsApp will still have collected data that can be shared with its parent company.
Ernst & Young (EY) consulting leader on Asia-Pacific cybersecurity risk Richard Watson noted that despite the encrypted messages on WhatsApp, employees may unwittingly be disclosing information they are not aware of to third parties, including device metadata, phone numbers, and business information.
“Social media platforms of this nature are often mixed between business and pleasure, increasing the risk of sensitive information being disclosed to the wrong party,” he said.
The use of encryption has increased dramatically in APAC in response to regulation that requires it, particularly when personally identifiable information needs to be passed to third parties. Many commonly used business software platforms automatically encrypt information, which has increased its take-up.
Watson explained, however, that attackers can still access business data once inside the corporate environment as much corporate “data at rest” is still unencrypted.
Meanwhile, Kaspersky senior researcher Anna Larkina shared that nothing is truly free on social media platforms.
“Unfortunately, the current business model for free services means that, essentially, we pay with our data. Social networks, some messengers and search engines make money off of advertising, and the more personalized it is the better,” Larkina said.
She described how Facebook and other companies have been collecting data through their services even before this, with most companies being transparent about their policies. These apps only trace “technical and account information.”
Law enforcement on cybersecurity
There is no separate law in Hong Kong regulating cybersecurity. However, if a business is in a regulated industry such as financial services, both the Hong Kong Monetary Authority and the Securities and Futures Commission have recently issued new communications on cybersecurity or updated their existing cybersecurity frameworks.
“The ever-increasing laws and regulations are a clear signal that cybersecurity issues and breach incidents are becoming increasingly commonplace,” Lee said.
She added that despite such occurrences, the risks for companies in areas like human error, regular software updates, cybersecurity incident plans, and cyber insurance are still the same as before.
Taking a holistic approach to data sharing
Watson emphasised that whilst some regulations require encryption of data, other regulations forbid it in certain jurisdictions.
“The encryption debate is particularly hot in areas of law enforcement, where you get the tension between users who want communications to be private and law enforcement agencies who want access to that data, generally in the fight against terrorism and crime,” he said.
With this, Lee noted that companies should take a holistic approach to data sharing between businesses, taking into consideration the agreement on data sharing between the parties, what is permissible under the relevant laws, what the company’s communications to the user say and whether they are clear enough, and what is actually shared by companies with others.
“It is important for a company’s communication to its users to be clear and transparent, and for this to be followed through in its data sharing agreements with other businesses as well,” she said.
Lee also advised companies to regularly remind employees of safe internet and cybersecurity practices.