The allure of instant messaging is undeniable in the modern workplace. Platforms like WhatsApp have woven themselves into the fabric of our daily routines, offering a familiar and frictionless way to connect with colleagues.
According to the 2025 KnowBe4 Africa Annual Cybersecurity survey, 93% of African professionals now use the app for work, even surpassing traditional email and dedicated tools like Microsoft Teams.
Yet, this convenience, so prized by employees, casts a long shadow over organisational security, opening a Pandora’s box of cyber risks that leaders can no longer ignore. The very qualities that make these apps so popular, their speed and informality, are also their greatest weaknesses.
They were designed for consumers, not for the boardroom, and therefore lack the robust privacy and control features inherent in enterprise-grade systems.
This creates a dangerous gap. When official communications migrate to personal devices and informal platforms, they slip beyond the organisation’s view, creating a significant ‘shadow IT’ problem.
The consequences of this can be disastrous, from the accidental or intentional leakage of confidential client details and financial figures to the exposure of critical internal strategies.
The informal nature of these platforms leaves no audit trail, making it nearly impossible for companies in highly regulated sectors like finance to demonstrate compliance with strict data-handling requirements.
Furthermore, these platforms have become a fertile hunting ground for cybercriminals. Weak identity verification on these apps makes impersonation scams alarmingly common. Hackers, often gaining access through methods like SIM swaps, can lock the legitimate user out of their account and obtain a treasure trove of past conversations, contacts, and files. They then proceed to impersonate the victim, deftly deceiving colleagues and clients into handing over money or sensitive information.
Recent headlines provide sobering evidence of these threats. WhatsApp messages are increasingly being used as evidence in employee tribunals and legal cases, prompting some institutions, like the British bank NatWest, to impose outright bans on apps like WhatsApp.
The problem is not confined to the corporate world; a major leak of top-secret military plans on the Signal app earlier this year demonstrated how easily critical information can spiral out of control, inadvertently reaching unintended audiences.
For organisations looking to reclaim control, the solution is not a simplistic ban but a strategic and empathetic approach. The first step is to provide a secure, company-endorsed alternative that is just as easy to use. Simply telling employees what not to do is ineffective; they must be given a better, sanctioned option that is readily accessible and actively promoted.
Employees need to truly understand the ‘why’ behind the policy. Training should move beyond dry rules to instil principles of digital mindfulness: the habit of pausing before sending, critically thinking about what information is being shared and with whom, and recognising the emotional triggers, like urgency or fear, that scammers so expertly exploit.