Techno Savvy

Downsides of WebWhatsapp on Corporate Network

I am working as a Network Security Admin at a healthcare center.
I have been asked by the medical center management to allow WhatsApp Web on specific employees' corporate desktop PCs as a messaging tool for exchanges between employees. I oppose this request. I am not quite sure how to explain to management the security risks of allowing WhatsApp on corporate-connected computers.
I would appreciate any help explaining the downsides to a non-technical audience.
bbao

Can I first know what your concerns are against WhatsApp Web?
Techno Savvy (ASKER)

Thanks for your prompt reply.

I have cyber security concerns.

Silly users clicking malicious/phishing/spam links or messages and/or downloading malicious received files, which could be used as a weapon to plant malware or exploit zero-day vulnerabilities within the browser.

Please feel free to add any other security implications.
ASKER CERTIFIED SOLUTION
ste5an
This solution is only available to members.
@ste5an

That's a very fair point; however, employees most likely do not share patient data. Perhaps they need it just to ease communication between colleagues.
Kimputer

Having no email, and only WhatsApp, is actually a better way to communicate, as spam filters have shown that many still pass the filters. And with email, it's harder for "normal" users to know which are real and which are fake (the sender can easily be spoofed).
Spoofing in WhatsApp is far less common. If users only chat with their known contacts, and never with new incoming unknown ones, user education should be easier.
Clicking links, running downloaded apps or installing apps should already be prohibited in the first place in any corporate network.
"That's a very fair point; however, employees most likely do not share patient data. Perhaps they need it just to ease communication between colleagues."
Most likely means it can happen. Then the only question is: Are you liable? If you argue with GDPR, then just get a written order which says you're not. In all scenarios. Then you don't need to worry.

@Kimputer:

We use email with anti-spam filtering in the cloud; it works well.

We do restrict downloading or installing apps for any user by default, but there are still opportunities to get breached. For example, a user can download a doc file with macros enabled and get hacked.

Employees use personal WhatsApp, so they are not restricted to chatting with known employees or people.
SOLUTION
This solution is only available to members.
Don't you have available GDPR chat clients for the EU now?

GDPR compliance of WhatsApp has been passed to the user.
https://www.pridatect.co.uk/how-to-comply-with-the-gdpr-if-you-use-whatsapp-in-your-company/

You should probably consult your organization's lawyer for your country.

There's Rocket.Chat (https://docs.rocket.chat/legal/gdpr) as well as others.
Hi folks,

Health businesses are required to enable chat/IM to interact with their patients.

Since WhatsApp is a popular and widely used messaging app, can we consider using it in healthcare with backend business chat platforms?

Any suggestions?
SOLUTION
This solution is only available to members.
If you really need to allow a well-known messaging client (to be honest, I see no reason why they do not stick with regular text messages), the solution might be to isolate it from the network by running it on separate hardware or, more realistically, in a VM or some sort of container, possibly on the users' desktops.

Depending on how much you trust the users, a browser or web app running in a dedicated low-privilege user context (maybe guest) can be good enough.

A separate actual WhatsApp running on an emulated Android might be a decent option too.

Note: as a non-WhatsApp user, I would feel harassed if my hospital asked me to use it to communicate with them. Not having an alternative is segregation. You can set up multichannel communicators nowadays and use WA, Telegram, LinkedIn, regular email, SIP account, oralized vocal messages... or whatever the user is comfortable with.