Despite their popularity among employees, informal messaging platforms pose significant risks to organisations’ cybersecurity.
The 2025 KnowBe4 Africa Annual Cybersecurity survey found that 93% of African respondents use WhatsApp for work communications, surpassing email and Microsoft Teams.
For many organisations, platforms like WhatsApp and Telegram have become integral to workplace communication. Ease of use is what makes them so popular, explains Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa.
“Particularly on the continent, many people prefer WhatsApp because it’s fast, familiar and frictionless,” she asserts. “These apps are already on our phones and embedded in our daily routines.”
In terms of collaboration, these platforms also help employees to work together, especially in remote or hybrid work environments. “It feels natural to ping a colleague on WhatsApp, especially if you’re trying to get a quick answer,” she says. “But convenience often comes at the cost of control and compliance.”
Recent cases have underscored the risks of using informal platforms for professional communication. Increasingly, WhatsApp messages are being used as evidence in employee tribunals and other legal cases. The British bank NatWest has gone so far as to ban WhatsApp messages among its staff. In the US, a top-secret military attack on Yemen was leaked on the messaging platform Signal earlier this year, with the plan inadvertently shared with a newspaper editor and other civilians, including the Defence Secretary’s wife and brother.
Official communications ending up on personal devices and informal platforms is a problem very clearly not exclusive to the corporate sector.
“There are multiple layers of risk,” states Collard. “It’s important to remember that WhatsApp wasn’t built for internal corporate use, but as a consumer tool. Because of that, it doesn’t have the same business-level and privacy controls embedded in it that an enterprise communication tool, such as Microsoft Teams or Slack, would have.”
The biggest risk for organisations is data leakage. “Accidental or intentional sharing of confidential information, such as client details, financial figures, internal strategies or login credentials, on informal groups can have disastrous consequences,” she says.
“It’s also completely beyond the organisation’s control, creating a shadow IT problem.”
This is a growing concern, as the 2025 KnowBe4 Africa Annual Cybersecurity survey notes that up to 80% of respondents use personal devices for work, many of which are unmanaged, creating significant blind spots for organisations.
Another major risk is the lack of auditability. “Informal platforms lack the audit trails necessary for compliance with regulations, particularly in industries like finance with strict data-handling requirements,” explains Collard.
Phishing and identity theft are also threats. “Attackers love platforms where identity verification is weak,” she says, adding that at least 10 people in her personal network have reported being victims of WhatsApp impersonation and take-over scams.
“Once the scammer gains access to the account, in many cases via SIM swaps, the real user is locked out and they have access to all their previous communications, contacts and files. They then impersonate the victim to deceive their contacts, often asking for money or even more personal information.”
Beyond security, using these channels can also lead to inappropriate communication among employees or the blurring of work-life boundaries, resulting in burnout. “Having a constant stream of messages can also be distracting and lower productivity,” says Collard.
To mitigate these risks, it’s important that organisations set up a clear communications strategy, Collard says. “First, provide secure alternatives. Don’t just tell people what not to use. Make sure that tools like Teams or Slack are easy to access and clearly endorsed.”
The next step is to educate employees on why secure communication matters. “This training should include digital mindfulness principles, such as to pause before sending, think about what you’re sharing and with whom, and be alert to emotional triggers like urgency or fear, as these are common tactics in social engineering attacks,” shares Collard.
“By promoting psychological safety, employees feel comfortable questioning odd requests, even if they appear to come from a boss or client.”
This is particularly vital given the “confidence gap” highlighted in the new KnowBe4 Africa Human Risk Management Report 2025, where high perceived awareness of cybersecurity policies often doesn’t translate into employees feeling fully confident or supported in reporting incidents or questioning suspicious communications.
By introducing approved communication tools, organisations can benefit from additional security features, such as audit logs, data protection, access control and integration with other business tools.
“These platforms also support more mindful communication norms, like scheduling messages or setting availability statuses,” says Collard. “Using approved platforms helps maintain healthy boundaries, so work doesn’t creep into every corner of your personal life. It’s about digital wellbeing as much as it is about cybersecurity.”
In conclusion, Collard maintains that while informal messaging offers convenience, its unchecked use introduces significant cyber risks. “Organisations must move beyond simply acknowledging the problem and proactively implement clear policies, provide secure alternatives, and empower employees with the digital mindfulness needed to navigate these cyber-risk zones safely.”