Consumer apps expose corporate information

Consumer apps like WhatsApp, Skype, Google Hangouts and "probably WeChat too" pose security risks for businesses, says Pankaj Gupta, founder and CEO of telecommunications services provider, Amtel.

"These are very good apps. They've been designed very well, but their focus is on the consumer [and not the corporation]," says Gupta. He explains that apps require superior security, privacy, data archiving and management facilities to be safely used in a corporate environment.

"We need to ensure that data is encrypted," Gupta says of app security. Because many consumer apps do not encrypt their data, companies as well as government, healthcare and finance institutions are made vulnerable to man-in-the-middle (MITM) cyber attacks, he notes.

In an MITM attack, the attacker intercepts communication between two devices, impersonating each device to the other so that neither detects the attack, and can read the data being exchanged.

Consumer apps can also compromise a business' privacy by making the user's phone number visible to those they contact, Gupta says, adding many consumer apps can access the user's contacts, which could amount to data leakage on the business' part.

Gupta states it is important for companies to be able to archive their messaging data in case of enquiry or complaint later on. Consumer apps do not offer an easy solution here, he says.

Consumer apps are also difficult to manage remotely, he adds. "You should be able to manage the [corporate] container on the device as an IT administrator."

"I definitely think these kinds of apps used by employees pose a big security risk to organisations and their information," agrees Doros Hadjizenonos, sales manager at Check Point SA.

Because consumer apps "become part of how people communicate on a daily basis, the focus shifts to the value these apps add to employees' lives, rather than the security risks involved for an organisation," he says.

Employees who fall victim to phishing attacks, malicious apps and software vulnerabilities can compromise company data as well as their own, says Hadjizenonos.

In a phishing attack, the cyber attacker poses as somebody the user trusts and tricks them into giving away information that makes them vulnerable, he explains.

Where malicious apps are concerned, many employees "never actually stop to read and think about what they are giving the app permission to access," Hadjizenonos says. "Education regarding general security practices is, once again, really important and people have to be careful and ensure they are downloading the official app available."

But even in dealing with "official" apps, "software is never perfect," and criminals often discover and exploit software vulnerabilities, so that "an app is a potential vector for criminals" to gain access to data, Hadjizenonos expands.

Employee resistance

However, "once an organisation has allowed BYOD, it is usually difficult for them to become stricter in terms of what apps employees can and can't use, as the device remains the property of the employee," says Hadjizenonos.

"Employees are reluctant to let the company manage their devices as it inhibits their free use of them."

Hadjizenonos believes rather than banning the use of consumer apps, organisations must secure company data on devices by containerisation – separating business data from personal data and applications.

Gupta says businesses must enforce separate communication apps for corporate and personal communications.

Check Point Capsule creates a "secure business environment" whereby business data is kept separate from all personal data and applications, says Hadjizenonos.

Amtel Plum, a messaging and calling app, allows users to conduct business communications using a separate phone number, as well as archive their communications and manage the app remotely, counters Gupta. The receiver of the communications does not need to have the app to access them, he adds.
