Roddy Wilson, CISO at Serbus, a network infrastructure advisory firm, pictured, explores the dangers in corporate and government reliance on off-channel apps like WhatsApp and Signal for high-stakes communication. He argues that while end-to-end encryption offers a veneer of safety, it lacks the sovereign control required to prevent human errors and deliver complete security.ย
For the modern CISO and board, it is imperative to ask the question: do you know who can access your data and do you know when they are doing it and why? If it is part of your company culture to use popular apps such as WhatsApp, then you are relying on trust in others to protect you, rather than ensuring you have full technical oversight and control. The reality is, if you do not have oversight and control of your platform, you are at risk. Even if you are not currently breached, you are exposed.
Encryption
Off Channel Apps point to end-to-end encryption for security, however it is important to look past this veneer. While encryption is a part of the solution, it is not the whole story, identity, access, and visibility are also instrumental parts. Identity is the real attack surface. Bad actors do not need to break the encryption, they simply need to authenticate, and they can potentially do this through phishing and credential theft. Once they are in, the system decrypts the data exactly as it was designed to do, without them having to do a thing.
This lack of control is often hidden by a lack of visibility. Companies protect their perimeters but seldom consider what is happening inside their perimeter. As I have often told my teams, you cannot protect what you cannot see, by this I mean if you do not understand the architecture or who is connecting to what, how can you know what you are really protecting.Taking a house as an analogy. The outside of the house can be strong, with CCTV, reinforced doors, high fences, and alarm sensors. You know what it looks like, how people access it and who accesses it. However, inside the house there are no sensors, doors are left open and you cannot see who or how people move through it. The movement of people once inside the house is invisible to you, any actions or changes made are blind to you. If you do not know what normal looks like and monitor it, you have no way of distinguishing the normal from the abnormal.
Quantum
The urgency of the risk is underscored by the fact that the quantum clock is ticking. We need to stop thinking about quantum as a future problem, it is a today problem. Quantum shines a huge spotlight on issues you already have regarding access and visibility. Weak access controls are increasingly fragile, and visibility challenges mean you do not understand what is already compromised. Harvest today, decrypt later is the most talked-about threat right now, with foreign states hoovering up data now, buying themselves time to decrypt on their own timelines. Once they decrypt the data, they have your secrets.
While the value of harvested data is relative to time, the question is increasingly will this data still be relevant when someone gains the ability to read it? Sending a message to family about popping to the shops for milk is different from a message containing the design spec of a future product. While the data itself remains encrypted for now, the metadata can still be revealing. The metadata can reveal who is communicating with whom, for how long, and from where, enabling them to build a pattern of behaviour and collect information that can be very exploitable now. It tells the story around the message. The reports in early 2026 alleging inappropriate internal access to chats at Meta should be a wake-up call regarding cloud providers. These providers may, under certain conditions, access metadata. Overall, I find it both interesting and concerning that we are still talking about off channel apps in a business context.
Judgment call
People use off channel apps due to ease. People in the main prefer easy and gravitate towards tools that are instantaneous and at their fingertips. Their focus is on connect less so protect, however when communicating there is a difference between your personal security and your operational security. In your personal life, you are your own CEO and you make judgment calls on what works for your life against the pressures you have and what risks you are willing to take with yourself. In a corporate or government environment, your judgement impacts others with the potential impact being long lasting. The blend of technology, people and processes becomes far more systematic and of greater impact.
Technology is not the problem, lack of governance is the failure. A lack of control, visibility, and accountability in the era of quantum threats will reveal and exploit weaknesses. While convenience may drive organisational behaviours, cultures need to be challenged and changed, security must be part of an organisationโs DNA. Boards must ensure that their organisation understands, controls, and governs how they are both connected and protected. If not, compromise is not an if but when.
