By Otavio Freire, CTO & Co-Founder at SafeGuard Cyber
China accounts for almost a quarter of global GDP, and its growing middle class has significant spending power. Across every industry, global growth plans include capturing market share in China.
However, China presents unique challenges. Its information ecosystem is built differently to any other. The tools and platforms used by sales and marketing teams operating in APAC, EMEA and the Americas cannot simply be transplanted to the Chinese market. Instead, whole new cloud channels need to be deployed. By far the biggest of these channels is WeChat.
For a western audience, it can be hard to grasp the centrality of WeChat to the Chinese digital landscape. WeChat possesses over 1.2 billion monthly active users. It is much more than just a chat app. WeChat is China’s foremost application for social media, retail, banking, eCommerce, business, information, customer service, brand reputation building, and every other personal and professional function.
WeChat is a business communications imperative. For companies with Chinese operations, there are two versions: WeChat and and more recently WeChat Work, also known as WeCom.
WeChat vs WeChat Work
WeChat is the multifaceted mobile web of China: ecommerce, social network, mobile chat, payment system, all rolled into one. Most any company doing business in China understands the app is critical to engaging with consumers for marketing, sales, and support. From the West, luxury retailers and automakers were the first adopters in using WeChat influencers and marketing programs to reach Chinese customers. However, from an enterprise standpoint, the personal WeChat app is difficult to secure and presents data privacy challenges.
In recent years, Tencent, the company behind WeChat, released WeChat Work, also called WeCom. WeChat Work is an enterprise collaboration tool that integrates seamlessly with the more general WeChat messaging app. In many ways WeChat Work anticipates the type of communication that might be possible with the Salesforce-Slack acquisition. A game-changer for Western enterprise IT teams, WeChat Work offers an enterprise-scale cloud-based instance, which is easy to deploy and far easier to manage than a confederation of employees’ personal WeChat accounts. Similar to Slack or Microsoft Teams, data privacy challenges are fewer given the platform is dedicated to business communications.
Security Challenges for WeChat Work
Even a modest-sized company’s WeChat Work instance will play host to hundreds of messages per day. Any one of these messages could contain a phishing link, or a malicious file, or an interaction that represents a compliance risk. The volume and velocity of the messaging makes manual review impossible. And, this challenge is to say nothing of any customer data transiting into the platform via customer support or marketing channels.
The lack of visibility and threat detection would be bad enough on its own. It already makes the cloud channels that western enterprises are more familiar with weak links in the security chain. However, on top of this, WeChat comes with its own set of security idiosyncrasies:
- WeChat possesses no end-to-end encryption. Users really don’t know what happens to their data inside the WeChat ecosystem. This is a very bad situation for security teams tasked with preventing data leakage.
- WeChat is a primary attack vector for Chinese cybercriminals. Exact data can be hard to find, but from a report by the Supreme People’s Court, we know that in 2019 WeChat was by far the leading source for scams. Over 50% of online fraud incidents investigated by Chinese authorities were conducted via WeChat. A western security team entering the Chinese setting will likely be poorly positioned to understand these threats.
- Outside China, cybercriminals are continually developing banking trojans that mimic WeChat to access and steal user information. Cerberus, for example, is a type of malware that is capable of stealing user privileges and granting itself additional permissions without any user interaction. Again, security teams using WeChat for the first time can be unfamiliar with the app, and struggle to detect trojans.
- Then, there are the major compliance issues. Again, all information shared on WeChat is likely open to government access. Non-Chinese users located abroad are also visible. This government surveillance means that companies that don’t possess full visibility into their employee interactions are putting themselves at risk. They are in danger of violating China’s strict censorship laws and other regulations – regulations which can often be difficult to parse.
- Compounding all of these situations is the language barrier. Securing cloud channels in predominantly English-language markets is hard enough. But WeChat supports numerous Chinese dialects, including the major ones of Mandarin and Cantonese. In many exchanges, different languages could be mixed together. Universal-language machine learning is an absolute necessity to assure security and compliance.
Securing WeChat is Possible
Despite the aforementioned challenges, securing your company WeChat Work instance is eminently possible. However, it requires extra tools that are custom-built for the challenges that WeChat Work presents. (The likelihood is that employees at western companies are at special risk of cyber-attack, as WeChat-savvy bad actors will see them as naive and vulnerable users.)
The principles of effective WeChat security are as follows:
- Companies must seek out tools that give them full visibility and round-the-clock monitoring. These tools must have the power to detect, and alert companies to, any digital risks: malicious links, malware, account changes, and problematic language.
- Through this security engine, companies must be able to implement custom policies so that the precise risks they face are flagged. The Chinese setting can be dynamic and unpredictable, and companies need a policy engine that is flexible.
- To protect against compliance risks and audit requirements, automated archiving and record-keeping is more important than ever. The security platform must allow companies to record everything that happens in their WeChat Work instance.
With these three principles as the backbone of a WeChat Work security policy, secure and compliant usage is possible. Without them, though, companies are putting themselves at major risk in a business critical market.
About the Author
As the President, CTO, and Co-Founder of SafeGuard Cyber, Otavio Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform, which enables global enterprise customers to extend cyber protection to social media and digital channels. He has rich experience in social media applications, Internet commerce, and IT serving the pharmaceutical, financial services, high-tech, and government verticals. Mr. Freire has a BS in Civil Engineering, an MS in Management Information Systems, and an MBA from the University of Virginia Darden School of Business, where he currently serves as a visiting executive lecturer.