
Illustration by iStock; Security Management

Employees Keep Bypassing Approved Communications Tools, Putting Metadata at Risk, New Report Finds

New analysis from BlackBerry revealed a security gap surrounding end-to-end encryption: people using common messaging platforms who don’t actually understand what encryption protects.

Publicly available messaging platforms—like WhatsApp, Signal, and the free version of Microsoft Teams—offer users convenience and promise a level of security with end-to-end encryption (E2EE). But this encryption only protects the content of messages. Messages are often accompanied by metadata that contains information about the sender, recipients, IP addresses, and much more that can reveal patterns in behavior and relationships within an organization. That metadata is not protected by E2EE.

Recent intelligence advisories from the United States and Europe warned “that state backed actors are actively targeting accounts on consumer messaging platforms through phishing, impersonation and account takeover, accessing sensitive conversations without breaking encryption,” according to BlackBerry’s The State of Secure Communications 2026.

Three out of every four security leaders reported that employees “often” bypass approved communication tools and instead use consumer messaging platforms, offering adversaries a more accessible opportunity for harvesting encrypted data and metadata.

Among the 700 security leaders that the survey queried, 83 percent believed that WhatsApp was most commonly used for important, sensitive conversations, followed by personal email (54 percent), Teams (50 percent), SMS text messages (46 percent), and Telegram (39 percent).

The analysis found that most people (88 percent) trust messaging apps, even when using them for sensitive work. But 90 percent of those surveyed don’t fully comprehend what encryption actually protects, creating a gap between the amount of trust placed in a messaging platform and the actual level of risk exposure to the data tied to a message.

Understanding End-to-End Encryption

When using a messaging platform that promises E2EE, know that the content of your message is encrypted. While there’s a certain comfort in knowing that E2EE can keep the content of your messages private, there’s still a lot of information tied to messages that is vulnerable.

E2EE does not verify who is sending or receiving messages. Even beyond that annoying spam text, remember that phone numbers can be spoofed, with attackers pretending to be from a legitimate or trusted source.

“Accounts can be compromised. Social engineering can add unauthorized participants to group communications. The encrypted channel protects content in transit but does nothing to ensure the people at each end are who they claim to be,” the report said. The problem is that users often forget these limits and inherently trust that every aspect tied to messaging is secure.

The Metadata Gold Mine

E2EE also doesn’t hide metadata. Message metadata includes who is communicating, when messages were sent, how often communication happens, how long people talk or message each other, what kind of device was used to send or receive messages, IP addresses, and locations.

“The metadata problem is really that it’s the foreign adversary’s goldmine,” Christine Gadsby, chief security adviser for BlackBerry Communication, tells Security Management. Gadsby is also one of the authors of the report. “It’s their ability to take that metadata, whether it’s your name, your location, who you’re talking to at 4:00 p.m. every Tuesday… the ability to create dossiers and create an attack surface out of that information.”

One example was the Salt Typhoon attacks in 2024. Hackers with links to the Chinese government compromised the networks of multiple U.S. telecommunication companies and harvested unencrypted metadata. For Gadsby, this attack was a red flag: it signaled a gap in understanding of the place consumer messaging apps have in governments’ and organizations’ communication strategies, while threat actors were already targeting this vulnerability.

Nation-states can use unencrypted metadata to identify behavioral patterns, schedules, and relationships. This makes metadata as valuable as the content itself.

“Communication patterns reveal organizational structures, identify key personnel, expose relationships between entities, and signal operational changes. Location metadata tracks physical movements. Timing patterns indicate working hours, travel schedules, and response to events,” the report said. “…In sensitive environments, who attended a meeting may matter as much as what was discussed.”

Gadsby says that it’s important to remember that all metadata is exposed. Using a consumer messaging app like WhatsApp means that you have tied your phone number to your account, giving others the ability to start putting together a profile.

“Consumer messaging applications with a metadata factor were designed for ease of use. They're designed for anybody in the world to be able to talk to anybody in the world. And that's great that they're designed that way. Unfortunately, that doesn't limit then who has access to all of that stuff,” Gadsby says.

Organizations looking to limit metadata exposure should consider administrative control of devices used by personnel.

The way Gadsby sees it, administrative control would give the organization the ability to control devices used by their staff, including control of the use of messaging applications. Even within a messaging platform on controlled devices, there should be strict rules on how and with whom people can communicate.

“If you can't control metadata, if you don't control the verified identity, you don't control anything. …[Administrative control is] really the only way to make sure that the metadata that follows those conversations is stored and can be sovereignly stored by your own administrative controls,” Gadsby adds.

The Looming Threat of Quantum Computing

While consumer messaging platforms may be convenient for noncritical or nonsensitive communications among friends and family, they’re probably not the best choice for communications about critical infrastructure or national security. The same goes for corporate executives or high-ranking officials with access to trade secrets, intellectual property, and financial information.

Yes, the content being discussed in these messages is encrypted. For now.

Adversaries are still harvesting encrypted messages and sometimes just sitting on that data. While decrypting a message today might take months or years, quantum computing is expected to radically change this threat: attackers are betting that messages can be decrypted once quantum computers mature, the report said.

“Harvest now, decrypt later isn't hypothetical. It's how sophisticated intelligence operations work. That window to act is going to start closing,” Gadsby says. “…They know at some point quantum computing will be able to break that encryption algorithm and then they will be able to unlock what is in that file.”

Among surveyed security leaders, 61 percent believe that quantum computing will threaten current encryption within five years; however, 78 percent have not started implementing defenses against this threat, such as transitioning to post-quantum cryptography (PQC).

This transition isn’t just a single step. It takes years and involves certificates, protocols, hardware, software, vendors, budgets, and procurement cycles.

“Organizations that build for crypto agility, architecting infrastructure to substitute algorithms without rebuilding from scratch, will be better positioned for this transition and for future cryptographic standard changes,” the report said.

Gadsby suspects that organizations’ hesitancy to transition to PQC comes from uncertainty about the scope. “There are a lot of industries in general that just don't have a really good calculation of inventory of what they need to worry about,” she says.

She recommends that companies start in a way that is similar to the start of a threat assessment: determine what inventory or assets require protection, which in this case is encryption supported by PQC.

This can include intellectual property, elements of business development, personal information about employees and executives, financial data, and more.

“If it has value to an attacker, then it needs to be understood what the encryption level is and how do we make it quantum-proof,” Gadsby says.

While these assets will vary across industries and between organizations, the assessment should also involve third-party vendors and those in your supply chain. Gadsby stresses the need to hold those vendors accountable and recommends starting by asking what their risk exposure is and what their plan for quantum readiness is.

 
