
Enterprise WeCom (WeChat Work) Adoption and Governance

Sting Gao

In China, WeCom (or WeChat Work) has been increasingly adopted by virtue of its powerful functions and its ability to integrate personal WeChat with enterprise applications. However, enterprise IT teams worry about the risks of a communication application that spans internal and external networks, especially in terms of content control, data security and compliance. Enterprises should analyze WeCom's features and architecture to better estimate and reduce the security and compliance risks.

Key Findings

■  Because WeCom is a social application that spans enterprise and personal use, it is difficult for enterprises to distinguish it from traditional communication software (e.g. MS Teams, WebEx Teams, Slack), and hard to identify the best application scenarios for WeCom.

■  Due to its special architecture, which integrates corporate and public networks, and its rich set of SaaS-based functions, enterprises have concerns about the content control, security and compliance of WeCom.

Recommendations

In order to successfully implement WeCom applications and reduce risks, enterprises must:

■  Analyze and compare the features and capabilities of WeCom, and align them with their business strategy in order to implement, apply, manage and operate WeCom more reasonably.

■  Avoid and reduce security and compliance risk through technical architecture analysis, establish appropriate development and operation teams and capabilities, and take into account China's overall cyber security ecology and related laws.

Analysis

Introduction

WeChat has always been the first-choice social application for Chinese people. With more than 1 billion active users, it is a multi-functional social platform that can meet almost all needs, from messaging, shopping and games to car-hailing. In addition to personal daily contact, more than 5.5 million enterprises and organizations were using WeChat because of the comprehensive services it provides. To avoid the disadvantages of using WeChat in a professional environment, the Tencent team developed WeCom (or WeChat Work) to create a clean ecosystem suitable for enterprises to achieve more effective communication and more exclusive services.

As part of the WeChat ecosystem, WeCom is a customized, business-dedicated version of WeChat for enterprise communication and OA applications, providing unmatched interoperability with WeChat and a similar user experience. WeCom has more powerful corporate communication functions and unified management of internal and external contacts. It helps the company establish connections with partners and consumers, internally and externally, like a CRM tool. It can also integrate corporate applications, and it provides a platform for building business applications or mini programs, as well as APIs for third-party apps, to solve challenges in the workplace.

Because of WeCom's powerful SaaS-based functions and complex application integration architecture, enterprises face risks and uncertainties in areas such as content management in application scenarios, cybersecurity, data security and compliance.

This article presents personal insight, based on an analysis of the functions and architecture of WeCom, to help companies implement WeCom applications in a way that brings benefits and avoids possible risks.

1. The Features and Application of WeCom

WeChat is China's most popular social app, with a monthly user base of more than 1 billion people. From the feature perspective, it covers almost all social application functions in the market and meets all scenarios in people's daily life. Besides basic functions like Message/Chat, Audio/Video Call, Contact, Payment, Moments and QR Code, it also integrates the organization Official Account, Mini Program and E-Commerce.

1.1 Features of WeCom

WeCom is based on WeChat and further optimized for enterprise application scenarios. Relevant functions include enterprise WeCom management, enterprise contact integration and authentication. In particular, it supports internal and external contact management, an open API development environment, and integration of third-party and enterprise OA tools and mini programs, making it more suitable for business application scenarios (see Figure 1).

Figure 1. The Screenshot of WeCom


As a powerful tool for business users to streamline operations and communication at work, WeCom can bring benefits in the following areas:

To better control internal communication, WeCom's internal communication function can accommodate up to 2000 users in group chats. Other functions include double-clicking a message to add it to a to-do list, checking whether a message has been read, and muting some or all group members. Considering the large number of users that may be added to the platform, several functions support effective user management: internal contacts can be divided into different departments and assigned different permission levels, and external contacts have a separate group to avoid miscommunication. Administrator users can access exclusive company management functions, such as adding or adjusting departments, setting user roles, and viewing weekly membership usage summaries.

To solve the pain points of using personal WeChat in the workplace, WeCom can help users fully concentrate on work-related activities, thereby separating personal space from the workplace. It allows users to exchange work-related messages without accidentally exposing them to friends, family or any other contacts not related to the business.

For integrated applications, WeCom can provide various applications tailored for business operations. Reports, business expense approval, employee check-in, company-paid phone calls, and corporate email are an indispensable part of WeCom and can be accessed under the Workspace tab. There are also a variety of third-party apps for areas such as mobile office, CRM, human resources, reimbursement, corporate culture, training, and workflow management. These applications can be added according to your needs and support your daily tasks with their unique functions. In addition, you can further expand these advantages by seamlessly integrating your WeChat official account with the enterprise WeChat platform.

1.2 Tools Comparison

As a collaboration tool for enterprises, WeCom did not enter this field early, especially for MNCs (Multinational Corporations). Enterprises already have related tools in place, from the earliest Skype for Business to Microsoft Teams, Slack, Cisco WebEx, etc., and even Alibaba's DingTalk is an earlier enterprise collaboration tool used in China. In terms of functionality, the main functions of these tools are similar, but each also has its own characteristics. In view of the growing application demand for WeCom in China, it is necessary to conduct some analysis and comparison (see Figure 2). The main difference I found is as follows: the great advantage of WeCom is its integration and intercommunication with the personal WeChat ecosystem, which goes beyond what traditional collaboration tools for internal enterprise use offer.

Figure 2. Enterprise Collaboration Tools besides WeCom


1.3 Application Scenarios

Based on the integrated features of WeCom and WeChat (the most popular social channel), an enterprise can connect with customers through the official account and content push, and its sales and customer service teams can communicate with customers more effectively. Customers can also contact the appropriate sales or customer service agents to better meet their needs.

Corporate sales staff can add a customer's personal WeChat as an external contact for the company. Corporate customers can access the “Chat with Us” function in the WeChat official account and send their queries to customer service or sales agents. Sales agents can view these messages on their corporate WeChat account and continue the conversation directly there. The “Inheritance from former employees” function is also available. This feature allows a new employee to take over all client resources from a former employee, allowing for a more seamless handover.

In general, WeCom can better connect with customers, facilitates the establishment of enterprise private domain traffic, and plays an important role in the enterprise's marketing and sales scenarios.

2. The Architecture and Security of WeCom

WeCom is not only a SaaS application integrated with the WeChat ecosystem; it is also integrated with enterprise contacts and internal applications. Taking into account the integration and network connections between systems, and with reference to possible user application scenarios, I drafted the following architecture diagram (see Figure 4), which covers the connection between enterprise on-premises systems and public SaaS, API applications, and content data transmission and storage.

Therefore, companies should pay attention to WeCom's security in terms of compliance, data security, operational security, and basic security, and strengthen end users' security awareness of WeCom, so that the enterprise can calmly respond to various Internet attacks, prevent leakage of corporate secrets and user information, and protect information security for the enterprise and its users.

Figure 3. The High-Level Architecture of WeCom


2.1 Content Control

WeCom faces the same challenges as other internal collaboration platforms such as Slack and Teams. Because of its connection with the public WeChat ecosystem, any risk related to users' WeChat messaging content further complicates the issue. This means that companies using WeCom also bear all WeChat risks.

Because the amount and speed of communication are extreme, the corporate IT or security team must keep up with the pace of communication and review all content, messages, files, and links. A lack of visibility opens the door to all the risks of insecure collaboration: malware, ransomware, spear phishing, data leakage, etc., followed by compliance risks, including human resource issues and cyberbullying.

Potentially, WeChat message content may contain the following risks:

External threat: WeChat attacks usually start with ransomware attacks in the form of malicious links and attachments. Phishing attacks via WeChat usually involve some form of social engineering.

Insider threat: Billions of private records are leaked every year. Almost 90% are leaked through insiders, both malicious and accidental. WeChat does not have an end-to-end encryption security function, and criminals can easily access and retrieve information found on the platform.

2.2 Security and Compliance

In addition to WeCom's content risks, there is also a series of unique considerations for the Chinese market.

Regarding national surveillance, companies need to understand that all files, images, videos, recordings and information processed and stored by WeCom are inevitably subject to the strict security and surveillance regulations of the Chinese government. To manage compliance risks and meet audit requirements, meticulous filing and recording are more important than ever, but WeChat itself does not provide such services. The way employees communicate may expose them to compliance risks without their knowing it.

Of course, in addition to the above potential risks, companies also need to consider secure system integration, standardized API calls, encryption of data in transmission and storage, data backup, and compliance review based on the relevant local and global laws, such as the China Security Law (CSL), the China Data Security Law (DSL) and the General Data Protection Regulation (GDPR).

3. Summary

WeCom is a powerful application that can solve the pain points of many organizations by providing enterprise-level management and collaboration. Especially in corporate marketing and sales applications, it can be fully integrated with the WeChat official account, effectively establishing the connection between the company and its customers, and extending its use from the workplace to the marketing world. Of course, companies should also make the right choices and apply the right controls, pilot WeCom through an iterative method, and build an appropriate team and capabilities for WeCom operation, including function management, content management, system integration, application development, security and encryption for data transmission and storage, and security and compliance checks.