A new study has revealed how much personal and behavioral data popular work apps collect from users, potentially exposing employees and businesses to cybersecurity risks.
The analysis by NEBRC, a police-led non-profit supporting SMEs with cyber security, looked at the privacy policies of the 50 most popular free business apps. It found social media and marketing apps gather the most data – holding around 29 different data segments on average. This is almost four times more data than security apps and three times as much as collaboration or HR apps, which use 7–9 data segments.
Meta Business Suite, LinkedIn and Uber were found to be the work apps that collect the most data segments. The most common data types held were contact information and user content like photos and videos.
Stephen Leach, head of business development at NEBRC, explained how employee device usage could leave businesses exposed: “Employees often add personal accounts and make online purchases on work devices, exposing them to unaccounted-for threats. The opposite also puts data at risk – accessing work files and apps from insecure personal devices leaves business data vulnerable.”
He advised businesses to have clear cybersecurity policies and best practice around device usage to mitigate risks from work app data collection.
The top 15 work apps gathering the most personal data were:
- Meta Business Suite (32 data segments)
- LinkedIn (25)
- Uber (21)
- Indeed Flex (21)
- Reed.co.uk (20)
- WhatsApp Business (19)
- Google Chat (19)
- Amazon Flex (18)
- Shopify (18)
- TotalJobs (18)
- Microsoft Teams (15)
- Zoom (15)
- Slack (14)
- Deliveroo Driver (14)
- Indeed Job Search (13)
Whilst apps are protected from known malware, no digital platform is zero risk. But businesses can limit threats through employee education and policy.
Poor password hygiene is a major factor in cyber breaches, yet passwords such as “123456” remain common. NEBRC recommends businesses use password managers, enforce complex passwords, enable multi-factor authentication and maintain separation between work and personal apps/devices.
Leach said: “You can’t control threats to apps themselves, but you can look at internal policies and behaviour to optimise cybersecurity.”