Insider Risk in the Age of Microsoft Teams, Zoom Chat, and Unmonitored Messaging Apps

In 2024, AT&T suffered two major data breaches, exposing call and messaging metadata for more than 70 million individuals. The implications went far beyond lost records. They underscored a growing blind spot in modern organizations: the unmonitored sprawl of everyday communication tools.

Email is no longer the dominant mode of workplace correspondence. Today, business happens through methods like Teams threads, Zoom chats, and WhatsApp messages. Collaboration is quicker—but so is the chance for something to go wrong. A misplaced file, an ambiguous comment, an unintended recipient—each moment of informality can carry consequences. Insider risk is no longer limited to rogue employees; it includes anyone who slips up in an environment with few guardrails.

Defining Insider Risk in a New Era

Insider risk in 2025 goes beyond ill intent. It now includes three core profiles:

• Negligent insiders, who accidentally share sensitive data or fail to follow secure protocols.
• Malicious insiders, who exploit their access for personal or financial gain.
• Compromised insiders, whose credentials have been hijacked by outside attackers.

According to Verizon’s 2023 Data Breach Investigations Report, 74% of security incidents involve the human element. That means accidental behavior is often just as risky as intentional wrongdoing—especially when messages travel across multiple platforms, often out of view.

Messaging Platforms: New Tools, New Threats

Apps like Microsoft Teams, Zoom Chat, Telegram, and WhatsApp now power day-to-day business operations. Yet many of these platforms weren’t built with compliance in mind. Encryption, ephemerality, and bring-your-own-device policies can make it nearly impossible to audit or retrieve records when issues arise.

A recent SteelEye survey found that 63% of financial firms do not monitor employee communications on personal messaging apps like WhatsApp. That lack of oversight has already led to over $2 billion in regulatory fines for recordkeeping failures.

The FBI and CISA have both issued warnings recommending encrypted messaging apps to reduce exposure to cyber threats. But this push for secure messaging underscores a tension: communication tools designed for privacy may also elude corporate monitoring systems.

Why Traditional Surveillance Isn’t Enough

Legacy compliance systems were built for structured environments—email inboxes, document repositories, and scheduled reviews. They struggle to adapt to real-time, emoji-filled chat threads that may disappear in minutes. This gap is especially risky when conversations span multiple tools or involve material non-public information (MNPI).

Monitoring these tools is complicated further by legal constraints. Compliance teams must balance security with privacy, particularly in jurisdictions with strict data protection laws. Surveillance that overreaches could backfire—both reputationally and legally.

Adapting Insider Risk Programs to Meet the Moment

Fighting modern insider risk doesn’t mean banning chat apps. It means building smarter frameworks around them. That includes:

• Centralizing communications on approved platforms that include compliance-ready surveillance features.
• Using behavioral analytics to spot outliers and patterns instead of blanketing every chat with scrutiny.
• Establishing clear boundaries on how, when, and where sensitive topics should be discussed.

Organizations are increasingly turning to AI compliance software to manage the volume and velocity of digital interactions. These tools help distinguish between harmless collaboration and potential risk with greater speed and accuracy.

Culture Still Matters

Even the best tools can’t replace a culture of accountability. Employees need to understand why digital boundaries exist, not just that they do. That means regular training, leadership modeling, and consistent reinforcement.

Cross-functional collaboration is also key. Compliance teams need to work hand-in-hand with IT, legal, and HR to ensure policies are both practical and enforceable.

Why Communication Needs a Compliance Upgrade

With the average cost of a data breach hitting a record $4.88 million in 2024—a 10% increase from the previous year, it’s more important than ever that leaders address insider risks. As business moves further into the messaging-first era, insider risks will only grow unless organizations act now.

Staying secure isn’t just about preventing deliberate wrongdoing. It’s about acknowledging the ways real people work—and building systems and cultures that support secure communication without slowing down the business.

As Head of Business Development, Steve Brown is responsible for helping drive growth at Star Compliance, with a focus on go-to-market planning, data and vendor partnerships, channel sales, new markets, and mergers and acquisitions. Steve joined Star in April 2021, and brings with him 25 years of experience advising financial firms on regulatory compliance. Prior to joining Star, Steve was Director of Broker-Dealer Client Services at Compliance Risk Concepts LLC, a senior director at PwC, and Head of Fixed Income and Capital Markets Compliance at U.S. Bancorp Investments, Inc. Steve began his career at Wachovia, where he was Head of Global Investment Banking Compliance and Control Group, and is considered a pioneer in the control room space—having established the bank’s first formal control room function.