WhatsApp finally earns money by charging businesses for slow replies

Today WhatsApp launches its first revenue-generating enterprise product and the only way it currently makes money directly from its app. The WhatsApp Business API is launching to let businesses respond to messages from users for free for up to 24 hours, but will charge them a fixed rate by country per message sent after that.

Businesses will still only be able to message people who contacted them first, but the API will help them programmatically send shipping confirmations, appointment reminders or event tickets. Clients also can use it to manually respond to customer service inquiries through their own tool or apps like Zendesk, MessageBird or Twilio. And small businesses that are one of the 3 million users of the WhatsApp For Business app can still use it to send late replies one-by-one for free.

After getting acquired by Facebook for $19 billion in 2014, it’s finally time for the 1.5 billion-user WhatsApp to pull its weight and contribute some revenue. If Facebook can pitch the WhatsApp Business API as a cheaper alternative to customer service call centers, the convenience of asynchronous chat could compel users to message companies instead of phoning.

Only charging for slow replies after 24 hours since a user’s last message is a genius way to create a growth feedback loop. If users get quick answers via WhatsApp, they’ll prefer it to other channels. Once businesses and their customers get addicted to it, WhatsApp could eventually charge for all replies or any that exceed a volume threshold, or cut down the free window. Meanwhile, businesses might be too optimistic about their response times and end up paying more often than they expect, especially when messages come in on weekends or holidays.

WhatsApp first announced it would eventually charge for enterprise service last September when it launched its free WhatsApp For Business app that now has 3 million users and remains free for all replies, even late ones.

Importantly, WhatsApp stresses that all messaging between users and businesses, even through the API, will be end-to-end encrypted. That contrasts with The Washington Post’s report that Facebook pushing to weaken encryption for WhatsApp For Business messages is partly what drove former CEO Jan Koum to quit WhatsApp and Facebook’s board in April. His co-founder, Brian Acton, had ditched Facebook back in September and donated $50 million to the foundation of encrypted messaging app Signal.

Today WhatsApp is also formally launching its new display ads product worldwide. But don’t worry, they won’t be crammed into your chat inbox like with Facebook Messenger. Instead, businesses will be able to buy ads on Facebook’s News Feed that launch WhatsApp conversations with them… thereby allowing them to use the new Business API to reply. TechCrunch scooped that this was coming last September, when code in Facebook’s ad manager revealed the click-to-WhatsApp ads option and the company confirmed the ads were in testing. Facebook launched similar click-to-Messenger ads back in 2015.

Finally, WhatsApp also tells TechCrunch it’s planning to run ads in its 450 million daily user Snapchat Stories clone called Status. “WhatsApp does not currently run ads in Status though this represents a future goal for us, starting in 2019. We will move slowly and carefully and provide more details before we place any Ads in Status,” a spokesperson told us. Given WhatsApp Status is more than twice the size of Snapchat, it could earn a ton on ads between Stories, especially if it’s willing to make some unskippable.

Together, the ads and API will replace the $1 per year subscription fee WhatsApp used to charge in some countries but dropped in 2016. With Facebook’s own revenue decelerating, triggering a 20 percent, $120 billion market cap drop in its share price, it needs to show it has new ways to make money — now more than ever.

Altru raises $1.3M to improve recruiting with employee videos

Marketers are increasingly looking for social media celebrities and influencers who can promote their products with more authenticity (or at least, the appearance of authenticity) than a traditional ad.

So Altru CEO Alykhan Rehmatullah wondered: Why can’t businesses do something similar with recruiting?

And that’s what Altru is trying to accomplish, powering a page on a company’s website that highlights videos from real employees answering questions that potential hires might be asking. The videos are searchable (thanks to Altru’s transcriptions), and they also can be shared on social media.

The startup was part of the recent winter batch at Techstars NYC, and it’s already working with companies like L’Oréal, Dell and Unilever. Today, Altru is announcing that it’s raised $1.3 million in new funding led by Birchmere Ventures.

Rehmatullah contrasted Altru’s approach with Glassdoor, which he said features “more polarized” content (since it’s usually employees with really good or really bad experiences who want to write reviews) and where companies are often forced to “play defense.”

On Altru, on the other hand, employers can take the informal conversations that often take place when someone’s deciding whether to accept a job and turn them into an online recruiting tool. Over time, Rehmatullah said the platform could expand beyond recruiting to areas like on-boarding new employees.

Since these videos are posted to the company website, with the employees’ name and face attached, they may not always feel comfortable being completely honest, particularly about a company’s flaws. But at least it’s a message coming from a regular person, not the corporate-speak of a recruiter or manager.

Rehmatullah acknowledged that there’s usually “an educational process” involved in making employers more comfortable with this kind of content.

“These conversations are already happening outside your organization,” he said. “In the long-term, candidates expect more authenticity, more transparency, more true experiences.”

Two Months Later | SentinelOne and the GDPR

The General Data Protection Regulation (GDPR) is now in effect and organizations worldwide are working hard to ensure they are compliant with the new regulations. With that in mind, SentinelOne has invited Ian Thornton-Trump aka ‘Phat Hobbit’ to share his thoughts on the GDPR and how endpoint protection can help companies achieve compliance.

Endpoint Protection – the Frontline in the Fight for GDPR

As of Friday 25th May 2018, all organisations worldwide must now adhere to the protection requirements of the GDPR. Whilst some companies are well into their compliance journey, there are many out there with business models who are going to face challenges in quickly adapting to this new reality. It’s an interesting time either way.

Endpoint protection becomes the frontline defence in the battle against cybercriminals; there’s no point spending lots of money investing in cloud security if you haven’t looked at protecting the devices in the hands of the users. It’s those devices the cyber criminals target and it’s those devices on which the actual attack takes place – according to the SANS Institute, “75% of the time identified, impactful threats initially entered via email attachment.”

The Endgame

Ransomware – or worse – is the end result of an organizational security failure, in which there are three components: an exploit (either a software or human vulnerability), a Remote Access Trojan (RAT) and a payload such as WannaCry. Once the exploit has been triggered and the RAT is in place, you’re already looking at a GDPR violation because the system has lost integrity and an attacker can now choose to do whatever they want. In many cases, this is delivering a ransomware payload, but we’re seeing an increasingly diverse range of activities beginning to take place. Attackers, for example, are moving laterally through corporate networks, looking for privileged account credentials and credit card information before dropping their payloads.  

What Can be Done?

The GDPR is a new regulation, and the interpretation of regulations is similar to the interpretation of law – it’s done through precedents set in legal courts. Right now, there is still a lot of uncertainty about the application of the GDPR in the practical sense, but the key takeaway of it all is to make sure you’ve implemented a layered security model based on the personal data and confidential information you’re trying to protect. It’s also important to consider that installing anything and everything security will make you no more compliant than the organization that has taken the time to determine its level of risk and employed just two or three solutions to protect the integrity of their systems and data. Quality beats quantity every time when it comes to security defences.

Personal vs. Corporate Devices

With the mobile, BYOD era we operate in, many employees prefer to use their personal devices for work purposes. But then, who is responsible for the security of the device and the data it holds?

If the data belongs to the organization, they’re responsible for its protection – that much is clear. The company should have carried out a risk assessment to confirm they’re happy with the level of exposure the data has on the device, whilst also maintaining the ability, tools and techniques to locate and remote wipe the device should it be lost or compromised. Many organizations will also stipulate a minimum level of security required such as passcodes and encryption – this needs to be enforced. The end goal is to have evidence of data protection due diligence. A problem then arises if the device owner has been negligent in its protection, perhaps by sharing passwords or by not implementing them at all. At this point, the individual can be held to account, alongside the organization; look at the precedents set where unencrypted laptops have been lost or stolen.

Proving Compliance

When thinking about what you need to be successfully compliant, your organization needs the assurance the necessary security is in place and working. With the GDPR, it’s about assuring that the company’s systems have integrity and confidential data is secure.

You need to be able to prove that you’re compliant, and the only way you can do this is to have evidence. When you don’t have any evidence – or couldn’t even detect the attack in the first place – you’re in the unenviable position of having violated the GDPR. Chances are this compliance violation will be brought to your attention by an external third party, and not always a friendly one.

Many security products have the most amazing capabilities, but it means nothing if you can’t prove it. Any solution your organization implements should provide clear, concise reports summarising what’s going on, what is being found and whether all components are up to date. It’s these reports that will demonstrate compliance and which can be used as proof both to internal stakeholders and external agencies such as the supervisory authorities of the GDPR, for example the UK’s Information Commissioner’s Office (ICO).

What if I’m Breached?

So, your devices all have endpoint protection and you’ve got the reports you need to prove you’re working hard to comply with the GDPR. But what happens if you still fall victim to a data breach? It’s nearly impossible to be 100% compliant all of the time – there will be chinks in the armour. However, the due diligence will show you’ve made every effort to be compliant and that means the difference between receiving a crippling – perhaps even fatal – fine versus a warning from the ICO. Conversely, a breach can also turn out to be a silver lining. If you have evidence of how the network was breached and what was targeted, this can be used to assess what the true extent of the breach will be. It may not even be relevant to the GDPR if the data was not personal.

Some Advice

In addition to employing a trusted endpoint protection solution, my advice is to make sure data is properly segmented and secured so you know where it is stored and what protections are in place; this will help determine the level of risk that should be applied to the data. Equally important is the management of privileged credentials. These are the keys to the corporate kingdom and a veritable treasure trove to a malicious attacker – the first thing an attacker will go after is local administrator rights, followed by domain admin or root credentials. One inexpensive way to detect compromise is to create a tempting account such as “global administrator”. The attacker does not know you have an alert set to identify if anyone attempts to use the account to authenticate to a network resource. This is a low-cost way to detect a malicious actor with a foothold in your network.
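The decoy-account alert described above can be expressed as a small detection over exported Windows Security events. This is an added example, not code from the article or from SentinelOne; it assumes the events have already been parsed into dictionaries, uses the article's “global administrator” as the decoy name, and runs on constructed sample events.

```python
# Windows Security event IDs that record an authentication attempt.
AUTH_EVENT_IDS = {4624: "logon success", 4625: "logon failure",
                  4768: "Kerberos TGT request", 4776: "NTLM credential validation"}
# Assumption: the decoy account's name; nobody legitimate ever uses it.
DECOY_ACCOUNTS = {"global administrator"}


def normalize_account(name):
    """Reduce DOMAIN\\user and user@domain forms to a bare lowercase name."""
    name = (name or "").strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def decoy_alerts(events):
    """Return one alert per authentication event that names a decoy account."""
    alerts = []
    for ev in events:
        kind = AUTH_EVENT_IDS.get(ev.get("EventID"))
        if kind is None:
            continue  # not an authentication event
        if normalize_account(ev.get("TargetUserName")) not in DECOY_ACCOUNTS:
            continue
        # 4776 reports the origin as Workstation; the others carry IpAddress.
        source = ev.get("IpAddress") or ev.get("Workstation") or "unknown"
        alerts.append({"time": ev.get("TimeCreated"), "kind": kind,
                       "account": ev["TargetUserName"], "source": source})
    return alerts


# Constructed sample events (not real logs); field names follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2018-07-30T09:01:12Z",
     "TargetUserName": "jsmith", "IpAddress": "10.0.4.21"},
    {"EventID": 4625, "TimeCreated": "2018-07-30T09:14:40Z",
     "TargetUserName": "CORP\\Global Administrator", "IpAddress": "10.0.4.57"},
    {"EventID": 4776, "TimeCreated": "2018-07-30T09:14:52Z",
     "TargetUserName": "Global Administrator@corp.example", "Workstation": "WS-0457"},
    {"EventID": 4720, "TimeCreated": "2018-07-30T08:00:00Z",
     "TargetUserName": "Global Administrator"},  # account creation, not a logon
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_EVENTS):
        print(alert)
```

Because the decoy has no legitimate users, every hit is worth an analyst's attention regardless of whether the attempt succeeded or failed.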

However, all this advice is null and void if you don’t even know if an unauthorized person is roaming your network – which is why having good endpoint protection in place is a ‘no brainer’. With endpoint protection, you will know the moment someone sneaks onto the network, alerting your Security Operations Centre to the threat and giving them the information they need to thwart any attacker.
