A Lebanese trading company I spoke to last year had their entire client database โ names, numbers, purchase history โ sitting in a WhatsApp Business account on one employee's personal phone. When that employee left, they took the account. No backup. No export. Three years of customer data, gone.
That's not unusual. That's Tuesday.
Most Lebanese SMBs would recognize that story immediately โ because they're one resignation away from the same situation, and they know it. The WhatsApp group that replaced the CRM. The shared Google Drive folder that is "the server." The one person who knows every password because there's no IT department, and who may have already left, or been compromised, or both.
Nobody is writing about this. So let's write about it.
The infrastructure nobody audited
After 2019, Lebanese businesses went into survival mode. The focus shifted from "how do we grow?" to "how do we stay open?" Understandably, investments in IT and security went to zero or close to it. What filled the gap was whatever was free, familiar, and already on everyone's phone.
Which means the average Lebanese SMB is now running on:
- WhatsApp โ for client communication, internal coordination, file transfers, and anything requiring a paper trail that nobody actually kept.
- Personal Gmail accounts โ used for business because setting up a proper domain email felt like a project nobody had time for.
- Shared passwords โ one login for the accounting system, used by four people, never rotated, written on a sticky note somewhere.
- No backup policy โ because the data lives on someone's laptop and "nothing has gone wrong yet."
None of this was a deliberate choice. It accumulated. And now it's infrastructure.
No IT department means no one is watching
"We're too small to be targeted" is not a security strategy. It's a hope.
Automated attacks don't read your revenue figures before deciding whether to phish you. Ransomware doesn't check your employee count. The bots scanning for exposed passwords, unpatched systems, and misconfigured cloud storage don't discriminate between a multinational and a Beirut trading company with twelve people. They hit everything, and they let the results sort themselves out.
The crisis also created conditions that make social engineering unusually effective in Lebanon. Employees under financial stress are easier to manipulate. High staff turnover means more people with access credentials leaving, and more new hires with unclear access policies. Businesses desperate for payment are more likely to act on a fake invoice or a spoofed email from what looks like a trusted supplier.
WhatsApp is not business infrastructure
I want to be precise here, because "WhatsApp is insecure" is often said without explaining what the actual risks are.
WhatsApp messages are end-to-end encrypted between sender and receiver. That part is fine. The problems are everything else.
WhatsApp Business accounts are tied to a phone number. Lose the SIM, lose the account. In Lebanon, SIM swap attacks โ where someone convinces a mobile operator to transfer your number to their SIM โ are not theoretical. They happen. When they do, the attacker gets your WhatsApp, your SMS-based two-factor codes, and whatever verification links are sent to that number. Your bank. Your email. Your business accounts. All of it.
When a WhatsApp Business account lives on someone's personal phone, there's no separation between the business and the person. When they leave, what happens to the conversation history with clients? What happens to the files that were shared? Most of the time: nothing. The data leaves with them, and you have no legal or practical mechanism to get it back.
Every client conversation that happens in WhatsApp is data you don't own, stored on infrastructure you don't control, accessible to someone who may no longer work for you.
This isn't an argument against using WhatsApp with clients โ that ship has sailed in Lebanon, and fighting it is pointless. It's an argument against using it as the system of record. The conversation can happen in WhatsApp. The information that matters has to end up somewhere you actually control.
The attacks are already happening
Lebanese businesses get hit. They just don't talk about it, because admitting a breach is reputationally expensive and there's no regulatory framework that forces disclosure.
The most common attacks I hear about from clients and colleagues:
- Phishing โ fake emails or WhatsApp messages impersonating banks, suppliers, or government bodies. The quality has improved dramatically with AI-generated text. The old tell of bad grammar is mostly gone.
- Business Email Compromise (BEC) โ attacker compromises or spoofs a supplier's email, changes the bank account number on a pending invoice, waits for payment. Extremely effective in environments where email verification is informal.
- Ransomware โ encrypts your files, demands payment in crypto. Especially damaging for businesses with no backups, which is most of them.
- WhatsApp account takeover โ attacker tricks someone into sharing the six-digit verification code. Once they have the account, they message the owner's contacts requesting urgent money transfers. This one is embarrassingly simple and embarrassingly effective.
The common thread: none of these require sophisticated hacking. They require one person to click the wrong link or share the wrong code. That's it.
Where to start
I'm not going to tell you to hire a Chief Information Security Officer or implement ISO 27001. You're not there yet, and that's fine. Here's what actually moves the needle for a Lebanese SMB with no dedicated IT staff.
1. Use a password manager. One password for every account is not a password โ it's a skeleton key. LastPass, Bitwarden, 1Password โ pick one, get everyone on it, generate unique passwords for every service. This is the single highest-return security move a small business can make.
2. Turn on two-factor authentication everywhere that matters. Email, accounting software, cloud storage, banking platforms. Use an authenticator app (Google Authenticator, Authy), not SMS โ SMS is vulnerable to SIM swaps. Everywhere that matters means everywhere you'd be in trouble if someone else had access.
3. Move client data off WhatsApp. You don't have to stop using WhatsApp for conversations. Stop using it as your database. When a client shares something important โ a document, a decision, a spec โ it gets logged somewhere your company controls. A CRM, a shared drive, a proper project management tool. Whatever works. The key is that it's not locked in someone's personal chat history.
4. Know who has access to what. Make a list. Every service, every account, every login. Who has it? When did you last review it? Does the person who left six months ago still have credentials to your accounting system? This audit takes an afternoon and is almost always alarming.
5. Test your backups. "We have backups" is only true if you can actually restore from them. Backups that have never been tested are not backups โ they're optimism. Take one afternoon, restore something, confirm it works. Then set a calendar reminder to do it again in three months.
The Lebanese market has legitimate reasons for the security posture it's in. The last six years were not the time to be investing in IT audits. But the attacks don't care about the context. The bill arrives regardless of whether it's a fair time to receive it.
The good news is that most of the risk is addressable without significant budget. It requires attention more than money โ and for most businesses, the first step is simply deciding that this is worth an afternoon of attention before it becomes a crisis worth a lot more than that.
