The way businesses communicate and share information has been transformed by the pandemic. Microsoft CEO Satya Nadella, for example, reported seeing two years’ worth of digital transformation in two months during the April 2020 earnings results.
The rapid adoption of collaboration platforms such as Microsoft Teams, Zoom, Cisco Webex, RingCentral and Slack has enabled businesses to remain productive and connected, providing multiple ways for teams to interact with each other and with customers and clients. Now firmly embedded, these tools will continue to be integral to hybrid, work-from-anywhere and office-based workforces.
Legacy controls to reduce risks aren’t designed for the way organisations share information today
As these platforms have become the primary source for communications, focus has turned to the potential compliance and security risks created by these new ways of sharing information. They create unique challenges, and legacy controls that may be in place to reduce risks such as data leakage or malware in emails aren’t designed for the way organisations communicate and share information today.
With the global focus on data protection and a growing need to respond to litigation, requests and complaints, being able to access and retain robust records of communications is critical for every business.
Businesses face a number of compliance and security challenges. For a start, given the collaborative nature of communications, there’s a much greater risk of confidential information being shared either by accident or deliberately, such as exposing tax returns when sharing the wrong screen or sending sensitive payroll files or screenshots in a chat message internally or externally.
There are also personal conduct risks, as the boundaries between work and home blur, particularly given the increase in out-of-hours communication. Detecting potentially risky behaviour on screen presents new challenges. This can include interpreting contextual information such as emojis, reactions, gifs or deletions within chat messages.
In addition, challenges arise in finding records. The volume of communications and content is outpacing the capacity of those with compliance or security responsibilities to monitor risks and find records when needed. Being able to search and find information efficiently is critical for responding to client requests for accounting records and business correspondence, complaints, regulatory or personal indemnity insurance investigations, or to meet data deletion requests under data privacy rules. But identifying relevant records that span video, audio, screen shares, in-meeting or private chat, whiteboards, file links and more is proving to be a challenge.
Then there is the complexity of retaining records. The inability to capture and archive complete information prevents firms from complying with record-keeping policies or regulatory obligations. Particular challenges include capturing original content shared from OneDrive or SharePoint links, edited/deleted messages or images, or being able to recreate the natural flow of a chat conversation that spans several days or includes multiple participants.
Last but not least, communications need to be kept secure. Whether it’s preventing unauthorised access to video or audio calls, or removing risky content such as a malware link, protecting data is critical. Likewise, being able to redact sensitive personal or financial information shared in the normal course of business, such as bank account details or tax references in a chat conversation, is important to prevent unnecessary access internally and related data privacy issues.
The panel below provides a number of practical steps that organisations should consider.
Businesses have invested time and resources in collaboration tools to enable employees and customers to stay connected and productive. Making sure that communications and data are compliant and secure is the next important step to protect consumers, employees and shareholders.
Tips for data management
- Have policies and training in place. Your employees need to understand the expectations and requirements relating to acceptable IT use, data privacy, security, conduct and adherence to regulatory obligations.
- Take a risk-based approach. Given the volumes of communications, the potential risks are likely to outstrip your capacity to review everything. Focus on the risks most likely to have serious consequences in terms of customer harm or regulatory, operational, financial or reputational damage, and review a sample of the rest.
- Determine your review process. Set out the process for identifying risks and the appropriate routing for escalating identified risks. That could be a compliance officer or senior manager, and may vary depending on factors such as role, geography or level of risk identified. Make sure any sensitive data that might be included in a review can be redacted so it’s not unnecessarily exposed further during the review process, while still keeping a record for your audit trail.
- Check you can find records quickly. You need to be ready to respond quickly and comprehensively to internal HR matters and internal audits, external customer complaints, GDPR and data deletion requests, regulatory reviews or legal investigations.
- Maintain integrity of records. Ensure that records of communications and any supervisory activities including corrective action taken are held securely and can meet legal, tax and regulatory obligations such as legal hold capabilities or specified retention periods.