Protecting Your Organization from Communications Risk
Innovation Exchange Webinar Recap
Smarsh recently held its first Innovation Exchange webinar. To kick off the series, we focused our inaugural discussion on the topic of potential business risks in a new era of employee communications. This is undoubtedly front and center for many organizations, regulated or otherwise, as they adjust to their workforce communicating primarily through Microsoft Teams, Zoom, Slack and a variety of chat applications on personal devices.
We approached the discussion of communications risk recognizing that 1) we have all been thrust into this new way of conducting business with little time to prepare, and 2) some firms and employees are coping better than others with the transition.
As business goes on, however, meeting key deliverable dates and customer commitments remains a priority. And the new communication paradigm raises an additional quandary: how to stay productive and collaborative while using tools and technologies that mitigate unnecessary risks to the business.
Perspectives from Technology, Compliance, Investigation and E-Discovery Experts
We hosted recognized experts in the areas of technology, compliance, investigation and e-discovery to offer their distinct perspectives on communications risk:
- Matt Kelly, editor and CEO of Radical Compliance, publisher of a popular newsletter about corporate compliance and governance challenges
- Troy Paredes, head of Paredes Strategies, LLC, a consulting firm that focuses on compliance, financial regulation, corporate governance, and investigations. Previously, Troy was a commissioner at the SEC and professor of corporate and securities law
- Laurence Goldfarb, a compliance technology executive with almost 25 years working for some of the world’s largest financial institutions
Their cross-functional viewpoints highlighted a number of similarities — and a few key differences — in the ways they think communications risk should be managed. All agreed, though, that the challenges created by the abrupt disruption in the ways we work are leading toward a more cohesive view of risk management.
The Disrupted Workforce and the Resulting Success of Microsoft Teams, Zoom and WhatsApp
We began our discussion with what was an innocent, but suddenly loaded question: “How’s everyone doing?”
Only a few months ago it would have been hard to imagine so many organizations going fully remote. And the transition has been harder for some than for others. People are using Zoom for the first time (which has resulted in Zoom growing from 10 million to 200 million users in three months).
They have finally been forced to use the Microsoft Teams video camera (which has resulted in Teams video use growing by 1,000% in the month of March alone). They have finally given in to clients who interact via the encrypted WhatsApp platform (giving the already popular WhatsApp a 40% boost in usage).
The onslaught of online interaction has even brought about a new psychological affliction — “Zoom fatigue.”
We turned to the panel to hear what they are observing from their clients and colleagues.
- Matt Kelly: “The best way to describe the last week or two is that many compliance officers I talked to would say they're generally okay, but you can tell from the tone of voice how qualified and uncertain that is. I think the proper adjective for this current situation is a compressed disruption. Many people would have said, ‘We'll get to this sort of a world by 2030,’ and now we're going to get to it by June. Nobody had anticipated that. From late February into early April it’s just been emergency procedures. ‘Do we know that everybody is okay? Do they have Wi-Fi access? Do they have the tools they need to do their jobs?’ For a lot of companies, at first they just figured, ‘we are still in business, we can still communicate, we're all breathing. That's victory right there.’ Now everyone is trying to figure out what the new normal looks like.”
- Troy Paredes: “Organizations are now in the position of, ‘how do we manage this, and come out on the other side of it,’ which leaves a little more room for focus on compliance, control, policies, procedures and governance. The one thing the regulators have not said, and I don't think one can expect them to say is, ‘rules and regulations that mattered in January do not matter anymore.’ Maybe there's accommodation here and there, but the rules and regulations continue to persist.” He referenced a March 23rd statement from the co-directors of the enforcement division of the SEC, on market integrity. It stated that they “…wish to emphasize the importance of maintaining market integrity and following corporate controls and procedures.” Troy recommends using that as a regulatory north star while organizations navigate uncharted waters.
What are the Risks of Collaboration Tools like Microsoft Teams, Slack and Zoom?
Microsoft Teams, Slack and Zoom have enabled remote staff to leverage new modes of communication as a way to fill the void of office interaction, including video, persistent chats, and document co-authoring. So, how are firms ensuring that this increase in digital discourse isn’t introducing new security, data privacy, compliance and litigation risks?
Laurence Goldfarb addressed this new potential for cyber risk. He suggested that companies should take typical security precautions, including appropriate safeguards against phishing attacks and malware, and encouraging the use of strong passwords. But he also stressed the importance of monitoring communications for potential data loss and misuse of personally identifiable information (PII).
Cyber risk extends to the tool providers, too. Laurence said organizations should not assume that the presence of a SOC 2 or other certification will prevent people from acting inappropriately on a digital platform. He noted the recent cases of Zoom bombing as an example, where just sharing a private password access link can later wreak havoc in the form of an unwelcome visitor.
But he added that adequate preparation can go a long way. “If organizations use proper hygiene and protect their systems and everybody does what they're supposed to do, then a lot of the risk associated with using new communication systems can be mitigated.”
On the risks of potential violations of codes of conduct and communication policies, Matt said that person-to-person business practices that may have gone unnoticed are now suddenly translated into the online realm. Cybersecurity and fraud risks are increasing, but companies might not have sufficient policies and procedures because they hadn’t really thought about the compensating controls.
He noted particular frustration with conducting investigations around topics like workplace bullying and sexual harassment. “A lot of compliance officers are trying to get their heads around old types of misconduct that still exist in the online world.”
Risk Mitigation Strategies for Online Workplace Communication
We (hopefully) are near an inflection point, past the initial shock of being suddenly thrust into this situation. Now companies can face the reality of supporting a virtual workforce for a longer period of time. Our panelists gave suggestions for managing this change:
- Troy: “Compliance, surveillance and risk management need to match up to the ways in which people are now communicating. Formalizing, institutionalizing and conducting lessons-learned exercises when we get to the other side of this is going to be really important. Consider what these new processes of communication mean for risk management, technology, governance, surveillance. And what it means for record and communication capturing is going to be a really important piece.”
- Matt: “I think companies are investing in clarifying just what their communication policies should be and what the consequences are for not following them. Compliance officers are trying to invest time into strengthening relationships with IT, with legal, with HR, toward consensus about what we should try to do about company communication because there's been a whole lot of making it up along the way.”
- Laurence: “You need to make sure that the individuals understand the rules and that they’ve affirmed them and attested to following them. That should be done on a regular basis to make sure that the employees know what they can use and what they can't. Work with your IT group to understand how individuals can be able to safely use the tools that they need to be successful.”
A Cross-Functional Mission to Mitigate Risk and Manage Compliance
What happens when we emerge from this phase to the new new normal? Will there be cross-functional alignment on potential communication risks, and will those cross-functional teams come together to evaluate appropriate solutions?
- Matt: “We are already moving to a shared view of risk. What COVID-19 is doing is changing the velocity of that evolution. This is a high-pressure situation, especially when members of the board are inquiring about emerging risks. But I think that will drive the technology, the monitoring, the algorithms and the tools that we use, and that's going to bring people to a shared view of communications risk solutions.”
- Troy: “We've already seen a lot of cross-team, cross-functional engagement and interaction. It's important to have the business taking ownership on compliance, too. That's foundationally good for the business related to risk management and sets the right course. I do think that working remotely will persist to some degree. I’ll be optimistic and say, start planning for the future — for a reopening or rolling reopening or whatever we have the opportunity to do.”
- Laurence: “Company culture needs to continue to be ‘can do,’ so where there are problems or issues, things are getting taken care of. It has to be all-hands-on-deck to address these risks. This is extremely important, and that momentum will be appreciated by management through each new phase.”
These shared notes of optimism brought a refreshing close to the discussion. We are living in unprecedented times, collectively solving hard problems and learning new ways to adapt. The discussion suggested that this resiliency will persist, regardless of whether we are physically located in an office or working from home.
Addressing where business is now and where it may be in the future requires a confluence of people, processes, and technology. And the convergence of solutions to mitigate risk across technology, compliance, infosec, and legal teams can only serve to make our organizations stronger.
My thanks to the panel. I look forward to our next Innovation Exchange in July. Look for those details here, soon.
Watch the full "Protecting Your Organization from Communications Risk" Innovation Exchange webinar on-demand. (Quotes in this blog have been paraphrased for clarity.)