The Effect of Remote Work and Collaboration Tools on Information Governance
COVID-19 has forced radical changes in how employees communicate. Legions of personnel now work from home when they previously didn’t. They use software tools (Zoom, Slack, Skype, and many more) to communicate electronically when previously they could just lean over their cubicle wall to chat up a colleague.
That has profound implications for regulatory compliance, cybersecurity, and even litigation risk. Threats that had once been remote might now be enormous; or business processes that previously had strong controls might now be much more, ahem, “free form.”
In that world — which is the one we’ll all occupy for many months, if not years — effective information governance becomes much more important to get right. Every scrap of employee communication becomes a piece of information; and like any other data, it can be stored, analyzed, hacked, subpoenaed, or exploited by anyone.
That’s the information governance risk COVID-19 is forcing upon us. Mitigating that risk is the task compliance officers and CISOs need to get right.
Managing Communication Risks in a Work-From-Home World
Foremost, your company’s ability to govern employees’ IT usage degrades because they aren’t physically present in the office. You can steer them to preferred software tools and secure virtual private networks, but forcing those behaviors becomes much harder.
For example, a sophisticated IT system could block certain third-party software from running on its corporate network — but plenty of firms didn’t have those sophisticated IT systems in place even before coronavirus struck. The rush to adopt mass work-from-home policies didn’t help. The ability to govern how employees do their job, and with which specific tools, has become harder.
Second, what employees communicate also changes in the electronic world. We all know (most of us from personal experience) that people sometimes say things via social media or an email that they would never speak to another person aloud. Or intention is misconstrued, or ambiguity created, where that wouldn’t happen in face-to-face communication.
Taken together, those two forces are a dangerous mix. They can create confusion, inefficiency, or the dreaded “adverse risk event” — whether that’s a failed regulatory examination, a lawsuit from aggrieved employees, or hackers absconding with valuable data.
How to Adapt Communication Policies After COVID-19
One critical first step is to develop clear, precise, relevant policies and then follow up those policies with training.
The plain truth is that for many procedures companies changed to adapt to COVID-19, where weaknesses in control were created as part of that shift — there are no compensating controls a compliance officer might easily drop into place to seal up those new weaknesses.
Instead, the employee’s understanding of policy serves as that compensating control. Granted, that approach isn’t ideal, but for many firms, that will be the best they can do in immediate circumstances.
So right away, that reality drives up the importance of policy management, and of understanding employee behavior. Compliance officers will want to know: “Does our policy actually work? Do people understand it and follow it?”
Answering those questions will drive a few more priorities upward. For example, firms will need strong data monitoring and analytics capabilities. For example, a financial firm following regulatory requirements for employee surveillance would want to monitor the volume of communication on employee messaging apps. A drop in the typical volume of communication might suggest employees have flocked to some other app, perhaps trying to hide from supervisors’ eyes while everyone works remotely.
Businesses will also need stronger capabilities for data storage, document retention, and even document destruction. They’ll need to understand, essentially, “If our policies direct employees to process information in this way, then we should see the records and data appear in these databases in this format” — or to understand when those expected results aren’t happening.
Long-Term Communications Compliance
Most compliance teams have been taking these steps since COVID-19 struck in March. What we need to navigate now is embracing these steps as a permanent evolution in business, rather than an ad hoc response to a challenge nobody was expecting four months ago.
For example, compliance, IT, and security functions will need to collaborate more closely to build these tech capabilities. They’ll also need to communicate more effectively with senior executives about key risk and performance metrics to monitor. They should also consult with business operations teams to assure that new policies and controls they do establish will take root with employees rather than become an obstacle they evade.
That’s how information governance succeeds: by integrating compliance into business operations, and relying on strong data analytics capabilities. Neither of those things are new trends in corporate compliance, but COVID-19 is accelerating them. Compliance officers need to respond accordingly.
A cloud-native, context-aware, extensible archive for global enterprises with complex security, data privacy and regulatory requirements. Learn More
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.