With the mobile landscape in constant flux, companies must understand how employees and clients are using their mobile devices and how to stay ahead of the risks associated with them.
This presents an ongoing challenge for both IT and compliance teams. If you are on the path to compliant productivity register today for this webinar to learn about:
- The current mobile landscape for business
- How organizations can use mobile technology to be more effective
- A real-world example of a mobility assessment
Senior Director of Information Governance, Smarsh
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Vice President, Enterprise Sales & Channel Partners, Smarsh
Brian Panicko is responsible for evolving the active landscape of mobility solutions at Smarsh through direct assessment of customer objectives and analysis of business and technical market requirements.
Founder and CEO, Leatha Consulting LLC
Brandon Leatha, the Founder, and CEO of Leatha Consulting LLC, is an expert in digital forensics, e-Discovery, and data analytics. With over 18 years of technology consulting experience, he advises clients on digital forensic investigations, e-Discovery, and cybersecurity. Mr. Leatha has extensive experience with enterprise software including both on premise and cloud-based email, database, line-of-business applications, and custom software solutions.
Transcription of Webinar Audio
Davi Schmidt: Hi, everyone. We're going to give people a few minutes to join and we'll begin the webinar shortly.
Davi Schmidt: Hello, everyone. And thank you for joining us for today's webinar, The Time is Now: Understanding the Mobile Landscape. Please, be aware that all participants will be muted for the duration of the call. Feel free to submit any questions you may have via the GoToWebinar messaging app and we'll attempt to answer as many of them as possible. Joining us today, our presenters, Brandon Leatha, Brian Panicko, and Robert Cruz. And with that, I'm going to hand over to you, Robert.
Robert Cruz: Thank you, Davi Schmidt. And good afternoon, everyone. Thanks for joining us today. Talking about the mobile landscape today, and I think the things that we're finding in our travels is that there's a few gaps that hopefully we can help to fill. Gaps in terms of understanding of what technologies and solutions are available today to help control mobility. Gaps in terms of policies, what are companies actually putting on paper that outline the way that their employees can use mobile devices and the applications that run on them. And lastly, just an understanding of some of the technologies and the developments have been taking place over the past 12 to 18 months. I think there's some interesting technologies that we're starting to see very broad adoption across. And we want to share some of those things with you today. And also, just look at this from a discovery perspective, what are firms experiencing right now, as e-discovery is really becoming focused on mobile devices as the primary source of information.
Robert Cruz: If we go to the next slide, Davi Schmidt we'll first provide the disclaimer that we provide this material for information purposes only. We do not provide legal advice or opinions. And you must please, consult with your attorneys regarding compliance with applicable laws and regulations.
Robert Cruz: So moving into the agenda, what we'd like to do is first just real brief introductions from the panelists. We'll then talk about the mobility landscape, what are some of the drivers and things that are happening for the firm's that we're doing business with. We'll then raise some of the unique risks that we're finding coming up. And it's not just about compliance, it's about information security and data privacy and other things that might indicate that there is important information that's being communicated or exchanged on mobile devices that firms need to have their governance processes updated to address.
Robert Cruz: And then we'll spend probably the bulk of the time on the five steps, the things that firms should be doing to catch up with mobility inside of the organizations. And then just a quick recap on the back end, how Smarsh can help in some of the areas that we're providing solutions to address mobility.
Robert Cruz: So, next slide for the firms that .... Actually first, let's do the panelists. Let me first introduce our guests. Expert in the area of forensic analysis and e-discovery, Brandon Leatha. Brandon, thanks for joining. Could you tell us a little about yourself and your background in this area?
Brandon Leatha: Sure, Robert. Thank you. Again, my name is Brandon Leatha, and I've been working in the e-discovery and digital forensic space for just about 20 years now. Have been providing services to clients from everything from data collection and preservation, consulting, dealing with forensic analysis and review of documents, and production of documents as well as being an expert witness in e-discovery and digital forensics cases. Just an interesting tidbit, looking at 20 years in the space. When I was first in the area of doing collections and whatnot, a lot of the mobile devices at the time weren't even cellular connected.
Brandon Leatha: So I've been doing data collection for mobile devices since Palm Pilots and the early Research In Motion for BlackBerry devices that didn't even have a cellular radio in them. So I’ve seen a lot of evolution in the last 20 years.
Robert Cruz: Awesome. Look forward to hearing your insights. Next, over to Mr. Panicko Brian, the mobility experts. Tell us about yourself.
Brian Panicko: Thanks, Robert. Quick introduction of myself. I look after our channel partners as well as our enterprise sales teams at Smarsh. However, my expertise really comes from a background in mobility and mobile security. I spent close to the last 15 years or so, developing technologies for BYOD capture, encrypted messaging, encrypted voice, working very closely with international carrier networks for solutions.
Brian Panicko: So definitely have a very deep backgrounds in terms of mobile communications, and excited to share some of the things that we've seen in the field and Brandon mentioned, how easy this was, call it, 10 or 15 years ago, or at least easier, less complicated with things like BlackBerry devices that were given out to the entire organizations. And as mobile strategies within organizations have gotten more complicated, adding things like EMM and text capture solutions and behind the carrier mobile network recording has become so popular. So excited to share some things with you guys today.
Robert Cruz: Thank you, sir. And my name is Robert Cruz. I'm the Senior Director of the Information Governance Team here at Smarsh. Micro basically helps organizations to deal with some of the regulatory discovery and investigative demands that need to be addressed through our technology. So I work with the practitioners as they look at, how can you capture and control these sources? How can you implement your policies? How can you be ready for e-discovery? Whether it's mobile devices or collaborative content or social media, just ensuring that that data is available in a place that you can take action and stay in control.
Robert Cruz: So, if you go to the next slide, Davi Schmidt, just for those that haven't been exposed to Smarsh, or have not received an update. The main thing we do is basically enabling firms to use the communication channels of their choice. The communications that your clients are pushing you toward. If they want to be able to communicate over text messaging or over a collaborative network, we're providing the controls for firms to be able to do that. So, we provide technology both on the capture side as well as in the archiving space that enables firms to manage their supervisory obligations as well as e-discovery focused on the regulated industry. So financial services, government, and similar.
Robert Cruz: And basically from industry recognition, on both the Gartner as well as Forrester sides, been recognized as a leader both in terms of our innovation and our ability to support the next network that firms have to think about, as well as the adoption and the execution across all these new communication types. Two entities that have combined in the spring of 2018 Actiance, which was previously focused on the larger financial services firms, and Smarsh, who had been established as a market leader with over 6,000 customers in the archiving space.
Robert Cruz: So, with that, let's quickly get to the matter at hand today talking about the mobility landscape. And as we get to this first topic, I think this is where, Brian, you could give us an overview of just what's going on, on mobile devices today? There's clearly a lot of activity, a lot of things that are important to an organization. So why don't you walk us through some of the dynamics that you see here as visualized on the slide?
Brian Panicko: Yeah, very interesting, Robert. As you've seen, and this goes for regulated firms, financial institutions, which you see some examples of text messaging within the sensor segment that's coming up on this slide, but really goes beyond and cross vertical, whether its public sector, media companies, where mobile is everything. You've got groups of employees that you've allowed to bring their own devices in certain models and you're putting work applications on their phones, or you're giving out still corporate owned devices to these groups.
Brian Panicko: But I think one of the most neglected pieces that we see across the board is understanding that text messaging is electronic correspondence and should be treated in capture just like any other communications. One of the surprising things, and Brandon has probably seen this throughout the field as he's done some of this investigations too, is I think there's just a really weak level of policy when it comes to texting within organizations. I've worked with some of the top banks in the country, that their policy might read something like, "You can send text messages to clients that are not business related. But if it becomes business related, you can't send those texts and you can't respond to those test." Which ultimately, puts you in a pretty compromising position in terms of risk mitigation.
Brian Panicko: You know that if I just have coffee with you and we go to a Starbucks or you come into my office, it couldn't lead to just normal texting back and forth. And then all of a sudden, you might request something, I might be sending a PDF document or blatantly, maybe just because, me being productive and knowing that text is an easy way for us to communicate, maybe I'm just going to break the rules or break the policy and communicate this way, not because I'm a bad actor, but because I'm trying to get business done. So this is definitely something that we've seen across the board in terms of a lacking of really clear or defined policy on this.
Robert Cruz: And I think you raised some very interesting points, and just let's be real, everyone's got a mobile device in their hands right now. And I think the stats show that individuals, on average, are on their device 3.5 hours per day, which to me sounds a little bit conservative.
Robert Cruz: But if you go to the next slide, Davi Schmidt, I think what this really is a function of is, it's really a change in demographics. The immediacy in communications. If you look at this chart, it really highlights how different generations have their own preferences, their own desire tool of choice that they want to engage across. And as you see, as you move to the right, the need for the immediate interaction via chat and just having that response rate of 90% plus of a response to a text versus 20% for an email. So that need for that communication immediacy, is really driving a change in how companies are communicating and collaborating.
Robert Cruz: So I think if you look at the benefits and the results, Brian, I think what you can see here is, it's what individuals are experiencing, what are the benefits that firms or individuals have seen through the use of enabling their individuals with mobility. Can talk to us about some of the data here?
Brian Panicko: Yeah, super interesting. And when you see some of these percentages, it's some of these things that are just known. My phone is my alarm clock. It's right next to me, it's always next to me. When I'm on vacation, on my personal phone, I have my work email. So I'm constantly checking in on stuff. And its seemingly always available. Whether that's a good thing or a bad thing, or your wife or partner is going to be staring at you like, "When are you going to put it down?" But I think the point is, is because of mobility, we've become more productive, and we're always turned on.
Brian Panicko: I think one of the other interesting things, I found a stat the other day and Robert and I were presenting at the AMA conference and I talked about this a little bit, where I actually had a sales rep, who ended up negotiating a fairly large deal mainly over text messaging. And in thinking about this, I was actually auditing some of his conversations back and forth, because there was some confusion in terms of the final dollar amount. And it made me think a couple things like, first off, from a capture perspective, it's so critical to have the rich data with the edits and the deletes, to be able to really understand the context of the conversation. If you're doing these things post mortem, and you don't have that data available to you, you can't pick up on the ins and outs of these conversations.
Brian Panicko: The second thing that it really made me realize, and I looked up a couple surveys that actually back this fact that if your text messaging with your economic buyer, you actually have a 75% greater chance to close that particular deal. And when you think about this type of thing, how many of us as sales folks had sent emails out and the emails are not being responded to and it's easy for them to duck and then they finally catch up with you and say, "Oh my gosh, it was buried at the end of my inbox."
Brian Panicko: With mobile and text it's so different where text messages are typically read within 90 seconds of receipt and typically responded to within three minutes. So there's a different sense of urgency with this. There's a more intimate relationship that you have with that other person when you're communicating with text. So definitely, above and beyond just the basics of it being there and you being turned on, that can really affect your productivity as well.
Robert Cruz: Let's go to some additional metrics, I think some other data points here that worth calling out, Brian.
Brian Panicko: Yeah, so ... No, go ahead. You can go ahead and go to the next one. So really, what I like about this slide that we have on the screen talking about device-centric switching to user-centric. And Brandon, you may have some feedback on this too. This goes to the point that when we rolled these things out as an enterprise back in the day, and said we're going mobile, it may be a scenario where we buy a ton of BlackBerry devices directly from the carrier, the BlackBerry devices for locked down, everything sent through the bench server and we were able to capture thing.
Brian Panicko: But as workers came to the table and didn't like carrying two phones, one for business and one for personal and iPhone started to take over the world in the world of apps and the creation of Mobile Device Management and Enterprise Mobility Management started to show it space. We rushed as enterprise to satisfy our users and save costs from not having to replace devices. But things became so much more complicated in terms of managing this environment because it wasn't all defined yet.
Brian Panicko: But today, I really believe that our world is going from the Internet of Things, which we know we can connect everything to there's going to be a level of the Enterprise of Things where you're connecting to enterprise devices and your user persona, not necessarily your specific device or hardware persona, is going to be what runs your world.
Brian Panicko: Brandon, I don't know if you had any feedback on that, too?
Brandon Leatha: I do have an interesting analog to there. And one of the things is, it used to be when we were interviewing custodians for a matter for data preservation and collection, we would ask and have the question about, "What is your mobile device?" Well, that's quickly moved to, "What are your mobile devices," because employees no longer just use one mobile device. And the fact that that so many of these applications have great ways of handing off just in the Apple environment, being able to hand off from even a phone call or chat from your phone to your iPad, to your Mac means that all of these conversations are persisting across multiple devices.
Brandon Leatha: The other thing is that just the fact that a lot of the folks that work in corporate that heavily user devices, they're constantly upgrading. And so being able to keep track of where data is and manage them at the device level is very difficult, which is really brings home the importance of being able to manage them centrally. So if the device is replaced or damaged or a user's using multiple devices, you're not actually having to go to the endpoint or the individual device to preserve that data.
Robert Cruz: Yeah, I think these are both some interesting points that you guys raise. This evolution to user centric really is the beginning to the question of policy because it is multiple devices, multiple networks. The fact that we've got clients that have 50 or 60 different communication sources, it's really looking at how you can enforce these things across an individual. I think that's key. And I think it also takes us from the notion of, how do you protect your particular device versus how can you ensure that an individual across all the different touch points has the proper controls, has the proper training and policies are set to be able to address that individual. So, interesting data here.
Robert Cruz: Let’s keep going, Davi Schmidt, and move on to the ... Well, I think we probably covered a lot of these things just as far as the adoption. So why don't we just move to the next section, I think is probably the best place to go here. So I want to get to the question of risk. And this is where the gaps come in. And Brandon, as you deal with this question every day of the week, and firms asked you to come in and begin the expedition process for the forensic work on a mobile device. What do you seen companies, their understanding of the technologies that are out there, what expectations to have as far as what they're going to be able to produce if they have to manually collect from these devices? What do you seen, that level of sophistication and understanding, what does that look like today?
Brandon Leatha: Well, sure. So I think, first of all, very few organizations have the same story in terms of what they believe users have on their mobile devices versus what's actually there. So there may be a written policy that says that, "Text messaging is not to be used for substantive business conversations," or, "WeChat may not be allowed on a mobile device and cannot be used for business." But when we actually go to the process of collecting evidence for a case, you find, in many cases, a very different story.
Brandon Leatha: And what that has done is then requires a quick scramble to figure out, "First of all, can we preserve this data?" And a lot of the consumer driven applications that may be difficult because of end to end encryption and the fact that there might be different encryption at the user level and there is at the device level. That's one thing that I see quite often.
Brandon Leatha: Second is that, going to the devices and getting the data is just part of the battle. Once data is collected from these chat applications on a mobile device, then the next step is to figure out, "Well, how do we search and review and produce this data? Does it fit within our existing processes designed by company and vendor to review and produce data for litigation or investigation reasons?" And sometimes it does, but in many cases, these new collaboration suites, the data really doesn't fit in the traditional document email model. And so, it can be very time consuming and very expensive to figure out ways to take something like from slack or from WeChat or from chat and put them into the review process.
Robert Cruz: And I want to get to this fourth bullet here, actually the fifth one, the text messaging question about it being transitory or not containing business records. You mentioned something to me the other day, which I thought was fascinating. What percentage of discovery today is involved with mobile devices? What percentage would you estimate?
Brandon Leatha: I would have a hard time not saying 100%. Mobile devices, even if they don't seem to be initially involved in discovery, they always end up having some aspect or some relevant information in discovery. So very, very high percentage of electronically stored information relevant to cases are either originate or exist on mobile device.
Robert Cruz: That's amazing. And Brian and I have heard this come up many times where a firm says, "This is the first move. They're going to basically look for a forensic collection and it's going to take X amount of time, it's going to cost this amount of money," and really, that's just a cost of doing business or perhaps it really is a recognition that there is suitable technology where they can start to do more of these things proactively. Brian, what are your thoughts there in terms of just, how firms end up down this path without really examining other methods to be able to deal with mobility?
Brian Panicko: I think sometimes, and it always surprises me because, from a Smarsh perspective, we deal with some of the most regulated firms that you'll ever see. And sophisticated IT groups that understand the risk and the need and work closely with legal, but then you've got this whole other pocket of different groups, maybe influencer, but not necessarily the same regulated type firms that you have conversations and what are they doing, they're sending out literally 10s to hundreds of phones that they're confiscating from employees, both corporate phones that they provided to them or even attempting to get them to collected BYOD device and send it in for some type of forensics investigation.
Brian Panicko: And it's a huge challenge. And honestly, until really spending the time in the field and having the conversations, you don't realize how big it is. I was just with a firm the other day that mentioned that their average spend per device, and they've recently calculated this, is about $3,000 per user. And on top of that, the follow up question that I asked was, "Well, after you send this device in and/or use your own tools to scrape it, what are you getting? Are you getting valuable information?" And the true answer is, "Little to nothing."
Brian Panicko: Because as they go through and do their edits or deletes or they're using encrypted messaging applications, or whatever the case may be, they're not really getting a lot or maybe they don't even have the appropriate password permissions to access it. So it becomes critically important as you're rolling out mobile strategy, and not just from a physical perspective of the technology tools you put in there, but from a policy perspective to be very prescriptive and do your homework before you put these things together because it can become quite expensive. And obviously, the other piece of it is if you're spending the money, and you're not really getting the results that you wanted, anyway.
Robert Cruz: Exactly. And just the final thing that we hear is there will still be hands going up when we ask about prohibition policies. So in spite of the realities of how individuals are doing their jobs today, there are firms that we still see that have prohibition in place. And the follow up question is always, are you aware of how ineffective that strategy is? Or has that become an issue that you've been recognizing or attempting to address?
Robert Cruz: So let's go to the next level here. If you click, Davi Schmidt, into some of the gaps. And I think this is just really addressing the same points of just raised previously. From our upcoming compliance survey, if you click through, one of the things that comes out everywhere, is the concern that compliance executives have about the use of mobile devices. Number one, is amongst the top three prohibited channels requested by employees. Hence, is the problem with prohibition, 54% in those cases were it is prohibited, but you're getting that push from individual users to be able to support that network.
Robert Cruz: The second is that the sources of risk, texts and SMS, the question here I think really calls into need the focus for inspection and just how firms are now looking at what individuals are doing and whether they have supervisory processes that really are incorporating information and activity that's happening on the mobile device.
Robert Cruz: And finally, on the right side, the biggest gap. If there is a supervision or archiving solution in place today, what areas does that not include? And you see Instagram as well as text on the top there. Any comments guys here just in terms of understanding where these gaps are? Because this is regulatory, but I'm confident that on the litigation side, you're seeing very similar things. What do you guys think about this?
Brian Panicko: Brandon, I'll let you get started.
Brandon Leatha: Yeah. So definitely, I think just looking simply at the conversations that I have in terms of scoping a discovery project, text messaging buying far dominates that conversation with, "What are we going to do? We know we have to do something? Are we going to go to the endpoint to collect and if so, that's very expensive." You're also relying on the user to preserve in place and that's putting a lot of reliance on the user. But text has been one of those where they're just really is a significant gap and a significant risk and just dominates the conversations.
Brian Panicko: Yeah, and I have to compliment that in terms of these gaps. When I'm looking at the top left corner, and the most requested channels by employees, when I'm in the field, I hear three things that are very, very common, which is, "How come I can't text message with my customers?" And this is even a drive that comes from the millennial age where they're coming to work for a bank. And the bank is rolling out policies to say basics, like, "Text messaging is prohibited," it's very unattractive. And on top of that, you'll notice the encrypted messaging pieces, the WhatsApp and the WeChat.
Brian Panicko: Now, I think we are at a point where there's certain things that are going to be prohibited, being WhatsApp and WeChat for the most part, because they're encrypted messaging apps that are made for consumers, where text messaging and nowadays, this has been going on for 15 to 20 years, where there's groups like Smarsh that have developed very deep relationships with the mobile network carriers, where we can get this information in real time, eliminating that risk and that confusion from these missing text messages.
Brian Panicko: So it becomes super important ... And I'll mentioned other thing too, getting out of defense of vertical, that some of the most biggest growth that we've seen this year has been accounts that are outside of Forrester that are looking to capture text messaging for HR purposes. They've given out corporate devices, they let people text, but they're not reviewing the things that are being texted. So puts more responsibility on different departments to capture this information.
Robert Cruz: Yeah. And I think what's interesting also is that when you go to the next slide, Davi Schmidt, it's no longer an issue of, I'm concerned of what may happen in the future. These things are happening now, if you look at both regulatory enforcement actions is a steady stream of SEC and FINRA enforcement actions that center on the use of text messaging. So it's not at all unusual. We track these very closely with my colleague, Marianna Shafir.
Robert Cruz: And then also on the commercial litigation side, the cases are constantly arising, whether it's the Boeing, the case that's still unfolding as far as what individuals knew and how that information was being shared across text messaging. And then the unfortunate scenarios are an Antonio Brown and what he's doing on the text message and how that affected him personally and within his career. So you can see an endless stream of cases as well as actions from the regulators that firm should be taken note of and be looking to improve their productivity and dealing with these questions.
Robert Cruz: So guys, let's take it to the step or to the level of what you can do now. And I think there's a couple of things that we can raise here that firms can walk away with just in terms of enabling readiness. And probably the first one here, just, mobility is just another component of good governance. And just recognizing the fact that risk and value live anywhere. It doesn't live in a secured IT managed repository, it can live on a mobile device, it can live on a series of applications. So it's really asking firms to think about your governance practices.
Robert Cruz: And just one point I will raise here, but before I hand it over to you guys, is what we're seeing consistently across large and small firms is this notion of a governance council as your business users are pushing for the support of a new application or new device type. Having legal IT compliance, and now infosec and privacy, having them all engaged in the evaluation of, what are the risks? What are we signing up for here? What are the collection mechanisms? And is that justify the value that this gives us in terms of customer immediacy. So that's one, I think we're seeing pretty consistently.
Robert Cruz: But guys, what else pops out to you here from a governance perspective as far as how companies can think about mobility?
Brian Panicko: I'll just chime in and reiterate the fact that bringing the teams in early on when technologies are being evaluated is key. Getting legal and compliance involved in that process of technology selection and testing it, not just relying on the marketing or sales of during technology procurement to believe that it'll work. Let's move proof of concept all the way through and make sure that it works. I think that is absolutely key.
Brian Panicko: Another thing is, in the policy development, when the decision is to say, "No," make sure you have an alternate solution. Because if you say, "No, you're not allowed to use any kind of chat application, text messaging, etc." Users and employees will find a way. So it's much better to steer people to the preferred channel than to just say, no.
Brandon Leatha: Yeah, agreed. And to that point, too, I think it's so important to understand the, ask behind why users are looking to do something in particular, right? The ask behind text messaging, because it sets up a more close relationship with my buyer. Because I can close deals more easily, may that's the reason, versus, what are the reasons you're asking for WhatsApp? Is it because you're based in the UK and you're trying to talk to local countries?
Brandon Leatha: So I think understanding the why, before you go into the no, or the prohibition becomes critically important, because there's obviously numerous solutions for more of the problems, regardless of if the app can actually, if we can capture WhatsApp or capture WeChat, there may be different solutions that don't involve WeChat or WhatsApp that solves the same problem.
Robert Cruz: Great points. And I just would raise one other one, which is, you talked about it early on Brian and that one visual, it just the idea that this is not just about messaging. There's modalities that are being introduced and video and voice and recordings and emojis. Apple just announced a whole new set of customizable emojis that you can make look disturbingly personal. So all these things are information and you can have data that's important for a discovery or for a regulatory investigation, you have to think about that. Again, can you capture and preserve and ensure that these new sources of interaction are things that you are defining in your governance processes.
Robert Cruz: So let's talk to the next level here. And Brian, just the idea on the next slide of, setting up a mobile first strategy, and bringing folks together to specifically look at what they're doing, assessing their environment. Talk to us about this activity, where, again, there's multiple stakeholders and things that you want to do just to understand their landscape, understand where they're going and what they're trying to achieve. So how have you seen firms address this particular policy and strategy formulation piece?
Brian Panicko: Right. Yeah, so for the past, I'd say eight to 12 months, us, being Smarsh as a company has spent a lot of time taking our experts and spending time doing what we call mobility assessments in the field with our top customers. This is activities that, when I think of a mobility assessment, this is what you should almost be doing on your own as a company. And it starts with, we call it the mobility task force or internal texting team, whatever you want to call it. And to your point in the last slide, this team needs appropriate stakeholders from compliance, the IT, security, supervision, and probably most important, the actual users, your advisors, your broker dealers, whoever those end users are the actually using the solution.
Brian Panicko: What you find when you first get this texting team together is man is there a lot of confusion about it? Folks that don't understand that the simplicity of a corporate device, that we can capture native text is almost mind blowing to a lot of these groups and even showing that there's BYOD solution. So starts with that.
Brian Panicko: But then really gets into looking back at the current mobility policies or BYOD policies that you've put in place. And I stress that it's important to understand the true, underlined, capital letters, state of your strategy. Because it may be just so general that texting wasn't addressed, or maybe you used some type of language on a BYOD policy that says, "You can't use applications that the business can't capture." Protecting you maybe as an organization, but not empowering your group as users. And obviously, there's risks, there's gaps, there's limitations that exists when you do these type of things.
Brian Panicko: Next is spending time with some of our experts, whether it's our experts, or your internal experts to really take time to address your strategy. Look at benchmarking yourself against other organizations in the field that have been more proactive about text. You see articles that you can find online. There's a great Bank of America one that I saw some time ago that says, headline, "Bank of America greenlights texting for advisors." These are groups that have made commitments to mobile, and there's practices that we should be able to follow up from there.
Brian Panicko: Final couple points here to and feel free to chime in guys after that, but this really needs to be something that, from an executive level, there needs to be buy in. And again, circling back to that point that compliance and legal and user groups becomes so important. It's important for them to recognize that just prohibition and ignoring this is very costly and affects your organization in a number of different ways. So it's important that we're getting the right people focused on this internally.
Robert Cruz: I think these are great points. And Brandon, I think there's maybe a subcommittee or it's a portion of this exercise, if we go to the next slide. It's the engagement of the individuals that are responsible for the e-discovery playbook. And just making sure that they're assessing the time cost risk tradeoffs between different methods that might be used, if discovery from mobile devices is necessary. So what are your thoughts here, just in terms of, looking at some of the alternatives and having a good plan in place up front prior to a major event happening?
Brandon Leatha: Well, I think one of the key things is bringing mobile app early and often it's important. It used to be the last check in our checklist, and it often got left out in a meeting if we used a per hour and mobile wasn't talked about. It now needs to be front and center in all conversations about preservation through discovery.
Brandon Leatha: And I think that another key point is that it's not something to be afraid of, there are solutions out there. If you're going to bring in the technology for your employees to use, you need to bring in the technology to manage it. And so bringing it all the way through discovering and preservation and production is important, building it into the playbook, putting teams in place to evaluate that and test it and then doing the after action. When you have a matter and things didn't go well, evaluate what didn't go well and figure out how you can implement solutions to fix that so that it doesn't have the same cost and risk associated with it for the next time you have litigation.
Robert Cruz: Yeah, and I would assume that this is not just about litigation per se, it's also about investigation, departing employees, looking into issues that might arise from bad behavior that you need to now have a mobile strategy attached to as well, is that fair?
Brandon Leatha: Absolutely. And actually, Robert, that's a very good point. Earlier, in the slide, you had something about the onboarding and off boarding process. So I think that's really key during off boarding to really have a good playbook in hand for how to deal with that. I'll just give you one example, is that the whole key management, password management on mobile devices is not simple. And when you have an employee departing, and you confiscate a phone, are you sure that you're able to get what you need off that phone. And let's say it's even corporate owned and it's an iPhone and its corporate issued, even if the iCloud password is something that's administered and managed centrally, did that user put an iTunes password on which may limit the ability to do device extractions in the future?
Brandon Leatha: So those things, regardless of what the need is, whether it is investigation or internal audit, or discovery or compliance, they all need to be thought through thoroughly and processes need to be integrated from start to finish.
Robert Cruz: Great points. So let's turn now to the tasks around supervision and inspection. And I guess the theme here, it's just acknowledging that there's more complexity in trying to understand what took place over a persistent chat, or through the use of a bunch of emojis. And so when you look at the mobility as well as the collaboration areas, I think the complexity goes up on this chart because number one, it becomes more difficult for a tool designed for email to understand. Number two, I think just the basic adage that I've learned from my 16 year old is that, individuals who intend on doing wrong are going to go places where they think you aren't. So the scheme is going to be hatched somewhere where an individual things that they're going to be outside of the compliance or the inspection parameter.
Robert Cruz: So I guess the key thing here for me and your thoughts, gentlemen on just, looking at supervision, not just as an ongoing requirement for FINRA regulated firms, but also using it as a method of inspection. What exactly are people doing on their mobile devices? Where might there be instances where people are using WeChat or WhatsApp in an unauthorized fashion. So just making sure that you understand what's in this data and what kind of information is being shared on a mobile devices is good governance, not just purely from a supervisory perspective.
Robert Cruz: So, Brian, what are your thoughts here in terms of your ability to inspect and understand mobility as part of your supervisory processes?
Brian Panicko: I completely agree with your statement. It's where you go first is your mobile device. It's got your email, it has instant messages, you have the ability to send text messages, your Microsoft Teams or Slack, it's all mobile. So, I think on the last slide, it talks about reactive versus proactive. This is stuff that you have the ability to be proactive. That you don't have to go after the fact that something's happened to go search. And I think more and more firms are understanding that if I'm putting these work, "tools" in their hands, I have a responsibility and an obligation to watch what's happening on here, both to prevent company leakage IP, data and things like that.
Brian Panicko: But I mentioned it a couple times in this presentation, even just from an HR perspective, I mean that, you circle back to a case like that the things that are going on at Boeing, and all the folks that have lost their lives and supposed to text messaging that was going on internally, that was somebody watching those texts? Was this a huge conspiracy? Was this a lack of policy that they were workers that were sending text messages, but it was never captured, and now they're finding it from a reactive perspective. So these are real things that we deal with every single day.
Brian Panicko: And again, just goes to the point that, you can set up these strategies in a very intelligent way where we can be more proactive about the capture and inspection.
Robert Cruz: Yeah, and use cases that go across the spectrum here. I mean, universities and colleges and middle schools, just to understanding what individuals are doing, what university staff are doing. Text message laws that have been passed, such as SB 944 in Texas, that basically say, "If you are communicating with an individual doing the business of government, you have the obligation to capture that." So just knowing that those protocols are in place, I think you're seeing these things across the board.
Robert Cruz: So let's go to the final piece, which I think we've talked a lot about but really looking at training. And Brandon, you deal with a lot of organizations. How are companies building training programs to ensure that employees are not getting themselves into bad spots in how they're using their devices? Are you seeing companies make these more explicit, more specific to individuals and their job roles? What are some of the things that you're observing here?
Brandon Leatha: Well, first of all, I'll say I see the whole spectrum. I see, at a minimum, something in an employment agreement that has a use policy put in place, all the way to training through a training portal with ongoing and updated training says as policies change that that includes testing at the end of a session. And I think that these training solutions are very common now, especially in large organizations, for training employees on all different things.
Brandon Leatha: Integrating just an ESI training, and specifically mobile training is not a significant step to add that to an employee onboarding and an ongoing employment training process. So I think it works well and it helps to ensure that your employees are understanding and retaining the information.
Brandon Leatha: The other thing that I have seen that works well is to have people throughout an organization that are tapped with additional roles. And in the records' management world, you'll see records champions who are people within the organization that have additional training that can help answer questions to your peers. And it's not just going to IT for a question, but you're giving additional training to help disseminate the knowledge and information throughout an organization. And I see that works very well, especially in the area of new technologies and mobile.
Robert Cruz: That's a great point. And let me add just one thing that Brian, you mentioned earlier regarding your engagement of the users in your mobility for strategy. I think you raised the point that you need to understand how clients want to engage with you. What are the things they want to be able to do and ensure that those scenarios are called out either as acceptable or prohibited uses within your mobility strategy. So what are your thoughts there? Just build on your earlier comments.
Brian Panicko: Yeah, absolutely. I think that's one of the most important pieces is if you get those users involved, you find out so much more about the why's behind the what they're actually doing in these particular devices. And in formulating, what are the best options? There's so many different pieces that come with mobility, and specifically, I'm talking on texting where it's not just capture but it's TCPA, where they're sending out both text messages to a group of users. Could this be considered an auto dialer?
Brian Panicko: So there's concerns that I think from a user, they're like, "Why can't I do this? Why can't I do that?" But when you peel back the onion, there's reasons why certain things can't be done. And most users actually accept it when they get that particular explanation, but if you're not educating them on that, and training them on what the risks and what the reasons why you can't do certain things are, it becomes quite problematic and people start to break the rules. So I definitely echo the point, train, train and retrain.
Robert Cruz: Cool. Gentlemen, really useful insights here. Really appreciate you sharing your expertise. And just to wrap up here, I know we have a couple of questions, I want to save time for at the back end. Just to highlight at a high level, how we can help in this area. Really, the portfolio is comprised of three elements, the first of which is ensuring that we have the ability to capture these communications. And the strategy for us is to work with the source providers, work with a native versions of each of these communications so that we understand, what is the context, what's in a persistent chat? What are the different ways that individuals are using their mobile device. So having the ability to capture all that content natively, preserve its context.
Robert Cruz: And then deliver it in the second box, to our archiving technology. And the beauty of this approach is that all the understanding of context that's captured, we now preserve, and can playback within the archiving system to meet your supervisory or discovery obligation. So treating each communication source as its originally intended. We do that with a professional cloud, which is for our small medium sized firms as well as for the multinationals, the enterprise cloud product, and also our recently deployed government cloud that's enabling fed ramp certification for government agencies.
Robert Cruz: And then on the application side, it's just enabling firms to execute workflows, whether those are supervisory review, e-discovery, or talking to external applications whether those are legal review or content surveillance or business intelligence being able to deliver that information out so that you can get the additional insight, you can embed advanced analytics and get deeper into the data and understanding the user patterns and the areas of risk that you need to pay attention to.
Robert Cruz: So the platform, as we now click into the mobility components, Brian, you want to talk us through the approaches we offer here, specifically for mobility.
Brian Panicko: So as far as we certainly believe in enablement of tools that will make you more productive as a business and specifically with mobility. We've spent tons and tons of time developing relationships with some of the largest carrier networks in the world from AT&T and Verizon, to Vodafone, Rogers in Canada, where we are able to, as you mentioned, get the contacts directly from the source to avoid any edits, deletes are things that folks have done to manipulate the conversation.
Brian Panicko: So this has been critical, not to mention, from a BYOD perspective, partnering with the best of breeds in the industry to be able to capture fluently on both models, because let's face it, every single company has instances of BYOD as well as corporate devices that are still being issued out. And same needs and the same risks exists for both sets. So in terms of having a fluid ecosystem to take this information in, coming into connected capture and being preserved in an archive for search and legal purposes becomes huge. And that's exactly what we do.
Robert Cruz: Terrific. Shall we go to questions or do we want to cover any of the remaining ... I think we got a couple of slides left but you want to hit this real quickly, Brian?
Brian Panicko: Yeah, and just for kind of an architecture perspective of this, two main means for capturing voice and text. First, as I mentioned, the carrier networks. The relationships that we have basically, we're not capturing or scraping conversations or putting voice into captured text. The text is coming directly from the source on a corporate owned device where it's whitelisted for all intents and purposes of the carrier network, and they give us a direct feed.
Brian Panicko: BYOD operating a little bit differently, where there's actually a separate business application for text and for voice that has a separate business phone number that's assigned on that personal device. So in the same fashion, we work with directly with the source of BYOD applications and get the information in original formats and context.
Robert Cruz: Awesome. Last slide that, containerization.
Brian Panicko: Yeah, and finally, just to echo on the BYOD. This is something that a lot of folks haven't been exposed to, or maybe don't have an understanding of it. But the point is, you've got a separate texting. If I'm BYOD, my native text is my personal texts, just like as a company, you never let them send out emails on their yahoo email address, you shouldn't be letting them send out text messaging on their personal. There should be a separate business texting app with a business number with a very similar user experience. That's exactly what the solutions of today look like.
Robert Cruz: Terrific. And this leads directly into one of the questions I saw from Davi Schmidt, just sending over to me, on that previous slide. This really addresses how we would deal with data privacy. And so the question was pertaining to CCPA. So Davi Schmidt, if you just flip back really quickly. The notion of containerization here, what it's allowing you to do is it ensure that the business communications can be preserved in accordance with your regulatory obligations. And so the things that you're doing here are to meet a specific mandate, these are communications with your clients. And as long as the firm is transparent in terms of how they're using that data, it's specifically for that purpose. And you audit and log all the activities associated with that content once it's captured. That's fundamentally addressing the spirit of CCPA.
Robert Cruz: The personal information is transitory, it's not being preserved. All the additional things that an individual might be doing are not sources of information that are being captured and stored within the archiving solution. So, I think that separation from a mobility perspective is critical. And clearly more firms are going to be asking, "To what extent can you maintain that separation between business and personally use?" So very important consideration given the likelihood of having multiple data privacy laws across the US in the very short term.
Robert Cruz: Do we have any…
Davi Schmidt: Yeah, we have a couple of questions. So we'll try to get through as many as you can. How should friends address the several apps in policy, for example, WeChat.
Brian Panicko: So I can maybe get started on this one and feel free to add in. There's going to be certain apps that you're going to be able to enable from a productivity standpoint. Apps like WeChat and WhatsApp has not been opened up from a business perspective from those companies through the use of API's or open source API's that we can plug into to capture from the source. You see a number of different solutions, and we're actually working with some partner companies for WhatsApp, for example, where there's a bot that a user can invite to a conversation. And every time they invite that bot, it's going to capture what goes on.
Brian Panicko: I think the problem that you're going to see across the board with solutions like that is, it still requires some level of user action and user thought, which can screw things up in terms of compliance at different times. So for the most part, I think it's really understanding that certain apps were built to be encrypted messaging. Wickr and all these others that are built out there. And unfortunately, if that provider doesn't really want to open it up for business communications, or to companies like Smarsh, it becomes very challenging to approve those type of apps. Gentlemen, any feedback on that?
Brandon Leatha: I guess I'll just add that the apps like WeChat and WhatsApp from a forensic perspective can be very challenging to deal with. They're constantly changing, the operating systems of the phones are constantly changing. And all the forensic providers are playing catch up, always trying to reverse engineer how to extract data from it. So it can be very time consuming and expensive to collect those at the end point. And that is, if we can even collect them. Some of them are truly encrypted and cannot be pulled at the end point. So trying to find solutions upstream is always better.
Davi Schmidt: Awesome. That is all the time we have for now. Thank you everyone for participating in this webinar. Please note that the webinar has been recorded and a link to the recording will be sent out via email. If you ask a question and we were not able to get to it, we'll have someone follow up with you after the webinar to make sure all those questions get answered. You're also welcome to send any additional questions to us at email@example.com. Thanks again for joining us today. And have a great day.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.