Ensuring compliance takes a front seat when using collaboration tools [Q&A]
One effect of the pandemic shift to working from home has been a surge in the use of collaboration platforms. Microsoft Teams alone just exceeded 250 million monthly active users.
But a new whitepaper from Theta Lake and Osterman Research, Archiving And Data Protection With Microsoft Teams, brings to light the strengths and weaknesses of native archiving and data protection in Microsoft Teams and why firms look to third-party solutions to address coverage gaps.
We spoke to Anthony Cresci, SVP finance, business development and operations, at Theta Lake, to discover how organizations can access the right archiving and data protection capabilities to ensure they remain compliant with regulatory obligations and industry best practices while using collaboration tools like Microsoft Teams.
BN: Has the rush to remote working meant legal and compliance concerns have taken a back seat?
AC: In most cases, unfortunately, yes. In the early days of the COVID-19 pandemic, businesses needed to continue to be efficient and productive from day one and were forced to implement work-from-anywhere models at an unprecedented, accelerated rate. As a result, compliance and legal requirements had no choice but to take a backseat. The inability to go to a physical office was such a transformative change that groups responsible for IT, Workplace Technology, and Collaboration were forced to take two- and three-year digital transformation plans for Unified Communications (UC) platforms like Zoom, Microsoft Teams, Webex, RingCentral, and more, and instead, implement them in days, weeks, and months to ensure businesses were fully operable and able to share information and communicate effectively. Unfortunately, those circumstances circumvented the standard processes where compliance, legal, and risk are more involved in the selection and deployment plans.
In order to meet regulatory obligations and industry best practices, it's essential to take into account the long-term archiving and supervision requirements for firms. If you're in an industry such as financial services with high standards of regulation and compliance, you would not be able to deploy a platform like Microsoft Teams without having the ability to capture, archive, and supervise those communications, especially globally. So, in a lot of cases, these organizations might not have deployed to all users, or the regulated ones, if they did not have some type of compliance and archiving solution in place. Those companies that did leverage these existing archiving and compliance solutions are also facing challenges as those platforms were built for email and struggle to capture all the rich ways employees can communicate and share information over MS Teams. Legal, compliance, and risk teams are now becoming more engaged, understanding that work from anywhere isn't a fad and needs a better compliance solution that is purpose-built for unified communications. Businesses are looking more strategically at how they can safely and efficiently deploy modern collaboration tools across their teams. Compliance and legal teams will be much more involved in defining the requirements and technologies needed to support this new hybrid work environment.
BN: What are the main risks of using collaboration tools?
AC: First, there's the regulatory obligation to archive communications which creates risk if you don't have the right compliance tools in place to archive those communications. If you look at financial services alone, over $150 million in communication monitoring fines in 2019 increased to $350 million in 2020. The fines and penalties are very significant and also create brand reputation damage; if you don't have the right compliance controls in place to deal with regulatory obligations, you leave your organization at great risk.
Risk was much more controlled when employees were in the office; they were on corporate networks and their communications were conducted through outlets like company email and the corporate drives. There were tools in place to help supervise how people share and communicate information. We're now sharing information in a host of different ways; one has been across chat platforms like Microsoft Teams or sharing information through screen shares or whiteboards in video meetings. But legacy compliance hasn't kept up with the innovation of the UC platforms. That's why there's a need for security and compliance solutions like Theta Lake to monitor modern collaboration platforms to detect how information is being shared across what is said, shown, or shared. Risks, whether data leakage, employee misconduct, inappropriate behavior, and more, can be flagged across all the ways that employees can communicate in collaboration applications.
BN: What are some of the biggest gaps in using Microsoft's native archiving capabilities?
AC: For some organizations, Microsoft 365's native archiving capabilities are sufficient, but for many other organizations choosing to use third-party archiving, compliance, and supervision vendors is a better fit for their needs. The Osterman report identifies a number of reasons why firms choose third-party archiving vendors and gaps in Microsoft Office 365's capabilities.
Second, in most cases, organizations don't have just one chat or meeting platform. They might have Microsoft Teams or Slack for chat, Cisco Webex for meetings, Zoom for a host of users, RingCentral, you name it, there are going to be multiple types of UC technologies inside their environment, and Microsoft doesn’t integrate into those other platforms. This means you're going to need to have multiple archiving solutions. This approach creates a lot of pain for compliance, legal, and eDiscovery teams pulling records of communication content. It's important to work with a vendor that is integrated with the leading UC platforms to provide a single point of capture and archiving, and integrates with third-party archiving solutions so firms can leverage existing investments in their compliance tools.
An even more important point when evaluating a compliance vendor is ensuring that their solution captures all the ways employees can communicate and share information within Microsoft Teams. This includes capturing edited or deleted messages, images, GIFs, reactions, and even capturing the source file when sharing content through OneDrive or SharePoint instead of just a URL. Some of these aren't always captured in the Microsoft Teams archive and you don't have the most complete record of communications that you need. Lastly, when you're talking about Microsoft Teams Meetings, you rely on third parties like Theta Lake to record effectively what was said, shown, or shared as well as capture electronic communications inside the meeting, including chat, whiteboards, and screen sharing.
BN: Where are the main areas that user demands come into conflict with compliance requirements?
AC: There are specific requirements for business preservation, archiving, and supervision of electronic communications and voice conversations. In the US, SEC 17a-4 Books and Records are among those, and in the UK, MiFID II requires voice recording retention. This means that in environments like financial services, compliance is very involved in decisions around choosing technology vendors and deployment. Most organizations would approach this by not turning on features and functionality that could create a compliance risk. For example, eComms comes into place with video conference capabilities inside video conferencing to do things like chat, polling, Q&A, or even whiteboarding. All of those features are considered electronic communications that need to be captured and retained, typically for five years. Now, in most cases, these platforms have enabled APIs for platforms like Theta Lake to go in and capture data. We have several partnerships with Microsoft Teams, Zoom, Cisco Webex, and more, where we can capture eComms inside of meetings.
These features and functionalities are typically some of the most highly requested by users because they increase productivity. So, when those features or functionalities are disabled, you don't get the full benefit of these platforms because compliance has essentially said, 'I can't be compliant if you enable these inside my environment.' Theta Lake can help employees be more productive by enabling safe and compliant usage of these features and functionality.
BN: What are the key considerations for choosing a third-party data protection solution?
AC: There is an increasing need and urgency to apply supervision and data leakage controls uniformly across all the ways employees can share information, instead of relying on legacy tools that only supervise email communications. The more sophisticated bad actors will go to channels like video that are more difficult to supervise, making it the riskiest channel. Therefore, having a compliance partner that can solve immediate needs, as well as future ones, for the way employees communicate should be a core part of any evaluation process. Look for someone who has expertise and experience building archiving and supervision tools that are purpose-built for unified communications and not tied to architectures that were built for text-based content like email.