Managing Collaboration Data in the Modern Digital Workplace
by Aware HQ
Courts and regulators are beginning to pay attention. It’s more important than ever for organizations to take control of their collaboration data.
The pandemic brought with it many changes for the workplace, including an overnight explosion in remote work. Data shows 67% of companies are expecting to remain at least partially remote post-pandemic. That means organizations are now faced with defining what a hybrid business model might look like.
The tools that enabled remote working were already on the roadmap for most organizations, but experienced dramatic acceleration. We uncovered a fifty-fold year-on-year increase in the data generated by digital collaboration.
Aware Head of Product Marketing, Betsy Sewell, and Chief Legal Officer Brian Mannion speak with a panel of information security leaders about this new dataset. Experts from T-Mobile, eBay, and AstraZeneca discuss the concerns that are top of mind, and how they’re handling the challenges of collaboration data.
Watch the webinar now or read on for the recap.
The Risks Presented by the New Dataset
What does collaboration data look like? Compared to traditional business communications, the messages shared via Slack, Microsoft Teams and Yammer, and Workplace from Meta are unstructured, informal, and hard to control.
They’re also not going away. A McKinsey report found that effective communication increased productivity by 25-35%, and business-centric instant messaging tools are fueling that growth.
What makes this data most effective is also what makes it so problematic from a governance, risk, and compliance perspective. Instant messages rely heavily on slang and shorthand with very little context, and include @-mentions, gifs, emojis and more. Compounding the problematic nature of the content is the complexity of the environment in which it’s created. Whether a channel is public or private, or a message is delivered directly to a single recipient, changes how it can be viewed and distributed.
With increased legal and regulatory scrutiny falling on collaboration, it’s critical for organizations to take control of this dataset. Here are our panel’s top considerations.
What Does the Collaboration Ecosystem Look Like?
What constitutes collaboration varies between enterprises. Of highest concern are instant messaging platforms such as Slack, Teams, or Workplace, but collaboration exists in many other locations, including:
- Workflow tools — Asana, SharePoint, Trello
- Audio-Video solutions — Zoom, Skype, RingCentral
- Productivity tools — O365, Google Workspace, iWork
- File sharing applications — Box, Google Drive, OneDrive
- CRMs — Salesforce, HubSpot, Zendesk
- Developer tools — GitHub, Bitbucket, Atlassian
Research shows that 91% of organizations use multiple applications. Almost all of them incorporate some messaging and collaboration features. In addition, many companies also uncover “shadow IT” — programs and plugins introduced by employees without enterprise oversight.
How do organizations make sense of this tangled ecosystem? And where can they install guardrails that mitigate risk? How can they empower workers to use collaboration tools, while remaining compliant with industry regulations?
The Challenges of Non-Standard Data
Traditionally, non-standard tools were the ones the enterprise didn’t use — for example, text messages instead of email. Non-standard communications were limited to isolated users and cases. Today, the meaning of non-standard is evolving to refer to data that has no standard protocol for collection and management. Collaboration tools are widely authorized across the organization, but legal and IT leaders lack formal policies for managing the data they generate.
As Aware’s Brian Mannion points out, this process isn’t new. From paper to email to texting, workplaces have learned to transition with technology and develop a nuanced understanding of the data they hold and how to control it. But modern collaboration data is different from its predecessors in several key ways.
How can information officers produce a Slack channel for discovery? Or determine what a custodian accessed in Teams? Years after a message has been posted in a public chat, where do organizations stop considering who might have seen it?
Determining the context of this data is also critical. Is it five messages either side of the target communication, or ten? Is it all messages within a specific time frame, or a particular channel? Collaboration platforms include so many connections that it can be hard to know where to draw the line. What is clear, however, is that IT and Legal departments must reach an agreement about what they consider standard for their organization and implement the necessary guardrails.
Considerations of Collaboration Data Collection
Defining collaboration data is the start of good management but doesn’t solve the complexity of collection. How do you prove that collaboration messages are relevant and haven’t been manipulated? Here organizations may find themselves at odds with the apps they use to increase productivity. Most apps enable custodians to modify or remove the messages they’ve posted. Capturing those revisions is a challenge for true collaboration information security.
Collecting this data is no longer a one-person job, but the role of an entire team. Organizations must go to the source of the data for regulatory compliance and internal policies. There, many discover that collaboration apps lack visibility of the true extent of the data that exists. A single message could include a hyperlink to a storage folder containing a thousand documents. These so-called “modern attachments” are top of mind for the panel’s data collection experts.
The Lifecycle of Collaboration Data
Granular retention policies are the norm across most organizations, but collaboration apps are rarely built with this functionality. That can lead to messages remaining accessible within the ecosystem long after they’ve outlived their usefulness. At this point, the risks of this data outweigh the benefits.
When establishing retention policies for collaboration data, organizations should evaluate the risk of retaining information against the cost of losing the knowledge it contains. Placing a value on retention — including security and storage — will help data security officers when setting retention policies.
Finding the Balance of Risk and Reward
Unchecked, collaboration data can prove extremely costly to organizations. JPMorgan was fined $200 million after failing to secure employee communications in WhatsApp. And in Benebone LLC v. Pet Qwerks, Inc., et al., a court compelled Benebone to produce internal Slack messages, despite Benebone arguing that doing so would be an “undue burden.” Benebone estimated the cost of eDiscovery to be $110,000 to $255,000.
The risk of failing to safeguard collaboration is clear. However, there are additional risks that organizations must consider. Too many controls drive employees away from authorized tools and toward shadow IT. This exacerbates risk by creating hidden environments beyond the organization’s control. It also represents wasted investment in the initial tools and controls the enterprise selected.
Collaboration platforms pose a new challenge for information security leaders, and time is running out to understand the new dataset. Aware can help. We offer the only full-stack, AI-driven compliance and people insights platform that allows companies to monitor, moderate, and search their collaboration data, mitigating risks and ensuring regulatory compliance across the enterprise. Request a demo to learn more.