Skip to main content

Good governance of collaboration tools in the workplace

Most companies have some sort of electronic communications policy. It’s probably been updated ad-hoc over the last few years to include new communications applications, but often lacks the enforcement tools that companies initially used when email first came about. With Facebook looking to take centre stage in business communications with Workplace it’s time for organisations to start taking the governance of social and collaboration platforms more seriously. 

For heavily regulated industries, such as financial services, the initial driving force behind managing data communications more effectively was compliance with a myriad of acronym loaded legislation from MiFID II (Markets in Financial Instruments Directive II) to MAR (Market Abuse Regulation). But there was a significant upside for firms achieving compliance—improved security and reduced exposure to internal fraud and litigation. 

Collaboration based applications have been infiltrating the working day for some time now. In 2015, it was reported that employees of one of the largest Swiss banks sent more instant messages than emails for the first time. Email accounted for just 48 per cent of the total communications sent by its employees. 

Facebook is following a trend of other messaging applications such as Skype for Business that started off life in the consumer world. But these real-time applications are very different from their static email cousins, and starting to understand now the potential impact of controlling, supervising and archiving them, will save time and resources in the future. Readdressing the balance between policy and enforcement of data communications use within an organisation isn’t a difficult task. 

As with most business issues a pragmatic approach is often the simplest: understand the need of the business, identify the policies and procedures already covered, and mitigate the remaining risk.

Define the channels to be used

Before an organisation can establish policies it’s essential to carry out an audit to discover who wants to use social media and other collaboration tools, and why. Armed with this information it’s possible to define the channels that can be used and by whom. At this stage it’s important to include key stakeholders such as sales and marketing, HR and IT. 

This ensures that no part of the business is left out of the plan and that all aspects are considered. For instance, customer service may insist on VoIP to keep call costs down, but each collaboration tool has their own idiosyncrasies when it comes to archiving. Determining the approved channel at this stage based on the needs of the workplace and the challenges in archiving will save time and money in reactive measures further down the road. 

But the approach needs to be pragmatic. While defining a set of permitted channels and blocking everything else sounds like a sensible approach, if the choice is too narrow it may drive usage of popular communication tools underground. 

Understand the need

Discovering the motivation behind people’s use of communications tools within the business will help to build the right risk infrastructure. Are there teams that work within “Chinese walls”? Does the post room really need access to Instagram? Do sales use instant messaging when closing a deal?  

Once an organisation understands how employees are using social media and collaboration applications to achieve business goals it’s easier to ensure the technology is available to manage them. 

Don’t forget that employees may well be reacting to market demand when they ask to use a specific application. If customers can’t communicate with an organisation in the manner of their choosing, they may well go and look for a competitor that can.  

Increase supervision

While the emergence of new forms of electronic communications and collaboration technologies has undoubtedly improved productivity, it has also increased an organisation’s exposure to data leakage, information theft and liability from inappropriate content. 

It doesn’t matter if the intent is malicious or not, the effect can be just as detrimental to the business. Increasing supervision and surveillance over all electronic conversations can enable organisations to pre-emptively identify and halt any irregular activity.

Understand conversations in context

Speed and accuracy in reconstructing past conversations can be crucial in legal situations. Unfortunately, the complex way in which employees, partners and colleagues communicate today can make this an almost impossible task. An agent dealing with a customer complaint on Twitter may switch to over to email. 

An instant message conversation may include several people who joined the conversation at different times, and numerous sideline chats between individuals as they discuss the main conversation on a one to one basis. Understanding the context of these conversations, who joined when and over what channel, will help the business in two ways. 

Firstly, it can help to identify rogue operators by highlighting unusual channels or interactions with people outside of their normal routines. Secondly it can enable legal teams to rapidly build a picture of a situation without relying on an individual’s memory or what happened.  

Archive in real-time

Modern communications tools have added another layer of complexity to archiving business conversations. A phone call started on Skye for Business, might also involve sharing additional information over chat or email. If it’s good news a user might even send out a message on Twitter. However, in order to view the entire end to end communication, several systems with differing capabilities may need to be accessed. 

Two years later when the legal team come to look at the deal because of a contract dispute, how easy is it for them to piece together the entire conversation? Especially if the person is no longer employed. It might be that the organisation has partially considered this and implemented ways to use their email archive to take a snapshot of social channel. 

But this only tells one part of the story. It doesn’t show that someone has deleted all of the message they know are against policy before the archiving process runs each day; or that a competitor is playing games with you by deleting their posts on social media conversation with you that then make you look bad. The only way to demonstrate your position – either just to shareholders or in a court of law, is an archive that captures everything in real-time. 

Good governance

The key to protecting a business from litigation, internal fraud, and other risks exposed by the use of collaboration tools is proper record keeping. This includes controlling, overseeing and archiving all conversations as they happen and retaining them in as near to their original format as possible. 

Regardless of how and when Brexit happens, certain legislation, such as GDPR (General Data Protection Regulation) will be in force before the exit and may well be entered into UK law regardless. By taking steps to follow best practices now, organisations can be confident of enabling new modes of communication and meet the stringent regulations that will eventually be imposed on all businesses.

Image source: Shutterstock/niroworld
Robin Smith, Technical Director International,

Robin Smith
Robin Smith, Technical Director International for Actiance, has over twenty years’ experience of security and compliance solutions within a wide range of networking and messaging systems.