We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).
First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.
Second, senior management — both in IT and in lines of business — have seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.
Third, there are some advantages that businesses can realize from employees using their own devices. Lower cost is one, because IT doesn't have to purchase devices for some employees, but another important benefit is that IT doesn't have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren't exactly sure who is responsible for doing so: IT, the employee's manager, HR or someone else. A survey we conducted some time back asked, "when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?" Only 43 percent of respondents were "completely confident" that the mobile service had been deactivated, and 11 percent were either "not really sure" or simply didn't know. Having employees use their own devices and service plans gets around this problem nicely.
To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems: IT not knowing where all of a company's data is stored, being unable to archive that data properly, being unable to produce all of it during an eDiscovery effort or a regulatory audit, large volumes of duplicate data, no authoritative record for corporate data, a greater likelihood of a data breach if a device is lost, and a potential inability to satisfy regulatory obligations.
That last point is particularly important, especially in the context of the European Union's General Data Protection Regulation (GDPR). A key element of the GDPR is the data subject's "right to be forgotten" (the right to erasure, Article 17), which translates into a data controller's obligation, on request and absent an overriding legal basis for retention, to locate and erase all of the personal data it holds on that individual. An organization that cannot first determine what data it holds on a data subject, and then cannot find all of that data, risks violating the GDPR, and the penalties can be enormous: up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.
Osterman Research has found that roughly one-third of the typical information worker's day is spent working on a mobile device, and an even greater proportion of work-related content is accessed using mobile devices. The growing use of mobile devices is driven by a number of factors, although the use of personally owned devices is a key factor in their adoption in the workplace. As shown in the following figure, the use of both company-owned and personally owned smartphones is on the increase.
The use of messaging applications on mobile devices, such as email and SMS/text messaging, is among the most common uses of mobile devices in the workplace. The vast majority of users who employ a smartphone for work-related purposes use some type of messaging application on a regular basis.
There are a number of difficulties associated with the archival of text messaging content. For example:
Text messages sent using telecom carriers are often retained only for brief periods, so these providers cannot be relied upon as a source of archived text messages over the long term.
Since some companies operate in multiple countries using carriers that often do not provide any sort of text messaging archival service, enterprises often employ different methods to archive text messages, such as doing a physical backup of a device.
Further complicating the archival of text messages is the lack of a common archiving method across devices. Some solutions pull content directly from a server (e.g., the BlackBerry Enterprise Server), while others install an app on the mobile device that transmits text messages to the archive. Other tools, such as SMS Backup+ for Android devices, copy text messages into a user's Gmail account, where they can be backed up or archived indirectly.
The bottom line is that using various and inconsistent methods to archive text messages makes the process inefficient, expensive and prone to error. The result can be incomplete archives of text messages, along with the legal and regulatory consequences that follow from such gaps. It is therefore essential to choose a vendor that can provide a consistent and unified method for text message archival.
We have recently published a white paper on text messaging archiving that you can download here.
In the case of Green v. Blitz USA, Inc., a wrongful death case in which the plaintiff's husband was killed by an exploding gas can produced by the defendant, the jury ruled unanimously in favor of the defendant. Because of a high-low agreement into which the parties had entered during jury deliberations, the plaintiff received a relatively small payment from the defendant. However, a year after this case was settled, the plaintiff learned that poor data collection practices by the defendant had led to the non-production of key documents that should have been produced during eDiscovery. Although the time limits of the Federal Rules of Civil Procedure (FRCP) prevented the judgment from being reopened, the court ordered that:
The defendant must pay $250,000 in civil contempt sanctions to the plaintiff.
The defendant had 30 days to provide a copy of the court’s ruling about its poor collection practices to every plaintiff that had a case against the company during the past two years.
The defendant was ordered to pay an additional $500,000 sanction, which would be extinguished only if Blitz complied with the court's orders in this case.
For the next five years, the defendant was required to provide a copy of the court’s order as part of its initial pleading or filing to every party in every lawsuit in every court in which it might be involved.
Clearly, improper data collection can result in potentially severe sanctions.
Think about the process of sending a single email to one individual:
You create and send an email and a copy of that email is placed into your Sent Items folder (copy 1).
The recipient receives your email (copy 2).
Your email admin makes a nightly backup of your email inbox (copy 3).
The recipient’s admin does likewise (copy 4).
Your company’s archiving system places a copy of your email into archival storage (copy 5).
Ditto for the recipient’s company’s email archiving system (copy 6).
The email you sent to recipient A gets forwarded to someone else (copy 7).
That copy gets placed into a backup and archive (copies 8 and 9).
You, your original recipient and the recipient of the forwarded copy access corporate email on a smartphone and a tablet (copies 10, 11, 12, 13, 14 and 15).
Now, let's say you decide that you want to delete all of your old email because you're afraid of incriminating evidence that might turn up in a lawsuit, a regulatory audit, or because you're running for political office (ahem). Good luck with that. At best, you might be able to delete copy 1 and, if the recipient is nice, copy 2. Copies 3, 4 and 8 might disappear as admins reuse backup tapes over time, or as the various mobile devices on which your email is stored delete older content. But that means that of the 15 or so copies of your email that exist, only about one-third to one-half will ever really disappear.
What should you do? First of all, disabuse yourself of the notion that you can ever completely delete your email. You can’t – it exists and may exist forever in some cases. Second, realize that email will stick around despite your best efforts to purge it, and so plan on it reappearing at some point. That means that if you have incriminating emails floating around your company, it’s best to archive them reliably and prevent their alteration so that at least you have the same evidence that the other side will almost certainly have in a lawsuit or a regulatory audit. While the ideal state is never to have incriminating emails, if you have more than zero employees in your company that’s unlikely to happen.
All of this sounds quite basic, but our work has demonstrated that some are still under the false impression that the process of deleting email actually deletes email. In reality, it does delete email, but only your copies of it; most of the other copies are still out there somewhere, outside your control. The best you can do is ensure that you retain copies of your email that you can reliably assume others will also have.
Archiving as a defensive tool is well-trod ground: it’s an important best practice for eDiscovery, litigation hold, regulatory compliance, storage management, and end-user access to content. Every organization should archive their employees’ data to ensure they can meet these defensive uses of archiving – what we call Archiving 1.0.
But what about Archiving 2.0, or a more proactive use of archived data? Here are some things you can do with your archives:
Investigations: The ability to extract intelligence from the content within email archives can significantly reduce the amount of time spent on investigations, such as early case assessments in advance of an anticipated legal action, an investigation about inappropriate employee activity, or an investigation about why a key customer account was lost.
Sales support: Communications with customers independent of a CRM system can be used to determine how sales, support and other staff members’ emails correlate with customer retention and follow-on sales. Similarly, the speed and quality of responses to customer inquiries can be correlated to sales in order to determine how best to respond to inquiries in the future.
Risk mitigation: Archived data can be used to mitigate the risks of data breaches, employee fraud and related threats. Senior managers can identify employees who are more likely to commit fraud, for example by looking for managers who treat their employees badly, and can find employees who are communicating with competitors, transferring sensitive files to a personal email address, or running a personal business on company time.
Customer service: Archived data can be useful in determining who in an organization is talking with specific customers, to whom in the customer organization they are speaking, the content of their conversations, and other relevant information.
Supply chain management: Another application is analyzing messaging and relationship intelligence to visualize employee communication with unauthorized parties.
Litigation management: Legal can use messaging and relationship intelligence to zero in on individuals or domains to understand communication trends and which individual(s) or domain(s) needs to be investigated further, enabling useful pre-trial or pre-litigation discovery information.
IT support: Help desks can become more proactive by conducting ongoing investigations into what employees are saying about particular applications, the goal of which is to address problems as early as possible.
Human capital management: An archive can be used to determine when employees are going to leave an organization and thereby minimize the impact of an employee departure.
We have written a white paper that focuses on Archiving 2.0 – please feel free to download it here.
What is “information governance”? Here are some definitions:
TechTarget: “A holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.”
Wikipedia: “The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.”
The IG Initiative: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”
In short, information governance is about getting value out of information and minimizing the risks associated with managing it.
We are just about to publish a white paper focused on the return-on-investment associated with information governance. As part of that effort, we have conducted a survey with mid-sized and large organizations to determine the state of information governance today. Here are some highlights:
Only 52% of the organizations surveyed have an information governance program today, but another 20% plan to implement one within the next 12 months.
The top three drivers used to justify an information governance program are risk avoidance, the risks associated with meeting regulatory obligations, and, somewhat surprisingly, maintaining or improving employee productivity.
Despite the fact that most organizations have, or will have, an information governance program in place within the next 12 months, most organizations do not regularly dispose of digital information from file shares, SharePoint or related systems.
Moreover, most organizations do not have in place a defensible disposition program.
More than one-third of the organizations surveyed have had sensitive or confidential content stolen from them. The thief is most often an outside party, but a sizeable proportion of the thefts were committed by insiders.
Our focus in the white paper will be on a) why information governance is an essential best practice for any organization, but particularly those with large amounts of sensitive, confidential or otherwise valuable information; and b) how to demonstrate the return-on-investment that can be realized by implementing an appropriate information governance program.
If you'd like an advance copy of the white paper, please let us know.