The New Normal Brings New Risks—and a New Focus on Information Governance: Part 2

In Part 1 of this blog series, we discussed how many organizations are updating their cybersecurity policies so they can better manage cyber risks and threats in the new normal of remote and hybrid work. We also noted that updating cybersecurity policies was only one part of the solution for reducing risk exposure in a dramatically changed work environment: information governance (IG) must also be a focus. 

Information governance is a corporate process or strategy that helps organizations manage information's risk and value. Neglecting IG exposes organizations to liability should data or information not be retained correctly. A common point of confusion, and the most crucial point to remember, is that IG is not simply installed software that automatically makes an organization compliant. IG is a company's process (that is, policies, monitoring and remediation). Software is just the tool that assists in that process, and more often than not it has to be tweaked and calibrated to each unique organization.

As corporate IT departments are updating cybersecurity policies, they are also limiting and/or providing access to productivity tools to help control the risk of shadow IT. As explained in Part 1, most shadow IT applications are enterprise collaboration tools. But even if only corporate-sanctioned tools are in use, most organizations still lack the ability to capture and retain information from these tools to create a "corporate memory."   

Corporate social media apps, which have a lot in common with their enterprise collaboration tool "first cousins," add to the dual challenges of maintaining cybersecurity and IG in the new normal. Take, for example, Workplace from Facebook (WFB). It has attributes similar to public social media, but it's confined solely to the organization. It's the intersection of high-level work collaboration and social interaction, or a case of "project management meets the watercooler." Inside WFB, there are chat capabilities, chat rooms, data repositories for sharing documents and news, and live video broadcasting. In some instances, companies will open this portal to strategic partners. Surveillance helps to create a corporate memory.

As companies widen their embrace of social media, using apps like Facebook, LinkedIn, Clubhouse, Twitter and others, they need monitoring and/or surveillance of content (inbound, intra and outbound) and solid policies to govern social media use on corporate pages. One solution is to purchase software, like Proofpoint's Content Patrol, that can connect to an organization's many enterprise and social media apps and capture the communications and interactions in them in real time.

Once connected, organizations can enable in-stream surveillance to monitor for content that doesn't meet corporate approval—before that content is published on social media. Also, these solutions can help organizations put in place controls for identity management and user access to social media channels and functions. They can also provide administrative control of multiple apps under one IT management dashboard.

Critical questions for organizations to answer

"62% of compliance leaders expect that more time and resources will need to be devoted to risk issues within the next twelve months." 

-Cost of Compliance 2021: Shaping the Future

Firms that are forging ahead, full steam, into social media and lack some kind of surveillance process, whether manual or automated, are at risk. Unless they're somehow creating a corporate memory that they can rely on to corroborate an e-discovery, internal or regulatory inquiry and to provide the "who said what, and when," with context, a social media misstep that leads to brand reputation damage and even potential litigation is almost assured.

Headline-making corporate social media blunders, such as Adidas congratulating runners of the Boston Marathon with the tweet "Congratulations, you survived the Boston Marathon," or Elon Musk's tweet of a poll asking the public whether to sell Tesla stock, are just a few examples of self-inflicted wounds.

Additionally, employees sharing a seemingly innocent post that points to an upcoming merger or corporate acquisition on a personal social media account (e.g., LinkedIn) can easily end up relaying insider information. These are just a few examples highlighting the dangers of social media without an IG policy and surveillance mechanism in place to prevent mishaps like these.

With all this in mind, organizations should consider the following questions as they work to evaluate and improve both their cybersecurity and IG policies for the new normal:

· Which collaboration apps and social media channels do we currently use? Even more important, what don't we know about—and how can we find out?

· Do we need to capture or monitor Teams, Slack, Zoom, collaboration tools or enterprise social media apps?

· Do we have a policy in place to govern corporate social media use? (Note: If the organization already has a corporate LinkedIn or Twitter page, now is a good time to start building this policy quickly.)

· Has the marketing department authorized key individuals to post campaigns, news, product launches, events and other information on LinkedIn, Facebook, Twitter, WhatsApp or other channels?

· Has the corporate legal department validated whether a social media surveillance or monitoring tool can produce copies of data, objects and events (in context) from enterprise collaboration and social media apps?

A robust IG plan requires a team effort

Many corporate IT departments are recalibrating and augmenting cybersecurity practices right now to help their organizations manage risk effectively in the new normal. Creating relevant and well-thought-out IG policies that can work in synergy with updated cybersecurity practices is an equally important exercise for mitigating risks.

The organization's IT and legal departments will want to collaborate closely on creating a corporate IG policy. Also, IT and human resources teams should work together to educate employees about the risks of using non-approved enterprise collaboration and social media apps. 

And finally, the organization should consider employing best-of-breed software solutions that can help them capture, surveil and enforce policies to mitigate risk, preserve brand reputation online and create that all-important "corporate memory" with discoverable evidence that can be tapped whenever a potentially damaging issue arises.

To get a 4-step plan to stay secure and compliant with your communication and social media tools, download our ebook, How Communication and Social Media Tools Are Changing the Insider Risk Equation for Compliance, IT and Legal Teams.
