EComms compliance: Not just about email and instant messaging anymore - THR2284
All. Right so thanks everyone for joining, this. Session is, focused on compliance, it's not just about email, and stay. Away from the speaker. And. Instant, messaging anymore. What. Does that mean what. It means is that organizations. Are deploying new communication. Networks, every, single, day. And. Ultimately. What's created, is a new series, of information, risks as well as, compliance issues so, we're going to talk about some of these things that are arising today, and, what companies can do to alleviate some of these concerns just one simple, case in point on the other side here there's, a session on. Organizations. Moving from Skype. For business to Microsoft, teams there's. Technology, issues obviously but, there's also compliance. Issues there's new features, there's new capabilities. Your, compliance organizations. Your InfoSec, stakeholders, your lawyers want, to know what's gonna happen now that you have this video sharing, capability. Now that you can put things in a desktop these, are all creative exposures, that, organizations. Need to have a plan for. So. Before. I begin just a quick introduction on Who I am and our, organization. What do we what do we bring to the table here my. Name is Robert Cruz I've been in the compliance space for over a decade working with firms in. Determining. How they can build policies, and technologies, to, support the deployment of new communication, networks so. The company I represent, is smarsh and, smarsh. Is basically a new firm that's in. The process of merging with a company called Acton's, we. Both have been in the game of compliant. Capture, archiving. And policy. Controls for. Communications. For the past decade, we work with some of the largest firms the, largest banks and largest manufacturing. Companies in the world we. Work very closely with Microsoft, we're a Microsoft Gold Partner. We, work very closely with the Skype for business team and now the Microsoft, teams, group, and a, part of that discussion is how, can I build, compliance. Controls so, that I can safely deploy, these communication, networks and so that's essentially, the relationship we have with Microsoft, we've deployed over 5 million seats on. Some of Microsoft's technologies. Some banks are running more than 40 to 50,000, seats on Skype for business or. On teams or across office 365, so these tend. To be very large organizations. But they're also firms, in the small to medium size category, as well and, we. Provide controls, for the entire Microsoft, stack so. You, know all the channels you see here plus about 73, other networks, things. Like. WebEx. Teams from Cisco, and slack, and Symphony and fact set a nice chat and you know all the public social media networks and communications. That are being delivered on a mobile device so, that's our expertise, of helping to bring these communication, networks. Under control. Let's. Get them to. The heart of the matter the, deployment of communication, networks you, see across this entire building a lot, of discussion, of new. Collaborative, capabilities. That firms are deploying and, let me let me ask you folks to start off how. Many folks are allowing, the use of social. Media within your organization's, let's say Twitter LinkedIn. A good number of hands, how. Many organizations, are. Outlining. What individuals, can and cannot do on their mobile devices you, have policies, do. You have technologies, a, good. Number of hands for both all. Right let's bring it home office. 365, how many companies are today. In production, on office 365. Relatively. Seminal number of hands how about Microsoft teams rolled. Out in production fewer. Hands not surprising, given where we are, final. Question for. Companies that are here attending this conference making, a big investment of your time how. Many of either licensed, Microsoft, technology, are thinking about it you know yet, to deploy.
Anybody. Just still, in that process of deployment, ok. That's where we really get to the heart here because you, know clearly there's issues. About employee, training, there's issues and concerns you have to work through to create cultural, different, you know moving, your culture to get people to accustom these new networks but, I'll guarantee you the vast majority of companies that we talk to they work with every day the. Reason they have not yet deployed or. Because the people sitting in the back. The people sitting in the back are the, compliance, officer the. InfoSec, executive. The, person that's managing, litigation, and what, they want to do what they want to make sure that you have, in place are controls. To. Make sure that you can capture and retain that data, to, meet all the obligations, you have to meet one of their regulatory driven, your, own information governance policies. Or what have you and this, is only getting bigger so a typical, Bank that we work with today has, more than 40 different communication. Networks that they are aware of and, every. One of these firms is also concerned that there's people out there that are using WeChat and whatsapp, and snapchat. Because. That's the way people are communicating and that last point is what I want to leave you with is that why, is this happening, is it from, a technology perspective it's great but. The reason this is happening for a lot, of organizations is, because this, is where your customer, is going this, is the way they want to engage you. Know so it's a question of what new network is going to show up it's, because your business is driving, you this direction, they want to engage in, a channel, that allows for, immediate response so, this. Trend is only increasing. Now. Is. This just deployment, of a new communication, network what's the big deal I've got to know the system I have to monitor and manage well. The big deal is this, what. People have been accustomed to is. Transactional. It's binary, it's flat, email. Is very deterministic. When, you get technologies. Like Microsoft. Teams or WebEx, teams or symphony, or slack or, information. That can be delivered uniquely. Over a mobile device you. Have a whole new set of issues you've got to sort through because you're not just looking at messages, you. Are looking at conversations. Conversations. Are dynamic, in. A Microsoft, team's discussion, you, may be talking, with four people that you know about and you're, discussing. Maybe, an item that is intellectual, property but. Then there's : user 5 that's unidentified who. Is this person or there's, another person, that comes, and goes from this this discussion, hey, this, could be a regulatory, event. Because. There's activity, happening, on these networks that have business, value areas. Where you can be compromising. And exposing, your, intellectual property so. The fact that these are rich and dynamic you, can engage in, sharing. Files in having. A video that you can you, can share in delivering, information out, to your clients you. Know these are areas that you now have to expand, your control over, the. Last comment. Here is we. Have a couple of banks that have told us they've uncovered entire. Conversations. That were encoded. In emojis. To. Frowns a palm tree and a couple of Angry Birds means that. Purdue, farmers goin down 5%, it. Was a it. Was a conversation, being, conducted. With, emojis and the, fact is just insignificant as, is of interest well the fact is emojis. Can convey emotion. And sentiment, this might be important, to understand, if you're looking at an insider trade and somebody's, trying to cover an, activity, that may be malicious so. Rich, and dynamic is, the problem that these new networks are now exposed are now creating. Now. Why, is this a problem so what. The. Entire. Population. Of legal, review tools that are in the market today are designed, for email, the. Overriding. Vast, majority. Of archiving. Tools that. Individuals. Are using to meet their books and records requirements. To do their supervisory, review are designed. For email the. Vast majority of data loss prevention tools, are designed for email the, problem is that you have a rich conversation that's. Evolving, where, I post, something that, there's now alike, or a share, or a comment, when. You deliver this information into, a tool that's, designed for email, what, happens, each, of these elements, becomes. An individual, item that, loses, its association. With everything, else that happened before what.
You've What, you've done is lost the context, I don't, know who's communicating with whom about what and more. Importantly, what, if items were changed, or deleted. You. Now have an event it's not just something that's making the process more complicated. It's also creating more exposure because, that, change, in a post, could, be something that's relevant for rediscovery. So. So. What. Organizations. As they think about how they can implement risk management, controls they either do that from a you. Know a regulatory, compliance, oversight or. Maybe the periodic, inspection, from your your, InfoSec, department, or you, know someone that's doing kind of the day-to-day month-to-month, supervisory. Review grind, what. We have found in talking to organizations, is that even, though the communication, networks they use have changed, the. Way they conduct review is the same and the. Answers are kind of interesting it's like why do you still do it that way that's the way we've always done it it, was like the, pattern, here of reviewing. And focusing, an inordinate amount of energy and time on email. Is still, something we find organizations are, stuck with large organizations small. Organizations, across, the board even, though the, elements of risk are beginning. To become more prevalent there's more cases, both, legally, as well as from, regulatory perspective where. The issue of the subject, at hand is, voicemail, or it's I am or it's some collaborative, tool I, think. The most important, element here is think of an individual, who, is intent, is to, avoid, detection, they. Are gonna go somewhere, where they think you aren't, so. If they believe the focus of attention and energy is on email they're likely to do things on social, media or on a collaborative, platform, and you're gonna find phrases, like let's, take this offline or, let's. Jump. To another channel, this is actual freight channel, jumping I started. On Skype for business I went to Microsoft, teams I'm now on symphony, let's bring it over the slack so the, problem is that people are focusing not, where the risk is they're focusing, where the volume of content still resides. So. What organizations, we talk to are looking for they're looking for one unified, view of risk you, know there's an individual, in the back of the room who is the high risk broker there's, a person, that I know is, frequently. Getting caught up in issues where they, may be involved, in disclosure, of sensitive. Information I want, to have a complete view, of that individual, if, I know that Dave, Luisi is the guy that I have to pay attention to I want, to know what his logging, is on on. Microsoft, teams I wanna know how he's identified, on Skype. For business I want to know what he's doing a LinkedIn I want to create that one unified, view because. Ultimately what I'm trying to understand, is, not the content, I'm trying, to understand, the behavior so.
I Need to match the, content. With the activity, to, really understand where the risk resides what are the kinds of issues that, might, come up along, the way. So. The things organizations, we hear are what they're looking for is insight, they, want to be able to understand, who said what to whom they, want to be able to understand where the critical risk resides going. Back to that the, chart of will review time is being spent it's, being spent on activity, not the things that are most critical to your business and finally. It's. Not just about compliance. And regulation, it's about, governance. It's about where is the sensitive, information where, is the information that has value, I want, to be able to track those critical, assets, wherever, they may go within, my organization. So. One of the topics that you, know I've heard. Some very interesting material, or some really insightful and informative. Technological. Developments, that Microsoft, and others are, rolling out in the area of artificial intelligence machine, learning and surveillance, and, it's a really good question it's like how the machines won this game is it basically the complexity. And the variety, of communications. Now is something, that's better addressed, by. Machines. And. I think it's a very interesting discussion, to have and, I think in the area of surveillance. And artificial, intelligence in particular. There's. A great, amount of value that can be brought in helping to uncover, risks, that, I'm going to be aware of where. I need to match content. With, behavior. With, sentiment, with, other things that I might find through, the use of artificial intelligence. So. Extensions. To what people are doing now this makes perfect sense there's technology, that is. Accessible, and a bunch of domains that are underneath, the AI umbrella, which, you, know companies. Are making significant. Investments in but. To the point you know where is the information risk. Do, I have a finger on what, important, communications, are being delivered I would, contend that, you. Need to be able to address both, sides of the spectrum so what's, the basic, the basic requirements, are any. Regulated, organization, needs to have an understanding of how they can meet their books and records obligations. Any industry, that has a record retention. Obligation. Has to do this if. You are a publicly traded corporation. And you have to deal with the SEC, and the fair disclosure requirement. As does Elon Musk and Tesla when he starts talking about taking the company private he's, got a deal with how he's going to respond to the SEC, you've got to do the basic, policy. Definition. Let, me identify the words and phrases which are sensitive do that regular. Interval, of review to deal with the known risks the things that I've seen before, where. We believe the extension, applies, is, using. Surveillance. Using analytics. To be, able to look at the behaviors, the proactive. The, activity. That's happening over a period of time that's. Where you have the ability to expose, things you've not seen before take, those findings and feed that back into, whatever you're using for a compliance, review and risk, mitigation, so. One way that we've looked. At this is something, that we're promoting thanks, to the brilliant, work of some of our product guys in the back of the room the. Concept of super valence think. Of compliance controls as, delivering.
The. Basic enforcement, of policy, if, I'm deploying Microsoft, teams I want, to have the ability to block specific features, I want, to be able to monitor for where there's restricted. Words and phrases that I have to pay attention to I want, to be able to store that information in. A repository that allows me to search and retrieve that data easily, and, if I have to do supervision, where I sit down and look, at policies, to make sure there's not an issue happening, I can take care of all of those things on. The other side of the spectrum I want to be able to interoperate, kind, of interact, with the. Analytics, to, be able to uncover the things I may not be aware of to, be able to add to that information the. Behavior, the sentiment, the things that I'm going to learn from a behavior ox or digital reasoning or IBM. Surveillance inside they're some of the innovative. Microsoft, technologies, that are being deployed specialized. Domains I want to deliver feed, and interact. With that data. So. One. Case and that we've come up against that I think this is gonna be something that many industries, begin to see financial. Services firms that are investigating. Things like insider, trades. Again. Your, compliance, systems, are enabling. You to look at static, transactions. It's, much more difficult to look at a pattern that's happening over time so. In this particular example what, people are doing is using our technology, to, make sure that all the relevant communications, are captured, they're, being stored you're. Providing, that first level of review so I can see where there might be issues to pay attention to now. That I know those issues are out there I want, to deliver that information into a surveillance, application. In this case surveillance. Insight to, match against the sentiment, to match against the other data the transactional. Information I have. To do this today form if it - in the EU if any of you are have, be you operations, so, from that I'm able to identify, where those activities are and feed that back into my. Repository so. A lot, of real-world use, cases where you can bring both of these areas of technology both domains together. So. Let, me wrap it up what, are we seeing as, ways that organizations can control. The. Emerging, use of these new communication, networks first, you, got to deal with the fundamentals, AI is not going to replace the, things you have to do as part, of your information, governance programs. As part of your records management protocols, as what, you do to deal with your regulatory, obligations, every day, second. Context. Is imperative. Stuffing. Things into the form of an email all you lose the context, so, you need to be thinking about for any tools you have to archive, and preserve data, is it, allowing me to preserve what the rich experience, of Microsoft, teams looks like, preserving.
That Context, of that conversation, is critical, third. You. Need to anticipate that there will always be the next network you, know we say we support I think the number today is 83, different communication. Networks next. Week that's going to be 85. There's always going to be a new one the regulator's have told us and our customers that you, have to have the expectation, that every, new application, you deploy is going, to have a messaging, application, attached to it including, the things on a mobile device so, you always have, to be anticipating, the next network that your business users are, gonna be banging on the door asking, you to support. Next. A lot of these things are really about policy, enforcement how can I ensure that if, I have to block messages because that's what I my DLP, policy, requires, for email how could I do that on one. Driver Yammer, or on, some other Microsoft, network or some other network on social media enforcement. Of policies, uniformly, what, can I do natively, with all of the tools that are available for, Microsoft, and where, can I work with third parties, like smarsh, to, be able to extend some of those controls. The. Other element, is just critical. From where we've seen the fact that we're bunging, together so many different domains is that the, platforms, that you're storing this information whether, you're using the, Microsoft, Office native capabilities in the security and compliance center or another third-party tool you. Don't, want to use the cloud to create, yet another siloed. Environment. You, need these systems to be able to feed other applications. You, need api's, and SDKs, to, be able to deliver information, the payload, so where it needs to be whether that's for compliance. That's for a discovery, that's, for information. And InfoSec, you. Know obligation. And inspection, of emerging threats, and. The. Last point. The. The. The. Science, of doing policy, management firms have gotten. These infrastructures, in place over multiple, years they've. Refined, lexicons. They've known how to do that but, you really have to keep this in balance, with. The, art forms now that are emerging, with AI, machine. Learning and surveillance, is keeping these things in. Context. Of one another. So. A lot. Of best. Practices, discussion, and for. More, specifics, on how we address, us come. To our booth the number is Alex our booths.
16:05. We're over there by the rubric, giant. Booth but I'll, leave you with this because I think this reflects, not only what we do but, I think these are some of the things you need to think about as you look for technologies, to help mitigate, some of these risks, first. On the capture side you. Need to go where your client is you need to have the ability to support any, communication. Channel, that you're allowing your employees to use and. Not just the simple capture, but, policy, enforcement if you need to have the abilities, to block a message, or spot. For sensitive words or phrases, it's, enforcing. Those policies, it's capturing, the right stuff not, over preserving, it's capturing, the information that has value, or risk. Next. In the way that you reveal it's not just storing the data it's. Like I want to have technology. That allows to meet expose, where the issue the issues are so, something, that's allowing, me to do robust, supervisory. Review to, be able to spot where these more critical items might reside so, being able to quickly deliver. This information I, want, to talk about reveal a lot of this has to do with performance it's not just search performance it's, quickly getting the data into the system being, able to search very fast against the data and to be able to export, that. Data downstream. You need throughput, not just the ability to search on an item quickly, and finally, the response goes. Hand-in-hand with the performance, it's the ability to allow. Your legal compliance. And IT staff to serve themselves to, be able, to respond to the regulator faster, to get in front of the end-user to say wait, a minute you're on an area of Microsoft, teams that's restricted, by policy, are you you, know make sure that doesn't happen again we have these controls, that send up flags when something happens so just be, aware as, part, of that training you, can respond, to those individuals, and correct this from happening the, second time. 16:05. Is where we're located appreciate. Your time hopefully you can come by love to show you some more about how we help, both within, the Microsoft infrastructure. As well as other, communication. Forms so with. That, I'm. Not sure timewise are we at, it, I'll. Be around happy to chat with you further or back at the booth so thanks again for attending.