Identify risks and promote compliant communications behavior
Alongside the shift to remote work came a boom in the use of “shadow IT” — the unapproved tools and apps employees prefer to use over authorized, secure tech. This increase is likely due to the appealing UI/UX of consumer-focused apps (which makes them easy to use), familiarity and habit developed from personal use, and the apps’ overall popularity, which fosters an “everyone else uses them, so I can, too” mindset.
Despite training to the contrary, employees often view their shadow IT use as “no big deal” and fail to take security and compliance into account. This laissez-faire attitude is a serious challenge for compliance leaders; it recently resulted in over $1B in fines for major banks for “failing to monitor employees using unauthorized messaging apps” in the SEC’s WhatsApp probe.
Compliance leaders need to get out in front of the problem, but finding out when, where, and how employees are using unauthorized channels is tough, even with surveillance software in place. However, there are a few avenues compliance teams can pursue to identify employees’ shadow IT use.
Here are three ways to help identify if employees are using unapproved communications channels:
1. Monitor email volume
Check in with your IT team and compare the current email volume with the past volume. Have there been any significant changes in the past few months (big dips, yo-yos, etc.)? If there’s a detectable difference, it could be a sign that employees are taking communications to unauthorized channels.
2. Analyze employees’ browser history
If employees are using employer-provided hardware (laptops, cell phones, etc.) then IT or compliance teams can monitor their internet use, including their browser history. There are limits—both legal and technical—but a general survey can give compliance leaders decent insight into employees’ internet use, including identifying non-compliant websites and apps.
3. Audit approved channels’ UI/UX
Employees turn to shadow IT because it’s so easy to use. Compliance teams can test the user interface and user experience (UI/UX) of approved apps and tools to identify issues that may push employees towards more user-friendly options. They can also ask employees to rate the UI/UX of approved apps and share their feedback for tweaks and improvements. If there’s a key issue preventing widespread adoption and use, IT teams may be able to fix it. And if employees share any issues, it’s also a sign that they may turn to unauthorized apps to sidestep them.
Employees turn to shadow IT because it’s so easy to use. Compliance teams can test the user interface and user experience (UI/UX) of approved apps and tools to identify issues that may push employees towards more user-friendly options. They can also ask employees to rate the UI/UX of approved apps and share their feedback for tweaks and improvements. If there’s a key issue preventing widespread adoption and use, IT teams may be able to fix it. And if employees share any issues, it’s also a sign that they may turn to unauthorized apps to sidestep them.
There’s still one challenge: even if analysis suggests employees are using unauthorized channels, how do compliance leaders stop it? The only way to be fully confident regarding shadow IT use is to adopt compliance technology that tracks communications on authorized channels and detects when employees switch to unapproved channels. Compliance leaders using this type of technology can mitigate the risk of unapproved communications—regardless of the channel—by:
Implementing proactive monitoring
Compliance teams have limited bandwidth, which should be reserved for their highest-value tasks. Look for compliance technology that does more than flag communications AFTER they’re sent. Find a solution that provides real-time corrections as employees type—this can reduce compliance review by up to 64%.
Creating consistency
When it comes to communications compliance, “one-and-done” training doesn’t work. Employees may follow the rules for a few weeks before sliding back into old habits. Avoid this costly backsliding by providing consistent training and support in the context of employees’ day-to-day work.
By using the proactive monitoring mentioned above, compliance leaders can offer automated guidance to help employees adjust their language before sending a message. Not only will this help catch and correct risky communications, but it will consistently train employees on the right messaging and terminology.
Analyzing effectiveness
Analyzing user data is critical to understanding the success of compliance policies and processes. Compliance leaders should dig into the data to evaluate how effective their training and suggestions are. Key metrics include:
- How often employees change words after learning they shouldn’t be written
- Frequency of commonly flagged words and phrases
- What channels employees use to communicate—both authorized and unauthorized
Compliance teams can use this data to identify risks and areas for improvement to take corrective action before a serious problem occurs.
While there are countless monitoring and surveillance solutions on the market, most can’t detect unapproved channels until it’s too late (if at all). Invest in a targeted, flexible solution that helps identify unapproved channels, reduces false positives, and saves hours in communications review time. By building a solid foundation for monitoring and training, compliance leaders can create a program that stays ahead of emerging communications technologies and eliminates risks before they take root.
Looking for even more compliance insights to protect your organization? Learn how a leading financial services client discovered that many of their employees were conducting conversations that weren’t on their approved list and how Fairwlrds helped proactively protect and ensure their communications were compliant. proactively protect. Read the case study.
