Are corporate communications putting your compliance at risk?

The old adage “walls have ears” isn’t quite as apt as it used to be. These days, it would be a lot more accurate to say, “the network has ears”. Or it should, at any rate.

The truth is, in today’s digital world, organisations don’t have the luxury of trust. Constant vigilance is required to minimise insider risk, both in terms of data breaches and the potential social, legal and compliance fallout of inappropriate employee communications within corporate networks.

Communication compliance scenarios

Effective communication compliance strategies can make a world of difference in mitigating the risks associated with corporate communications. 

The three main scenarios at play revolve around corporate policies, risk management and regulatory compliance.

Corporate Policies

It’s essential that all employees adhere to acceptable use, ethical standards, and corporate policies in their business communications. Communication compliance policies can help detect violations and take corrective actions. A good example is monitoring communications for HR concerns like harassment or inappropriate/offensive language.

Risk Management

Organisations are responsible for all communications within their infrastructure. Communication compliance policies can help identify and manage potential legal exposure and risk before corporate operations are impacted. For example, messages can be monitored for unauthorised communications or conflicts of interest relating to any confidential projects like upcoming mergers, acquisitions, earnings disclosures, reorganisations and/or leadership changes.

Regulatory Compliance

Most organisations need to comply with some type of regulatory standards as part of their normal operating procedures. These often involve a level of oversight on messaging. 

One example is the Financial Industry Regulatory Authority (FINRA) Rule 3110, which mandates scoping procedures for user communications to ensure compliance with regulatory requirements and prevent inappropriate conduct. Another example would be the potential need to review broker-dealer communications in your organisation to safeguard against insider trading, collusion or bribery activities. 

Communication compliance policies can help meet these requirements by providing a process through which to analyse and report on corporate communications.

How Microsoft Purview Communication Compliance works

Purview Communication Compliance is a Microsoft service that helps organisations monitor, detect, and act on potential communication risks. It uses machine learning and AI to analyse messages for sensitive or inappropriate content, including everything from harassment to discrimination, threats, profanity, financial misconduct and more.

Organisations can create policies that define message types, scan locations, conditions, and actions to take when policy matches occur. The service supports various communication sources like Microsoft Teams, Exchange Online, Yammer, and third-party platforms such as Slack and Bloomberg.

Administrators and/or reviewers can view policy matches, review messages, and take actions (e.g. educating users or escalating issues) using Purview’s Communication Compliance dashboard. This also provides access to reports and insights that make it much easier to identify communication trends and risks in order to proactively improve compliance awareness and performance.

Implementation considerations

As with most new technology, due diligence during the planning phase can make all the difference to the success of your Purview Communication Compliance implementation.

We recommend paying particular attention to:

Stakeholder Engagement – Communication compliance typically involves stakeholders from a number of departments, including IT, Compliance, Privacy, Security, HR and Legal. By including these stakeholders in the planning process, it’s possible to streamline policies and workflows to achieve better outcomes from day one. 

Roles and Responsibilities – It’s much easier to ensure an appropriate response to alerts when there is a clear plan of action and division of responsibilities in place. Make sure you know exactly who should be reviewing which communications, when, and how, and ensure they are supported with the right permissions, training and resources to act appropriately.

Review and Resolution Procedures – Establishing a structured workflow with appropriate criteria and processes for reviewing incidents and documenting actions and outcomes makes it easier to ensure consistent handling and resolution of compliance alerts.

Feedback and Training – Providing feedback and coaching (and/or disciplinary measures) to employees involved in compliance incidents goes a long way towards reducing the occurrence of communication policy breaches. Plan what these measures will look like, and how they will be implemented.

The human element

Communication compliance also needs to be viewed from an HR perspective. Key considerations include:

Communication – How will you communicate the purpose and scope of compliance policies to employees to ensure their awareness and informed consent for monitoring?

Privacy and Security – How will you protect the privacy and security of employee data and messages, and maintain compliance with all applicable data protection laws and regulations?

Policy Evaluation – How will you evaluate the effect of compliance policies on organisational culture, employee behaviour, and compliance performance, and make adjustments if necessary?

Partner up

Microsoft Purview is a complex suite of products, and getting it wrong can have severe consequences for your organisation’s compliance and security. It’s also not easy to get the right stakeholders engaged and on the same page to progress at any speed. Thankfully, you don’t have to push through unaided.

Whether you’re looking for specific guidance on Communication Compliance, or seeking a more holistic view of your Purview deployment, Cloud Essentials has what it takes to get you exactly where you need to be.
