Why maintaining audit trails is essential for your business communications

When something goes wrong, whether it’s a social engineering attack or a compliance failure, it’s vital to get to the source. That’s where audit trails come in.

November 1, 2022

Do you believe that your business communication is effective? Are you able to quickly identify any potential data leaks that happen on your messaging platforms? How can you be certain that employees are adhering to your communications policies?

These are some of the vital questions that a thorough communications audit can answer. After all, you can’t optimize and protect what you don’t know about. A communications audit offers the most comprehensive route to finding clear answers and uncovering potential weaknesses.

However, although most business leaders understand the importance of auditing, the process itself can be extremely time-consuming. In the case of business communications, carrying out an audit might involve manually searching through message logs from multiple platforms and devices. If employees are using their own devices for work, as they often do in the era of the hybrid workplace, communications auditing can be even more complex, partly due to employee privacy concerns.

By far the best way to approach these auditing challenges is proactively. By establishing the means to record all communications the moment they happen, you can promptly answer the aforementioned questions. With all communications being archived in a centralized location, in real time, you can easily search through and retrieve individual messages, audio recordings, and shared documents.

A real-world example highlighting the need for audit trails

Let’s consider an example with WhatsApp. More and more employees are using WhatsApp for internal or external communications thanks to widespread familiarity with the platform. The problem with WhatsApp is that it doesn’t provide a sufficiently reliable way to preserve conversations in the typical enterprise environment. While it does provide an archiving function, it’s account-based, and end users can easily delete messages, making it near impossible for managers to ensure accountability and transparency.

In the US, federal law requires that financial services firms maintain meticulous records of all electronic messages between brokers and their clients. Should the authorities have any doubt that a firm is adhering to the rules, they have the right to investigate. If they do, they’ll likely ask the firm to provide evidence of its record-keeping practices. If employees are using their own devices and WhatsApp accounts, over which the company has neither visibility nor control, it constitutes a breach of compliance. In 2021, JPMorgan Chase found out the hard way when they were forced to pay a $200 million fine for allowing employees to use WhatsApp for work.

Bridging the gap between hybrid work and compliance

Communications sent or received from company-owned devices and software platforms are typically preserved, since compliance and security leaders have full control and ownership of their own communications infrastructure. However, it’s quite a different matter when factoring in employee-owned devices and apps. Compliance and security departments have no right to surveil their employees’ own devices and their use of third-party apps. As such, a compliance failure is an inevitability in such an environment.

The obvious solution to the problem might be to simply ban the use of unsanctioned apps for work. The best solution, however, is more nuanced. On one hand, simply banning industry-leading apps that employees are already accustomed to using can be seriously damaging to morale and productivity. Moreover, employees are hardly going to be willing to surrender their own devices to company surveillance, in which case the business will struggle to get buy-in for its BYOD program. On the other hand, giving employees the freedom to use any app and device they like to communicate with clients is clearly a security and compliance disaster just waiting to happen.

To bridge the gap, security and compliance leaders must view themselves as more than mere makers and enforcers of the rules. Instead, their first priority should be to look for ways to allow the use of popular third-party apps in a secure and compliant way. For example, there are now solutions that allow you to consolidate your business communications across various popular platforms, such as Microsoft Teams, Slack, and WhatsApp. By keeping a real-time record of all communications, you can maintain complete oversight and governance for everything.

Assuring compliance and security no matter where work happens

Security and compliance leaders face mounting challenges in the age of hybrid work. After all, it’s inherently harder to maintain oversight across an ever-increasing number of devices and apps being used in different locations by different employees. By consolidating your business communications, you can easily apply automated supervision for all messages, attachments, links, and more. For example, if an employee sends a message containing potentially sensitive content (either intentionally or accidentally), data loss prevention (DLP) can flag the message for review before it can be sent. 

Most importantly when it comes to auditing, having the ability to capture all messaging content and associated metadata preserves a complete digital record, including legal holds. That way, if something goes wrong, it’s much easier to get to the root of the problem. For example, if an employee falls victim to a phishing scam on Teams or WhatsApp, security leaders can quickly find out who was targeted, when they were targeted and, most importantly, how they were targeted. Equipped with these insights, all thanks to their real-time digital records, they can take corrective action quicker and better educate the broader team on the latest threats.

Meeting the constantly evolving demands of regulatory compliance and information security is undeniably challenging. However, all too often these demands end up hindering business growth. Compliance and security leaders often assume that the easier approach is to ban the use of third-party apps for work, but such an approach can be just as bad for the business at large as taking a hands-off approach. Sometimes, internal rules and regulations can become oppressive to the point that they can even encourage employees to find risky workarounds so they can continue using the apps they’re familiar with.

It’s essential that security and compliance leaders don’t let these challenges hold back growth. Instead, they should be looking for ways to maintain control and oversight across increasingly disparate communications environments. By establishing the means to retain and consolidate communication records, they will have the critical foundational infrastructure in place needed to carry out audits, mitigate risk, and enhance performance.

Worldr gives businesses full transparency across Teams, Slack, and WhatsApp deployments with secure record retention, centralized search, and complete ownership. Book a demo today to see how it works.