Lack of Messaging Controls = Regulatory Risk
Mobile phones, lack of policies expose the enterprise
Just what kind of information is your CEO using his or her mobile device to convey?
The question is pertinent since a variety of regulations, including Sarbanes-Oxley, require organizations to monitor certain business communications. According to new research, however, mobile devices and other, newer methods of communication are an often-overlooked area, meaning certain information isn’t monitored, archived, or even secured.
“Substantive business is done every day by organizations through e-communications technologies with little consideration for the business and legal issues,” notes Randolph Kahn, the founder and principal of Kahn Consulting. “Contracts are now regularly executed in e-mail, modified in voice-mail, and breached with a text message.”
Those gaps are documented in “Electronic Communications Policies and Procedures: An Industry Study,” released by The Association for Information and Image Management (AIIM), an enterprise content-management industry association, and Kahn Consulting.
Based on the enterprise content-management strategies of the 1,000 organizations surveyed, “many organizations are simply failing to put in place the basic policies, controls, and technology to manage electronic information,” says John Mancini, president of AIIM. As a result, “in an era of litigation threats and new compliance requirements, organizations without a plan are putting the very existence of their organization at risk.”
The report details the degree to which a variety of communications technologies—including instant messaging (IM), wireless devices, and phones with e-mail and text messaging capabilities—are now used to conduct major business transactions, or for exchanging information used to make those business decisions. Yet many organizations don’t monitor those technologies, even when they’re used to transmit regulated information.
To help, the report recommends organizations revisit their written policies for acceptable use of electronic communication and pay special attention to security and data retention.
Corralling Instant Messaging
One place to start is with IM. According to the report, only 28 percent of surveyed organizations have an IM policy, even though half of organizations explicitly permit employees to use it. Likewise, only 27 percent of organizations have policies for text messaging or e-mail-enabled phones, as well as e-mail itself. Compare those findings with the fact that two-thirds of companies have a policy for laptops, and over 80 percent have a policy for posting to discussion forums or online message boards.
Despite the widespread use of IM, many organizations don’t seem to be dealing with the very real security or liability risks. As the report notes, “For example, the National Association of Securities Dealers recently fined a securities analyst $75,000 for circulating false rumors about a company through instant messaging, rumors that caused the company’s stock price to fall by 10 percent.”
The reliance on public (free) IM software, coupled with the lack of IM policies, also indicates many organizations are ignoring the problem. According to the survey, 35 percent of organizations use MSN Messenger, 19 percent use AOL IM, 17 percent use a custom service, 11 percent use Lotus Sametime, and six percent use Yahoo IM. Sametime, which is not free, is notably the only out-of-the-box IM software with enterprise-level security. In other words, notes the report, “most organizations are using IM tools that likely do not support enterprise functionality such as encryption and retention, and [which] cannot be centrally managed.”
Maybe organizations need to take a page from their own e-mail policies. Compared to low numbers of IM policies, two-thirds of organizations say they’ve taken steps to better secure their e-mail systems. In addition, 27 percent say they’re now retaining e-mail for longer periods of time. As the report notes, “This may indicate an increased awareness among organizations of the regulations and laws that require the retention of e-mail records, or may simply reflect the increased use of e-mail for business purposes.”
At the same time, however, organizations are still confused by regulations, at least as they pertain to e-mail. For example, as many respondents say they’re retaining e-mails longer as say they’re keeping them for a shorter time. As the report indicates, “this seems to indicate that many companies are still trying to decide what types of e-mail messages should be retained to best meet their business and legal needs.”
Gauging Anecdotal Evidence
Some of the survey’s anecdotal evidence says senior management isn’t always helping determine such things as optimal e-mail retention times. For example, on archiving e-mail as a business record, one respondent notes that a forthcoming policy will mandate that employees clean old e-mails from their mailboxes. Even so, “no assistance is being offered in determining what is a ‘business record’ and how long and where they must be kept,” says the respondent. Furthermore, “senior management is not open to such discussion.”
Another respondent notes company policy is to archive e-mail, in a manner of speaking. “If you do not choose to archive your e-mail, then it doesn’t get backed up.” Obviously, no technology is in place to enforce a corporate policy on e-mail archiving.
Based on the survey’s numerical and anecdotal responses, says Kahn, “while some organizations have recognized the growing need to take seriously their responsibility to manage electronic communication technologies, massive gaps continue to exist.” In today’s heavily regulated world, that’s a big risk.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.