Banning Social Media, Messaging Apps a Big (and Costly) Pain Point

Organizations and their compliance leaders are struggling to get a grip on off-channel communications bans, forbidding employee use of apps like WeChat, Whatsapp, or TikTok, to name a few.

In a study, 61.5% of surveyed compliance leaders said that “getting employees to comply with rules for electronic communication was their biggest concern.” The survey also revealed just 3% of compliance officers said they “strongly believe” channel bans are effective at ensuring compliant communications at their organization.

This feeling of futility persists, even though most (59%) have banned the use of social media and messaging apps due to increased regulatory scrutiny.

Rob Mason, director of regulatory intelligence at Global Relay, explains channel bans are ineffective because they are almost always circumnavigated -- hence the large number of fines that have been handed out in the past few years.

In addition to FTC fines, businesses that allow shadow IT and off-channel communication also run a higher risk of data leaks and security breaches, as IT and security teams have no oversight or control over how employees are using these tools and what data is being shared.

Organizations are also likely to incur greater costs in the long run associated with shadow IT.

“While channel bans are in place, we will always see an undercurrent of off-channel communication for business taking place,” he says. “I believe channel bans are now a temporary tactical measure while strategies are deployed to manage the risk more effectively.”

He adds prohibition of non-approved communication channels has always been the case.

“Colleagues are aware that they need to conduct business related comms on recorded mediums, which are then subject to surveillance and record keeping in line with regulations,” he notes. “This satisfies compliance with internal policies which reflect relevant regulations.”

When COVID-19 struck, lockdown required people to work from home, but “policing” of the no mobile policy did not happen, even as the lines between personal and business comms became increasingly blurred.

Despite this, there was clear and widespread use of WhatsApp and other non-approved channels of communication for business purposes -- which was first uncovered by an SEC sweep.

This resulted in almost all the large banks being sanctioned and fined, which is presently ongoing 18 months after the first notice.

“Penalties for breaches of these prohibition policies were increased -- but this is a deterrent not a control,” Mason says.

John Harden, senior product manager at Auvik, says effectiveness fundamentally depends on what the steps are in the ban.

“For instance, a memo to the employees at the organization without any enforcement, monitoring, or secondary IT measures is doomed to fail,” he says. “Like water taking the path of least resistance, we’ve seen here at Auvik, employees tend to use shadow IT to make their roles easier.”

It’s critical to know if the goal is to check the box that “we did something” or if the goal is to enforce that box and ensure it is stopped with protective measurements.

“Employees aren’t using off-channel communication because they desire to break IT policy,” he adds. “They do it because it’s easier for them or their clients.”

Harden says in this case, businesses need to look at shadow IT opportunistically -- they need to understand why tools like WhatsApp and WeChat are being used and look to innovate internally with their tech stack.

“Simply telling employees to use a sanctioned tool as opposed to one they prefer will not achieve much,” he says. “Employees have their preferences and IT leaders should listen to why employees prefer to use an unsanctioned tool and take it as an opportunity for innovation to meet the needs of employees while remaining compliant.”

Gartner VP Analyst Chris Audet explains in many cases, compliance officers tend to monitor risk retroactively and are looking at risk events that have happened, rather than a prescriptive approach assessing risk events which are likely to happen.

“Most compliance leaders are fairly new to generative AI tools and other tools that might provide advanced predictive insight into where these risks are appearing,” he says. “That’s a shift every compliance leader worth their salt is trying to chase after: How can I be more prescriptive? How can I figure out where the risks are likely to appear and use technology as an enabler for that?”

Audet adds this approach will require closer collaboration between compliance officers, IT departments, and stakeholders like the chief information security officer.

“Compliance needs to work with It to transition employees to more fully managed corporate devices that are restricting services and applications to those that can be fully monitored,” he says. “But obviously we know people do what they’re going to do, and they might move to another move to their own personal device.”

Mason cautions that if communication isn’t captured, there are unknown risks brewing within firms -- risks that they’re not able to prevent or mitigate.

“It also means that firms aren’t meeting regulatory expectations for recordkeeping -- exposing them to yet more harm both monetarily and reputationally,” he says.

He explains demonstrating to regulators that the risk has been assessed and appropriate controls have been deployed is essential, pointing out technology solutions which capture WhatsApp and other channels for surveillance and recordkeeping are now available.

“Firms are now recognizing that regulators will need to understand how firms manage this risk so they will need to build proportionate controls which can be defended if challenged,” Mason says.

What Does the TikTok Debate Mean for Enterprise IT Leaders?

Threads Boom Challenges Twitter Enterprise Throne

Why Technology and Employee Privacy Clash