Employees are using many other means than email to communicate including text and Skype, presenting challenges for IT teams.
Go back a decade and a half or so in enterprise IT, and email systems were one of the newest members of the mission-critical family of IT services. Email systems, whether they are on-premises or in a Software-as-a-Service offering, are clearly still very important, but organizations have a whole new set of communications systems that become part of the puzzle. These new systems have introduced a new issue: too many means to communicate.
Different organizations have different protocols on this topic, but the digitally connected workplace is changing how employees communicate with each other. Services such as SMS text messages, WhatsApp, Google Hangouts, Cisco Spark, Flock, Facebook Workplace, Microsoft Teams, Slack, and Skype have made their way into the workplace. If you don’t think work communications are taking place on multiple platforms, ask any Millennial in the office.
I believe there are two primary reasons why people use alternative communications tools: to reduce email and keep conversations relevant to groups. That said, there may be alternative motives such as being able to communicate freely without management visibility and the ability to get a more immediate response. Whatever the reason, this becomes eerily similar to the file-sharing conundrum of a few years ago. There is a risk of critical data being transmitted on unofficial mechanisms.
What about controls? Sure, there are content filtering, site and service blocking, and mobile device management techniques, but users will find a way around them by using their own devices or networks.
And these new communications apps often provide a wealth of capabilities, typically for free: chat, IM, group threading, file transfer, voice calling, video conferencing, and more. IT must find a way to steward data, deal with terminated employees with access to these collaboration platforms, and reinforce the organization’s communications and data policies.
I’m convinced that a hard line “not permitted” approach will fail. Instead, indicating what responsible, common sense use looks like is a better strategy. Unfortunately, it's difficult to ensure that common sense is consistently applied to individuals who use these services, especially when dealing with global teams. Organizations need a policy, but they don’t have to start from scratch. Many organizations have invested in social-media policies to provide guidelines defining the appropriate use of social sharing regarding workplace content. These policies can often be adapted to address communication platforms, as they have many similar characteristics to social media, including:
- Can be an app on a phone or tablet
- Are not monitored or provided by internal IT
- Can be used at home with no control of IT
- Are public and free
That said, organizations should take a hardline approach to file sharing of sensitive data. Typically, people aren’t sharing sensitive data over unauthorized platforms because they are malicious; on the contrary, they’re usually trying to be more efficient because a free unapproved app provides capabilities that approved apps do not. One of the best ways to address this challenge is to provide a solution that both meets the security requirements of internal IT and exceeds the capabilities of the free and public domain. Internal IT offerings have to be more compelling than the shadow IT approach.
A good example is OneDrive for Business. I frequently share OneDrive links in Slack. The OneDrive account is centrally managed by internal IT, even though the Slack channel is self-administered. Having updated policies on how processes like file sharing should be addressed (with a specific solution outlined) will greatly increase the chance of success.
Terminated employees present another challenge. When an individual leaves the organization, it is up to the administrators of some of these additional platforms to remove access. Some of the new communication platforms authenticate via traditional constructs, but some don’t. For example, Skype for Business will disable access when an account is either disabled or deleted; but consumer Skype may not. Consider a large group chat in consumer Skype with participants who are no longer with the organization. Again, another opportunity to educate and document in updated policies.
At the end of the day, IT must balance management and control, and the first step is to understand what we can effectively manage. I believe we have an opportunity to educate, embrace and enforce what is reasonable and required.
Rick Vanover (Cisco Champion, MVP, vExpert) is the Director of Strategy for Veeam Software. Rick’s IT experience includes system administration and IT management; with virtualization being the central theme of his career recently. Follow him on Twitter @RickVanover.