Tradeoffs and Risks in Compliance Systems

While institutional deployments of compliance systems are now commonplace, implementations, policies, and practices vary widely. Organizations use these systems to prevent the leakage of proprietary business information and confidential customer information, as well as to pass audits. However, compliance systems that do not take employees’ work practices and personal communication needs into consideration can also significantly reduce productivity and cause major frustration that leads some people to actively subvert protection mechanisms. The lengths to which people will go to “work around” what they perceive as overly restrictive compliance systems range from worrisome to simply frightening. In this column, I’ll discuss some of the problems and potential solutions.

Compliance systems have many interconnected components including archiving, retention, access controls, and document and email management. Systems must keep up with evolving communications technologies that have reached widespread corporate adoption, such as instant messaging, VoIP, unified communications systems, social networks, location-based services, SMS, as well as up-and-coming messaging systems like Twitter that can be used to gateway between several systems.

Businesses frequently must prove compliance with regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB), the U.K. Data Protection Act, and the PATRIOT Act. The financial costs of compliance are substantial. AMR Research reports that companies will collectively spend more than US$32 billion on governance, risk management, and compliance (GRC) by 2008 and more than US$6 billion on SOX alone.

Many businesses could reduce the risk of compliance violations by taking into consideration their employees’ everyday communication needs and practices. The more restrictions and limitations a compliance system imposes, the greater the value of evaluating employee communication. Internal needs assessments, possibly including surveys and interviews, can be used to determine how well corporate needs for security and compliance align with employees’ work practices and other communication needs.

Strike a Balance

Compliance and security can be treated as a form of risk management in which there is no expectation of perfect security or perfect compliance, but rather a continuum that balances risk and cost against the requirements necessary to pass an audit. Exposure to risk should be kept to a minimum, and mitigation should be expedient. On the one hand, a compliance implementation can help prevent users from making careless mistakes or even willful violations of information policy. On the other hand, overly restrictive systems can reduce workplace satisfaction and limit productivity. Restrictions may even facilitate security violations if users feel that circumventing the system is their only alternative for completing necessary tasks or engaging in necessary personal communication.

As mentioned in this column last month, “Why It Matters When Users Have Multiple Accounts,” I have interviewed people about their use of multiple different identifiers, such as email addresses, instant messaging IDs, and Web logins, as part of my dissertation work. I talked with people about their interactions with institutional policies and compliance systems. In particular, I asked people how these policies and systems affect their daily life in terms of work, personal communication, and productivity.

During the interviews, I found many examples of tradeoffs in the implementation of compliance systems. Everyone I talked with understood the basic reasoning for compliance systems. However, people in institutions with highly restricted communication and document management systems often said they felt they were being treated like children. This did not improve compliance rates. I repeatedly heard the phrase, “we are all adults here” when people articulated their frustration with what they saw as overly restrictive systems.

Companies were rewarded when they took greater efforts both to explain compliance policies and to ensure that users, especially mobile users, were not regularly prevented from communicating or managing documents. In such cases, employees were appreciative of how productive the system allowed them to be, while still mindful of the risks involved. Explaining the reasoning behind the policies and implementations went a long way toward improving compliance.

In many ways, these behaviors mirrored those of populations in other environments with highly restricted Internet access—such as school or library computers—and in countries where governments block or heavily filter Internet access. At one end of the spectrum, people described using proxies to avoid filters, using alternate services that were not yet identified by filtering software, or emailing files to themselves at external personal accounts. At the other end, people described connecting cellular-based wireless adaptors to work machines and complex home Internet connection sharing setups, which bridged their corporate LAN (behind the firewall) to that of an external ISP. This behavior is likely to make any chief security officer nervous, in addition to being reason enough for terminating employment. Interestingly, when asked why they engage in these highly risky behaviors, employees uniformly responded that they were far more concerned with job performance and completing the tasks at hand than with corporate security policy. In short, they were far more worried about losing a job or a promotion due to poor performance than they were about violating corporate security policies. This is why it is important that compliance implementations be evaluated and periodically monitored for their potential negative impact on productivity.

Inflexibility Breeds Contempt

As with many jobs, employees in the high-tech sector often work substantially more than forty-hour weeks, which includes working from home at night and on weekends. Many workers are caught in a confluence of restrictive policies where receiving personal email at their work email address is technically prohibited and access to personal email accounts, social networks, and other messaging services is also restricted. When employees found that working additional hours from home subjected them to the same restrictions as the workplace because of VPN configurations, this only added insult to injury.

I heard many examples of highly productive younger employees frustrated with trying to coordinate social events after long days; of parents who want to receive email discussing family logistics or notes from teachers; and of a variety of other mundane, but personally important, information. One person described her frustration with what she saw as unreasonable filtering of religious material. She needed to print a receipt for a reservation to a religious service because she was working long hours and could not go home beforehand, but was blocked from accessing the material by the filter. Product managers, Web developers, and programmers all provided examples where they were blocked from seeking code samples, user-contributed documentation, or asking questions by filters that considered a broad array of sites to be social.

On the one hand, it is completely reasonable for a corporation to not want employees browsing and uploading photos from vacations or weekend events for substantial periods during the day. On the other hand, to block a productive employee from asking questions or looking for code samples in popular forums seems like an inefficient use of expensive labor resources.

Many individuals I interviewed were split on whether or not they would use their personal email account if it were monitored. But for many, monitoring for loss of intellectual property or other workplace violations would be preferable to outright blocking. Of course, violations or excessive use should be reprimanded, but I saw time and time again that inflexibility breeds contempt in cases that could otherwise have been avoided. In many instances, simple institutionally provided workarounds could mitigate many of these problems. For example, an office with a few older machines set up as public terminals and a printer, all located on an external network, would solve many employees’ need to periodically check personal email on a break or in an emergency. In other cases, file transfer mechanisms were clearly optimized only for in-office staff, leaving mobile and home users with few reasonable options to get their work done while still maintaining compliance. If the institution had investigated the needs of its mobile users and implemented mechanisms for working with documents remotely that were both reliable and efficient, most of the violations would not have occurred.

Obviously, there is no one-size-fits-all solution, given varying compliance requirements, security needs, and tolerance for risk. Yet businesses would be wise to investigate and consider the work practices and personal communication needs of their employees; otherwise, an organization may find it has unwittingly created a new class of problems that it could have avoided.