Several weeks ago I had the pleasure of hosting another Compliance Week editorial roundtable, this time in Los Angeles to discuss data security risks in the era of mobile devices and social media. The discussion was vigorous as usual, and Compliance Week will have in-depth coverage of the discussion in a separate article. Let me report some of my own conclusions here, however, in the interest of helping compliance executives to panic more effectively about a problem hurtling toward them.
Coming in on little cat feet. One roundtable participant summed up his worries about mobile devices as follows. “We were in an audit committee meeting, talking about financial projections, and all the board members were reviewing the documents on their iPads,” he said. “Then it dawned on me. We hadn't given them any iPads.”
That story says it all about why social media and mobile devices are so maddening: you look up from your desk one day and the problem is suddenly just there. The compliance department has no idea how long it's had these risks, nor much sense of what the company's exposure actually is. How long have your board directors been using iPads? How many Twitter accounts has the marketing department created? How many customers are your unhappy sales execs discreetly contacting on LinkedIn, before they announce that they're leaving? Who at your company is pinning what to Pinterest?
My point is that social media and mobile device technologies are now so inexpensive, and easy to use, that compliance departments are in a reactive position—a place compliance executives never want to be. Your risks are already out there hanging in the breeze, waiting for some clever hacker to stroll by and take advantage of them.
IT controls, on steroids. One buzzword you hear in the field of internal control is “provisioning.” Your IT department would define provisioning as issuing all the proper permissions and access—email addresses, passwords, security tokens, system clearances, and so forth—to an employee as he or she moves around the corporate org chart. Likewise, de-provisioning is the removal of those permissions when the employee should no longer have them.
Most compliance and internal audit departments, however, probably know provisioning as that task which the company doesn't do very well. Somebody transfers from HR to marketing, but still has the same password and the same access to salary information. A sales executive relocates from Europe to the United States, but nobody blocks him from downloading private customer data onto his laptop in violation of EU privacy rules. In the worst case, you fire a failing employee and forget to delete his user ID, so he logs onto the corporate network and tells all his old clients to follow him to a new firm. (I've heard that particular example at least twice from Compliance Week subscribers.)
In truth, most compliance departments are getting better at access controls—but mobile devices and social media are about to make that task much more difficult. You'll now need to cease access to any corporate Twitter or Facebook account when you separate from an employee; you'll need to confiscate any company-owned devices, and take control of any data the person may have stored in the cloud or downloaded onto a personally owned device.
The risk here—the likelihood, really—is that the company won't be able to find all the computing devices or social media accounts an employee may have used while on the job. In that case, this becomes a matter for company policy: all employment agreements should require employees to disclose any social media accounts (including user IDs and passwords) that exist on behalf of the company, and you'll need a procedure to cut off those accounts along with all the employee's other IT access should some adverse event happen.
Culture clash. The foil to my roundtable participant mentioned above, worried about his board using their own iPads, was another roundtable participant sitting across from him. “We gave our general counsel a company-approved tablet to prevent that,” the other participant said—and then, with a sigh, added, “It's still in the box. She hates it.”
The plain truth is that people are stubborn; they want to do what they want to do, and theorists who gush about best practices in compliance don't give that reality anywhere near the respect it deserves. We all use certain mobile devices because we like them, certain social media services because we find them easy. You can order employees, from the audit committee down to the shop worker, to use certain devices or social media, but that doesn't mean they will.
Moreover, even if your senior leadership does take the threat of mobile devices and social media seriously, that doesn't necessarily mean that a stern policy is the best idea for your business. One roundtable attendee hailed from a decidedly fresh, New Media sector where the company helps others thrive online. “Are we really supposed to endorse a one-way-only policy?” that person asked. “We're supposed to be one of the cutting-edge innovators. We should want employees to innovate.”
We found few solid answers at our roundtable, and I suspect that will be the case for a long while. Perhaps the best insight I heard at the event: “If you don't have a policy, don't feel bad,” one compliance executive quipped, “since you'll just be updating it all the time anyway.”
Compliance Week holds executive forums around the country just about every month, open (at no charge) to in-house compliance, risk, and audit executives looking for a chance to talk shop with their peers. What's on deck this fall?
We'll be in Philadelphia on Oct. 23, hosting a roundtable specifically for the life sciences sectors (pharma, biotech, healthcare, hospital systems) about how to improve your data collection, analysis and reporting. Only three seats left for that one, so raise a hand soon if you want to attend.
Next will be Dallas on Nov. 27, to talk about those whacky new rules for disclosure of conflict minerals and payments to foreign governments for mining operations. If you want to feel overwhelmed with fellow compliance executives, I can't think of a better place to be.
Interested? Just email me at firstname.lastname@example.org, and let's talk.