
UC Today: Applying Security and Compliance Controls to UCaaS Platforms

August 3, 2020 (updated September 21st, 2021)

Guest Blog by Marc Gilman, General Counsel and VP of Compliance, Theta Lake

As companies settle in for extended work-from-home arrangements as part of their COVID-19 response, the compliance and security controls of widely used collaboration and UCaaS applications are being scrutinised. Technology, security, and compliance stakeholders must assess the relevant technical controls to ensure that UCaaS systems are secured and that the conversations taking place on them do not expose companies to litigation, employee complaints, or sanctions from governmental regulators. Ultimately, CISOs and Chief Compliance Officers need to understand the nuances of UCaaS feature sets to appropriately manage the risks of communications on those platforms. Whether it’s Zoombombing, abusive behaviour, or the disclosure of sensitive educational, financial, or healthcare-related information, senior executives across industries must identify these risks within their organisations and take proactive steps to mitigate them.

One challenge for organisations is navigating the diverse and ever-expanding set of security controls on UCaaS platforms like Zoom, Microsoft Teams, and Cisco Webex. For example, enabling the waiting room feature in Zoom to pre-vet potential conference attendees helps to avoid offensive and disruptive Zoombombing by unauthorised users. Other features, such as requiring passwords for personal or instant meetings, requiring endpoint encryption, or enabling private chat sessions in meetings, each carry their own risk trade-offs that must be weighed.

Toggling each of these options has implications for the security and usability of your UCaaS deployments. However, making decisions about enabling these controls is often the easy part—ensuring that they remain enabled and properly configured across your enterprise accounts, often while accounting for targeted deviations and exceptions, can be time consuming and frustrating. In an organisation of twenty employees, monitoring these controls is a headache; in a multi-national company using several collaboration platforms across several business lines, it’s a migraine.

Relying on manual processes to manage and configure UCaaS technologies is not a scalable or realistic strategy. With routine patches, features, and updates coming at a rapid clip, contemplating their impact and delving into each individual implementation to review settings is not a sustainable practice. The same discipline and technology tools applied to managing corporate firewalls and applications must be applied to UCaaS tools. Given potential misconfiguration risks, the need to deploy solutions that actively monitor, report, and update security settings across an enterprise is absolutely critical. Applications that centrally impose security features and monitor status are available, and must be considered as part of an organisation’s cybersecurity protocols.
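The two preceding paragraphs describe the real operational problem: a control is switched on once, then drifts on some accounts, and approved exceptions muddy the picture of what "correct" even means. The following is an added illustration, not code from the author, Theta Lake, or any UCaaS vendor, of a baseline-driven drift audit. The setting names (`waiting_room`, `meeting_password_required`, and so on), the account snapshots, and the exception register are all constructed for the example and are not any platform's real API fields; in practice the snapshots would be pulled from each platform's admin API on a schedule.

```python
"""Configuration-drift audit for UCaaS account settings (constructed example).

Each account's effective settings are compared against a security baseline.
A control that differs from the baseline is reported unless an approved,
unexpired exception explicitly covers that account/setting/value triple.
All setting names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional

# The value each control must hold. Names are constructed, not vendor fields.
BASELINE: Dict[str, Any] = {
    "waiting_room": True,                 # pre-vet attendees before admission
    "meeting_password_required": True,    # no open personal/instant meetings
    "endpoint_encryption_required": True,
    "private_chat_in_meetings": False,    # side channels are hard to supervise
}


@dataclass(frozen=True)
class ApprovedException:
    """A documented deviation: who approved it, for what value, until when."""
    account: str
    setting: str
    value: Any
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Finding:
    account: str
    setting: str
    expected: Any
    actual: Optional[Any]
    reason: str  # "drift", "missing", or "expired_exception"


def audit(accounts: Dict[str, Dict[str, Any]],
          exceptions: List[ApprovedException],
          today: date) -> List[Finding]:
    """Return every baseline control that is not in its required state."""
    index = {(e.account, e.setting): e for e in exceptions}
    findings: List[Finding] = []
    for account, settings in accounts.items():
        for setting, expected in BASELINE.items():
            if setting not in settings:
                # An absent control is reported, not silently treated as fine.
                findings.append(Finding(account, setting, expected, None, "missing"))
                continue
            actual = settings[setting]
            if actual == expected:
                continue
            exc = index.get((account, setting))
            # An exception only covers the exact value that was approved.
            if exc is not None and exc.value == actual:
                if exc.expires >= today:
                    continue
                findings.append(Finding(account, setting, expected, actual, "expired_exception"))
            else:
                findings.append(Finding(account, setting, expected, actual, "drift"))
    return findings


def remediation_plan(findings: List[Finding]) -> Dict[tuple, Any]:
    """Map (account, setting) -> value to push so the account returns to baseline."""
    return {(f.account, f.setting): f.expected for f in findings}


# Constructed account snapshots, as an admin-API poller might return them.
ACCOUNTS = {
    "sales-eu": {"waiting_room": True, "meeting_password_required": True,
                 "endpoint_encryption_required": True, "private_chat_in_meetings": False},
    "support-us": {"waiting_room": False, "meeting_password_required": True,
                   "endpoint_encryption_required": True, "private_chat_in_meetings": True},
    "training": {"waiting_room": True, "meeting_password_required": False,
                 "endpoint_encryption_required": True},  # private chat control absent
}

# Constructed exception register: one still valid, one that has lapsed.
EXCEPTIONS = [
    ApprovedException("support-us", "private_chat_in_meetings", True, "CISO", date(2021, 12, 31)),
    ApprovedException("training", "meeting_password_required", False, "CISO", date(2020, 6, 30)),
]

if __name__ == "__main__":
    for f in audit(ACCOUNTS, EXCEPTIONS, date(2020, 8, 3)):
        print(f"{f.account:12} {f.setting:30} expected={f.expected!s:5} "
              f"actual={f.actual!s:5} [{f.reason}]")
```

Run against the constructed data on 3 August 2020, the audit flags three items: `support-us` has drifted on `waiting_room`, the `training` account's password exception lapsed in June and is now reported rather than honoured, and `training` is missing the private-chat control entirely. The valid `support-us` private-chat exception is not reported. The point of modelling exceptions with an approver, an exact approved value, and an expiry is that a deviation is tolerated only as long as someone is accountable for it; once it lapses it surfaces in the same report as ordinary drift, which is what a scheduled version of this check would feed into ticketing or automated re-enforcement.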

In addition to maintaining consistent security controls, organisations must maintain transparency into employee activities on collaboration platforms to ensure they abide by company and industry conduct rules. Employees engaged in inappropriate or abusive behaviour expose companies to significant legal, regulatory, and reputational liability.

Given the proliferation of remote-based customer service, telehealth, and financial services activity, it is no longer sufficient to provide annual trainings on Codes of Conduct and expect employees to act appropriately. Rudimentary hunt-and-peck searches of transcripts and routine physical inspections of trading floors or call center facilities to validate employee activity are impossible during the pandemic. Companies that want to manage conduct risk must invest in purpose-built tools that can analyse the dynamic communication features of collaboration platforms, identify risky behaviour, and allow compliance and risk teams to take action to address problematic interactions.

Modern UCaaS supervision technologies must be able to detect risk across what was said or shared during interactions with clients, students, patients, and colleagues. Using AI and machine learning to detect abusive or racist behaviour, as well as to analyse screen shares, whiteboards, and documents that contain URLs leading to malware or violent content, is essential. These new tools must also provide transparency into conversations to address data leakage prevention and cybersecurity risks.

UCaaS tools have been forced to adapt and mature as a result of their rapidly expanding use during the pandemic, and the corresponding evolution of supporting security and compliance technologies is underway. Implementing UCaaS tools cannot be a “set it and forget it” exercise—organisations must apply the same rigour to these platforms that they do to their critical business infrastructure.


Marc advises on technology, privacy, and product strategy at Theta Lake, and is also an adjunct professor at Fordham Law where he teaches a course on compliance, technology, and financial services. Prior to joining Theta Lake, Marc held legal and compliance roles at Morgan Stanley and was a litigation associate at Schiff Hardin LLP.


This article first appeared on UC Today.