Microsoft 365 Communications Compliance Takes New Look at Employee Interaction
Reduce Risk in Internal and External Communications
Microsoft 365 Communications Compliance is part of the new Insider Risk solution set that recently became generally available. It is the third iteration of functionality designed to help organizations monitor communications sent and received by employees. The idea is to reduce the potential for risk to an organization generated by mistakes or deliberate actions taken by employees as they communicate internally and externally.
The loss caused by inappropriate or illegal communications might be reputational or financial. Either way, it’s undesirable, especially for large enterprises, which is why these organizations want to detect any potential problems early and then prove that they are on top of the situation should the need exist to demonstrate this point to regulators or other corporate bodies.
Office 365 Supervision Policies
The original Office 365 supervision policies expanded from covering just email to include Teams and Skype for Business Online and are still in use today. Microsoft would like customers to move from supervision policies to communication compliance policies because this application covers a wider spectrum of Office 365 communication, includes machine learning assistance to sharpen detection, and is the focus for future development. However, there’s no migration offered to move from supervision policies. In effect, the only course is to stop using supervision policies gradually as you introduce communications compliance.
Mailbox Data Basis for Compliance
Both types of policies depend on messages captured in Exchange Online. Background agents check mailboxes to scan for problems in email, the compliance records captured for Teams chat and channel conversations (including records for conversations with Skype consumer users), and Skype for Business Online transcripts. If you import data through a connector from non-Office 365 chat and messaging sources, like Bloomberg messaging, the agents can also examine those items.
When the agents detect issues, they copy messages to special mailboxes to make them available for review and resolution. This isn’t a real-time process and you can expect a delay of up to 24 hours before problem messages are flagged for review. In most cases, this isn’t a problem because compliance checking is a reactive process. In any case, it’s usual that only a percentage of detected messages are selected for review, so not every message that could contain a violation will turn up in the portal for review.
Easier Policies to Deploy
Microsoft has made many improvements in communications compliance policies to make them easier for organizations to deploy and use. The most obvious example is that you can implement a set of out-of-the-box template policies in a few clicks. These templates include:
- Regulatory Compliance: looks for entries in a custom lexicon of words that might indicate violations if present in messages between specific groups. Violations of this policy are probably dealt with by an internal compliance team.
- Sensitive Information: looks for the presence of sensitive data types in messages (Office 365 has over 100 default sensitive data types defined from passport numbers to social security numbers). Violations of this policy are like those encountered in Data Loss Prevention processing.
- Offensive and Threatening behavior: looks for text that recipients might find offensive or threatening. Violations of this policy (sometimes called “Code of Conduct” violations) are likely to be dealt with by HR. An example of country-level regulations in this area is Japan’s “power harassment” law, which takes effect for large companies on 1 April 2020.
Once you’ve seen how the policies work when exposed to real user traffic, you can tweak them to meet the compliance needs of the organization. For example, you can amend processing to bring more employees within scope of a policy (each user must have an Office 365 E5, Microsoft 365 E5, or Microsoft 365 E3 license with compliance add-on). You could also increase or decrease the percentage of matching items selected for review. Experience of supervision policies proves that selecting too high a percentage of items can generate a huge load on reviewers.
Workflow and eDiscovery
Communications Compliance includes simple workflow processing (what Microsoft calls “flexible remediation workflows”) to help track and resolve violations, mostly by the dispatch of email to offenders and their managers and recording the outcome. For the most serious cases, Communications Compliance is integrated with Microsoft 365 Advanced eDiscovery, allowing for information gathered about violations to be transferred to eDiscovery cases for further investigation and resolution.
Thought must be put into how to integrate what’s available in the application to complement and build on existing HR procedures. For instance, what should happen when a violation is detected for an employee? And what escalation steps are taken if someone proves to be a serial offender? These are decisions that Microsoft can’t make because every company is different. The implementation of employee monitoring is highly dependent on the industry the organization works in and the applicable regulations.
What Microsoft can do is deploy its expertise in artificial intelligence and machine learning to improve the effectiveness of its detection technology, most notably by reducing the number of false positives detected as apparent violations. The task of reviewers is onerous enough without having to deal with false positives. Although it’s difficult to approach zero false positives, Microsoft is confident that the application of machine learning means that communications compliance policies generate far fewer false positives than supervision policies do, especially at high data volumes.
Even the best machine learning detection experiences problems with the way language flexes and evolves. One person’s offense is another person’s norm, which makes it imperative that reviewers consider messages selected for review in context. For instance, a scatological reference about someone in a comment might be innocuous or offensive, depending on how it is phrased. And calling someone a pile of brown smelly bovine output is likely to pass most machine learning tests.
After taking the opportunity to create some policies and sending some email and Teams chats to provoke a reaction, I looked at what a communications compliance policy flagged in the Microsoft 365 Compliance Center (Figure 1). To see this information in the Microsoft 365 Compliance Center, reviewers and administrators must be assigned some specific roles.
You can see that a couple of alerts have appeared. These are generated by Office 365 alert policies. Alerts aren’t flagged for every potential violation. Instead, to keep the number of alerts to a reasonable level, the alert policy fires when a threshold of four violations is detected within a 60-minute period.
We can also see that 28 items are pending. This means that the people defined as reviewers in the communications compliance policy need to check the content of the detected items to establish if a violation exists.
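To make the two rate controls described above concrete, here is an added Python simulation (not Microsoft's code and not from this article) that keeps a review percentage of detected items and raises an alert when four detections land in a trailing 60-minute window; the detection data and the reset-after-alert behaviour are constructed assumptions.

```python
"""Simulate two rate controls of a communications compliance policy: sampling a
percentage of detected items for human review, and firing an alert when four
violations fall inside a 60-minute window. Constructed sample data; assumption:
the window resets after an alert so that a burst yields one alert, not several."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import random


@dataclass(frozen=True)
class Detection:
    sender: str
    detected_at: datetime
    subject: str


# Constructed timeline: a burst of four messages, a lull, then a second burst.
BASE = datetime(2021, 3, 1, 9, 0)
DETECTIONS = [
    Detection("alice@example.com", BASE + timedelta(minutes=m), f"constructed msg {m}")
    for m in (0, 10, 20, 30, 90, 100, 200, 210, 220, 230)
]


def sample_for_review(detections, percent, seed=0):
    """Deterministically keep roughly `percent` of detections for reviewers."""
    rng = random.Random(seed)
    return [d for d in detections if rng.random() * 100 < percent]


def alert_times(detections, threshold=4, window=timedelta(minutes=60)):
    """Sliding-window threshold: return the time of each alert. An alert fires
    when `threshold` detections fall within the trailing `window`; the window
    then resets (assumption) so each burst produces a single alert."""
    times = sorted(d.detected_at for d in detections)
    fired, start = [], 0
    for i, t in enumerate(times):
        while times[start] < t - window:   # drop detections older than the window
            start += 1
        if i - start + 1 >= threshold:
            fired.append(t)
            start = i + 1                  # reset so the same burst is not re-alerted
    return fired


if __name__ == "__main__":
    pending = sample_for_review(DETECTIONS, percent=50)
    print(f"{len(pending)} of {len(DETECTIONS)} items pending review")
    for when in alert_times(DETECTIONS):
        print("alert at", when.strftime("%H:%M"))
```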
Reviewing Potential Violations
In the past, supervision policies relied on Outlook add-ins to allow reviewers access to items selected for review. Microsoft has moved away from that approach and the only way to review items detected by communication compliance policies is through the Microsoft 365 compliance center.
The detected items can be filtered to focus in on specific recipients, senders, domains, item types, subjects, and other properties. Items can then be grouped by family (for instance, show all email together) or by conversation. This view brings all the messages in a Teams or email conversation together (like a Skype for Business transcript) to allow the reviewer to see how an interaction unfolds. This is important because a remark taken out of context can look quite different when considered amid a full conversation.
The reviewer can then examine items to decide if a violation is present. The Compliance Center offers three views:
- Source: View an item as the user sees it.
- Text: Strip away all the formatting to focus on just the text.
- Annotate: Allow the reviewer to make notes or redact text using a copy of the message (Figure 2). I found this editor irritatingly bad and hard to use.
In addition, the reviewer can see the user history to know if the sender of the message has previous violations for the same behavior. First-time offenders often receive more flexibility and understanding than serial offenders do. If the reviewer needs to download an item, they can do so as a message item or PDF.
The steps that a reviewer can take to progress an item include:
- Tagging: Mark the item as compliant, non-compliant, or questionable.
- Notify: Send email to the sender to tell them a problem has been detected and (possibly) ask for their input. Template messages help ensure that the right tone and words are used and any necessary references to organization policies are included in the email.
- Escalate: Send the message forward to a higher authority for their review and decision. For instance, a message might go to the sender’s manager.
- Resolve: Complete processing for most cases after items have been reviewed and any necessary consultations have occurred.
- Create an eDiscovery case: Send all details of the item and any associated comments forward in an Advanced eDiscovery case. This step might be used when a systematic problem is detected involving multiple people, such as potential insider trading.
- False positive: Help refine the machine learning model by marking an item as not being a problem.
Remember that Microsoft has created a framework in communication compliance policies. It’s up to an organization to take what’s available and use it in whatever way makes sense considering their business, regulatory environment, and HR policies.
A Hint of Big Brother
Communication compliance policies are not for every Office 365 tenant. Only those who need to prove to regulators that they comply with applicable regulations and laws are likely to consider using software like this. Microsoft has made steady progress in the space since the first run at supervision policies. I’d be happier if they had a better annotation editor (Exchange on-premises had one years ago), but you can’t have everything you want.