Banning the use of texting in the workplace would give employers a reprieve on meeting compliance requirements and prevent hackers from infiltrating their networks, but enforcement could be an arduous task.
Since the use of smartphones for business communications is ubiquitous as more companies expect employees to be reachable beyond their standard work hours, preventing the use of texting is not realistic.
"Prohibition of text messaging does not work and leaves an organization exposed," said Mike Pagani, senior director of product marketing at Smarsh, a Portland, Ore.-based provider of cloud-based information archiving solutions.
One of the largest risks to compliance for a company is text messaging and not social media since nearly all employees have either a company-owned smartphone or a personal one. A survey conducted by Smarsh in February and March 2017 of 119 individuals in the financial services industry with direct compliance supervision responsibilities showed that 42% reported that employees requested to use text messaging for business reasons. This number doubled from 2016.
The survey showed that texting presented the largest issue for companies with 52% of the respondents, which ranged from C-level management to chief compliance officers along with compliance department staff, which agreed. Only 33% of compliance employees said social media posed as another problem while 8% said instant messaging was a problem and 7% said website content was the source of the issue.
Out of the companies which said they allowed employees to communicate via texting, 48% said they do not have a retention or oversight solution presently.
Since many employees rely on text messages to cope with urgent business matters, banning its use is not practical.
"Individuals will use what they conveniently have in their hand at the moment they need to," he said. "Herein lies the danger to organizations. Text messaging is the go-to medium when time-sensitive or immediate communication is needed such as approvals from higher ups to proceed on a critical business issue or transaction."
Utilizing text messaging is often faster for employees than sending an email, but not archiving the texts means that companies are failing to meet their requirement for retention of electronic communication, said Alex Hamerstone, head of governance, risk management and compliance at TrustedSec, a Cleveland-based cybersecurity firm.
"Generally, when people use these unsanctioned communication methods such as text messages, it is not for malicious or nefarious reasons, it is simply to be more efficient," he said. "Unfortunately, text messages are not usually captured and stored by the employee's company."
Texts must be included in the surveillance programs in order for companies to monitor their risk, said Cromwell Fraser, vice president of communication compliance at NICE Actimize, a Hoboken, N.J.-based financial crimes software solutions provider.
"In the past few years, it have become clear that any form of surveillance and monitoring must encompass all forms of communication," he said. "This approach will allow you to capture and understand the SMS messages. More importantly, if you review the total activity and behavior of a person you can very quick understand the context and intent behind the isolated conversation."
Even employees who are using a phone owned by the company run into other modern-day issues such as receiving both personal and work texts on their mobile, which is harder to separate than emails.
"It is fairly simple to have multiple email accounts on a mobile phone, including personal email such as gmail as well as work provided email, and capture the work email only," said Hamerstone. "But with text messaging, the employees personal and work texts would be in the same bucket and the company would have to capture and store all of these texts. This would be easier, from a policy perspective, if the company owns the phone, but there are still issues."
The use of texting has always raised serious issues with companies in order for them to meet SEC regulations or other concerns about disclosing sensitive information, said Dave Chronister, managing partner of Parameter Security, a St. Louis-based cybersecurity firm.
Restricting employees from utilizing their own devices at the workplace could lower the risk of violating compliance regulations, data loss and security issues, but many corporate cultures encourage their workers to bring their own devices.
"From a practical standpoint, the more security you have in place as a company, the more restricted your employees are in their activities," he said.
The "ideal situation" for any company is to provide their employees with devices owned by the business so they can utilize additional controls along with more rights over the phones, said Chronister. This also emphasizes the separation between work and personal affairs for employees.
Companies need to enact mobile device management controls on their devices because they have the capability to archive text messages and also block certain types of applications from being loaded on the phone in the first place such as Snapchat, monitor email and web browser activity and lock the device or sensitive data remotely, he said.
"In my own company, we are very strict with our employees when it comes to mobile devices," said Chronister. "We provide them with company phones and we make it clear that they are only to use these devices for work-related activity."
Managers need to determine the happy medium which fits both a company's culture and their industry's requirement.
"Every solution is different for every organization," he said. "It's easy to get on the bring your own device (BYOD) bandwagon or to go in the opposite direction and make phones as restrictive as possible."