The popular and feature-packed Microsoft Teams application makes it easy for users to communicate and collaborate, both within the organization and with outside entities such as customers and suppliers.
But does it also represent a compliance risk for banks and financial institutions?
Uses of Microsoft Teams include: one-on-one and group instant messages, audio and video conferencing, and the ability to record sessions. Further, users can store, share, and collaborate on files in real-time.
The availability of dozens of third-party add-ons can extend the application’s utility in myriad ways. But system administrators in the banking industry must carefully configure the Microsoft Teams environment to maintain compliance with applicable regulations and industry standards.
Microsoft Teams Security Basics
The good news is that as a native Office 365 application, Microsoft Teams compliance relies on well-established security features and services provided to all components of the Office 365 ecosystem. This means that you can configure Microsoft Teams security policies and monitoring by using the same tool, the Office 365 Security and Compliance Center, that you use for other Office 365 applications.
The catch is that the security capabilities available to you for Teams (or any other Office 365 application) depend on your Office 365 license. The lower-level licenses, such as Office 365 Business Essentials and Office 365 Business Premium, come with log auditing and reporting capabilities, but little else that banking and finance businesses need for full compliance with applicable requirements.
For full compliance, you need one of the Office 365 Enterprise licenses–specifically, an E3, E4, or E5 license. These higher-priced licenses provide additional Microsoft Teams data protection tools, such as:
- Compliance content search: Enables enhanced searching of any content and exporting of matching content to a designated container for compliance and litigation purposes
- Unlimited archiving of files and emails with immutable preservation
- In-place eDiscovery: Streamlines the litigation discovery process
- Advanced eDiscovery (E5 only): Adds end-to-end workflow to the in-place eDiscovery process
- Legal hold: Prevents designated files and other objects from being edited or deleted as needed for internal or external investigations or litigation
An additional, important data protection capability, conditional access, lets administrators grant or block access to Teams and other resources based on conditions such as the user, sign-in location, device state, and client application. Conditional access is an Azure Active Directory feature rather than part of any Office 365 plan, so it can be used with every Office 365 license type but requires a separate Azure AD Premium (P1 or higher) license.
Compliance Best Practices for Microsoft Teams
Because of the sometimes bewildering array of regulations and industry standards that govern the banking industry, it can be difficult for system administrators to understand what security and data protection configurations are required for Microsoft Teams.
However, some best practices that all banking companies should observe include:
- Multi-factor authentication: Usernames and passwords are too easy to compromise and are no longer sufficient on their own. Enforce a second factor for all users, and in particular for Teams sign-ins from outside the organization's network, where password-only access is most exposed.
- Least-privilege access: Each user should have only the access required to perform his or her job. Scope team membership, guest access, and admin roles accordingly, and use conditional access to restrict the conditions (device, location, client) under which that access can be exercised.
- Downloads: Block file downloads to unmanaged devices, meaning devices that are not enrolled in your mobile device management or joined to your directory. Removable media such as USB thumb drives is a separate matter: it is controlled on the endpoint itself, not by Teams.
- External sharing: Enabling external users to collaborate with your internal users enhances productivity, but it also allows inadvertent sharing of sensitive information. Monitor and audit any external sharing so that sensitive documents and conversations do not leave the organization unnoticed.
In addition, a word about instant messaging compliance is in order.
Enterprise messaging, such as the instant messaging feature of Teams, is an important productivity tool, but it can be a source of compliance issues.
Take, for example, the Payment Card Industry Data Security Standard (PCI DSS, or PCI for short). Teams, like any application through which cardholder data (CHD) might pass, must be monitored so that cardholder data, above all the primary account number (PAN), is not exposed to unauthorized users.
Instant messages in Microsoft Teams should be audited for the presence of cardholder data. In addition, a common practice is to apply a retention policy that automatically and permanently deletes Teams chat messages older than a configurable number of days, which shortens the window during which stray cardholder data persists in chat history. Note that content under a legal hold is preserved regardless of such a policy.
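The audit step above is often left to a product, but the core check is simple enough to show. The following is an added example, not code from the original article or from LeapXpert: it scans a handful of constructed Teams chat messages for primary account numbers by extracting 13-19 digit runs (with optional space or hyphen separators) and keeping only those that pass the Luhn mod-10 check, which filters out most ticket numbers and phone numbers. It also flags findings from external senders, tying back to the external-sharing point above. The internal domain, the message format, and the sample messages are all assumptions made for the example.

```python
"""Scan Teams chat messages for cardholder data (primary account numbers)."""
import re
from dataclasses import dataclass

# Assumed: messages from any other domain are treated as external.
INTERNAL_DOMAIN = "bank.example"

# Candidate PAN: 13-19 digits, each optionally followed by a space or hyphen.
# The look-arounds stop the pattern from matching inside longer digit runs,
# so a 20-digit reference number is ignored rather than partially matched.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in a message body, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    message_id: str
    sender: str
    external: bool
    masked_pan: str


def scan_messages(messages: list[dict]) -> list[Finding]:
    """Produce one Finding per PAN per message; the raw PAN is never stored."""
    findings = []
    for msg in messages:
        sender = msg["from"]
        external = not sender.lower().endswith("@" + INTERNAL_DOMAIN)
        for pan in find_pans(msg["body"]):
            findings.append(Finding(msg["id"], sender, external, mask_pan(pan)))
    return findings


# Constructed sample messages; the card numbers are the well-known test PANs.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@bank.example",
     "body": "Customer card is 4111 1111 1111 1111, can you refund?"},
    {"id": "m2", "from": "bob@bank.example",
     "body": "Ticket 12345678901234 is still open"},        # 14 digits, fails Luhn
    {"id": "m3", "from": "carol@partner.example",
     "body": "Use 5500-0000-0000-0004 for the test"},
    {"id": "m4", "from": "dave@bank.example",
     "body": "Call me at 555-0100"},                        # too short to match
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        tag = "EXTERNAL" if f.external else "internal"
        print(f"{f.message_id} {f.sender} [{tag}] PAN {f.masked_pan}")
```

Luhn filtering removes most false positives but not all (some internal reference numbers happen to pass), so a production scanner would also check issuer prefixes and route hits to a reviewer rather than acting on them automatically. The finding records only a masked PAN so the audit log itself does not become a new store of cardholder data.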
Add a Layer of Compliance with LeapXpert
LeapXpert integrates with Microsoft Teams, adding a layer of compliance monitoring and auditing not available with Office 365’s native data protection capabilities. With LeapXpert, you can set rules for your users’ Teams sessions with both internal and external collaborators and automatically monitor and flag conversations in which the rules are broken.
This advanced capability, among others, provides peace of mind to industries such as banking that are always one minor mistake away from heavy fines, litigation, and bad publicity.
For more information on how LeapXpert can enhance your Microsoft Teams data protection, contact LeapXpert today.