Falling Short? Data Protection and Microsoft Teams
 

When the COVID-19 pandemic was declared, millions of employees around the world made an almost overnight switch from a business office to a home office. In the process, collaboration tools like Microsoft Teams became essential to corporate life.

Now a new white paper from Osterman Research examines the ramifications of Teams’ wholesale adoption. Entitled Archiving and Data Protection with Microsoft Teams and sponsored by Mimecast, the white paper is based on a survey of 142 IT decision-makers from midsize and large companies. The key question addressed by the study is whether the collaboration platform’s native data management features are adequate to satisfy the regulatory, legal and business continuity risks faced by a contemporary business.

In 2020, the number of Teams users surged 625%, from 20 million in November 2019 to 145 million as of April 2021, according to figures provided by Microsoft. But in the mad rush to collaborate, compliance officers, information governance professionals and other risk management decision-makers were rarely consulted. That, the Osterman report notes, created a significant mismatch between many companies’ regulatory and legal risks and their ability to archive, search and protect the integrity of the burgeoning amounts of data generated by Teams.

Data Retention Features Don’t Always Meet Corporate Needs

Nearly half of those surveyed by Osterman researchers said they view Microsoft 365’s archiving and data retention capabilities for Teams as falling short of their companies’ requirements (46% and 44%, respectively). Some of the key limitations include:

• Archiving a Teams workspace locks it from further activity, but this is only useful when a project or initiative has come to a close. Data from long-term, ongoing projects cannot be archived.
• On the flip side, even after a Teams workspace has been locked down, the workspace owner or an MS 365 administrator can still permanently delete all of its content. From a compliance and legal discovery standpoint, this represents a substantial risk.
• Microsoft’s data retention policies can be configured to mitigate the above by preventing the deletion, modification and unauthorized access to certain Teams content. But these safeguards only apply to some of the data generated by the platform; some Teams data cannot be protected.
• Likewise, MS 365 search capabilities only work for some Teams content; other content types, including source files and documents, are excluded from the search results. For corporate legal teams, this can severely hinder their e-discovery efforts.

Pressured by a Variety of Legal and Regulatory Requirements

Behind these concerns are a variety of legal and regulatory pressures to preserve and be able to quickly reference the data collected by Teams. Chief among these are the need to:

• Comply with Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Conform to a wide range of industry-specific regulations.
• Retain content for legal holds.
• Conduct e-discovery searches.
• Perform proactive internal data monitoring.

During the past 12 months, three out of four Osterman survey respondents indicated they experienced at least one incident where they needed to search and access the content in Teams; nearly half had to do so on two or more occasions.

Closing the Gap with Third-Party Solutions

To achieve the level of data protection and searchability that these issues warrant, the Osterman report recommends using a third-party archiving solution. This is especially the case when the organization in question has certain requirements that can only be met by the brawnier features these solutions provide. Foremost among these are:

• The ability to search across multiple collaboration platforms and content repositories without having to migrate the data to a central repository.
• The ability to capture the full range of data types employed by MS Teams.
• The ease and efficiencies of having a single solution for archival, e-discovery and compliance that works across both Microsoft and non-Microsoft data sources.
• A reduced risk that user or administrator changes will undermine compliance requisites.
• The ability to employ fewer and more consistent data retention policies.

To quote the report: “Third-party archiving solutions are more likely to offer a unified approach to policy definition and enforcement that works across multiple data types from various products, services and solutions. Fewer policies that cover a broader remit of data types can be created and managed under such an approach, decreasing the likelihood that important data types are inadvertently missed by falling between an intended space in multiple different policies.”

The Bottom Line

While the Osterman study observes that native MS 365 archiving capabilities for Teams may be adequate for some businesses with limited regulatory and e-discovery requirements, it concludes that most organizations need a more robust set of data management features. Third-party solutions can provide those features, ensuring that corporate compliance and legal officers are prepared to meet the regulatory and legal demands imposed on their companies.

Now generally available, Mimecast Archive for Microsoft Teams combines best-of-breed governance and archiving to help organizations reduce risk for the way people work today. Download the full Resource Kit to learn more.