An Email Policy Can Reduce Liability and Prevent Data Leaks
With so much buzz around social media and collaboration, it is easy to take little notice of email these days. Quietly steady, and having emerged somewhat victorious from spam attacks and malware, email is the backbone of business communications, and as such it deserves to be protected with rules and use guidelines.
While email as a technology is very stable and reliable, the people using it are not quite as consistent. With continued reliance on email for the most sensitive business matters as well as the day-to-day conduct of business, organizations of all sizes should have a well-thought-out email policy to help protect the company and its employees.
A recent Ponemon Institute survey of 830 IT and IT security practitioners (as well as IT compliance, legal and other specialists) found everyday email practices and mobile email security caused significant concerns for data protection and regulatory compliance among 59 percent of respondents. The human element, it seems, is still our greatest risk.
The survey, done in conjunction with Zix Corporation and announced last week, points to everyday email practices that contribute to leaks (such as ignoring policies, mistakenly emailing data, etc.).
Deborah Galea, co-founder and COO of Red Earth Software, believes one of the most important steps to securing the small-to-mid-sized business is a solid email policy. “It is important that employees understand what the risks are when they use email and that you have guidelines to ensure that these risks are minimized.”
On its Web site, the company, which provides the email content security software Policy Patrol for Microsoft Exchange Server and the recently introduced Policy Patrol Archiver for Exchange, offers a sample email policy to download.
“Our products are aimed at the smaller sized businesses between 25 and 250 users, although we have customers that are larger,” says Galea. While the product offers threat protection, it also inspects emails for certain content or attachments. “It checks for inappropriate or confidential emails leaving the organization.”
What should be included in an email policy? Guidelines on personal use, confidential information, passwords, email retention, encryption, and a review of best practices, for starters. The consequences of not following the email policy, and what is defined as libelous, defamatory, or offensive, should be clearly articulated to all employees. Employees also need to realize that they personally and/or the company can be held legally liable. Every employee ought to be required to read and sign a copy.
In the Ponemon study, nearly 70 percent of respondents believe employees ignore policies about emailing unencrypted sensitive or confidential documents through insecure channels.
“Email is essential to business productivity and collaboration,” comments Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “It is such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner.”
Educating employees includes letting them know that emails might be monitored. Policies need to clearly state that the content of emails is being inspected. Without this advance notice to employees, organizations might be liable for privacy infringement.
Beyond signing the email policy, employees also need to be instructed on how to be defensive. “There are not many ways for spammers to invent their way out of today’s spam blocks,” comments Galea. “I think spam is under control after 10 years and also phishing. Now the concern is spear phishing. This is how they are trying to circumvent the spam filters. Education, training employees is something that all companies should be doing,” recommends Galea. (Spear phishing scams are extremely targeted toward high-value and specific organizations or people for identity theft and other fraudulent purposes.)
In addition, says Galea, employees need to be reminded of email etiquette so that communications going outside the company are professional and in keeping with the organization's principles. Red Earth offers a list of 20 Email Etiquette Tips.
For most businesses, email is still king. Even though social media is alluring, it is not best for business communications of significance. Why? Because, at the moment, with social media we have to rely strictly on user training for managing the content. “On Twitter, for example,” says Galea, “you have no control over the messages. You can’t centrally record them, like you can with an email archive or search. It is very difficult to retrieve this information.” For regulated industries and companies concerned about legal discovery, this can be very important. As time goes on, treatment of social media is becoming more aligned with email rules; however, we are not nearly there when it comes to automated tools for content management and archiving.
For business, with so many social media platforms available, there have to be strict rules on what can be said through social media and what cannot. “It is not a good method for business communications for anything that could be relevant later,” believes Galea.
So for now, employees should be instructed to use email instead of social media for any communication that could be of relevance to a company. As for companies, email policies can function on a number of levels, from etiquette to best practices to security to legal protection and beyond.
