Email Policy: Self-Governance or Central Enforcement?
We all know email is the backbone of business communication. When the corporate email system goes down, workforce productivity plummets and the outcry is louder than for any other “utility” function the enterprise IT department provides. In the enterprise, email has arguably become more reliable and trusted than the telephone or any other human collaboration tool. If it is not properly secured, however, email also exposes the corporation to real risk: a confidential or sensitive message sent to the wrong place can end up costing a great deal in legal fees, compliance fines, and erosion of the brand.
So why have so many large organizations not implemented reliable email use and enforcement policies to govern security and compliance risk, data leak protection, messages sent by mistake, or even best practices for communication and systems efficiency? Is it a lack of available and trusted technology, human apathy, or a little of both that keeps most organizations from doing more about it?
On the technology front, many Data Leak Protection (DLP) solutions have been purchased and deployed by enterprise security departments; in most regulated industries such a system is required. These DLP systems help security, compliance, and legal departments define corporate email policy. They are also useful tools for analyzing email traffic, discovering when sensitive or confidential information has leaked, whether by accident or on purpose, and reminding employees of their company email use policies, legal risks, and liabilities.
In organizations using DLP systems, apathy cannot be the cause of the missing enforcement: policies are written down, employees are informed, understand the consequences, and sign their names saying they will abide by the policies, fully aware that their email may be inspected without their involvement. Despite this, confidential information such as social security numbers or embarrassing personal comments still turns up in messages, compliance violations continue to occur even in encrypted messages, and the email policies intended to prevent these risks go unenforced.
Most often these violations happen because humans make unintentional mistakes, and such accidents will keep happening as long as enforcement is left to self-governance. DLP systems deployed in this monitor-and-report mode are excellent at discovering and analyzing what has already happened, but they lack the ‘in-stream’ enforcement capability needed to get in front of a potential issue and stop an unwanted action before the message is delivered.
Sendmail Inc., which provides message processing appliances and applications for the messaging infrastructures of large enterprises (10,000 employees or more), believes it is critical for enterprise IT to formulate email policy and not to leave enforcement to self-governance. To mitigate the human element, the corporate IT department should put an intelligent centralized policy management system in place for all email systems: the enterprise mail system, Web mail, and public email networks such as AOL, Yahoo, and Gmail.
The requirements of an intelligent “policy management engine” must include:
- Full message content scanning (message body, headers, footer, and attachments) performed “in-stream,” that is, before the message is delivered to the recipient, so that any email policy can be applied based on any content attribute (keywords, phrases, destination, sender, attachment type, data field, etc.).
While the message is being scanned in-stream, the applicable policies should be applied automatically, and the result can be that the message is stopped, delivered, archived, forwarded to another party, copied, or flagged with an alert notification. Policy-based routing and enforcement actions can be defined centrally or delegated to each department, location, or authority according to user requirements, and a policy should be changeable dynamically so that a change takes effect “on the fly” at any time.
- Directory synchronization. With a policy engine tied to the internal employee directory, authorization rights and other actions can be applied seamlessly to any directory attribute, such as employee name, department, position, rank, or title, within groups or locations, or across “ethical walls” that keep designated departments from exchanging mail with each other.
- Scalable and extensible to social media networks. An intelligent centralized policy engine should scale to support any size of organization and extend to cover all email-enabled applications and social media networks such as Twitter, Facebook, and LinkedIn.
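As an added illustration (not Sendmail’s product code and not from the original article), the Python below shows what an in-stream policy engine of this kind does with a message before delivery: it parses the raw RFC 5322 message, pulls the headers, body and attachments into scannable form, and applies an ordered rule set that keys on sender and recipient department (an ethical wall taken from a directory snapshot), attachment type, external destination, and a social security number pattern. The directory, the example.com domain, the rule set and the sample messages are all constructed for the example; a real deployment would sit at the MTA (for instance as a milter) and feed the verdict back as accept, reject, or hold.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY
from email.utils import getaddresses
from pathlib import PurePosixPath

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain (example only)
DIRECTORY = {                       # constructed directory snapshot, stand-in for LDAP/AD sync
    "alice@example.com": {"dept": "trading"},
    "bob@example.com": {"dept": "research"},
    "carol@example.com": {"dept": "legal"},
}
ETHICAL_WALLS = {frozenset({"trading", "research"})}  # departments that may not mail each other
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}
# US SSN: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def build_message(sender, recipients, subject, body, attachments=()):
    """Construct a raw RFC 5322 message (sample input for the example only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, content in attachments:
        if isinstance(content, str):
            msg.add_attachment(content, filename=filename)          # text/plain attachment
        else:
            msg.add_attachment(content, maintype="application",
                               subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _addresses(msg, header):
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def _scannable(msg):
    """Collect every text a policy can key on: headers, body, decodable attachments."""
    header_text = "\n".join(f"{k}: {v}" for k, v in msg.items())
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        content = part.get_content()  # str for text/*, bytes otherwise
        attachments.append((part.get_filename() or "",
                            content if isinstance(content, str) else ""))
    return header_text, body_text, attachments


def evaluate(raw):
    """Apply the ordered policy set in-stream; the verdict is computed before delivery."""
    msg = message_from_bytes(raw, policy=DEFAULT_POLICY)
    sender = _addresses(msg, "From")[0]
    recipients = _addresses(msg, "To") + _addresses(msg, "Cc")
    external = [r for r in recipients if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    header_text, body_text, attachments = _scannable(msg)
    blocked, reasons, obligations = False, [], set()

    # Rule 1: ethical walls from the synchronized directory (sender dept vs each recipient dept).
    sdept = DIRECTORY.get(sender, {}).get("dept")
    for r in recipients:
        rdept = DIRECTORY.get(r, {}).get("dept")
        if sdept and rdept and frozenset({sdept, rdept}) in ETHICAL_WALLS:
            blocked = True
            reasons.append(f"ethical wall {sdept}/{rdept} ({r})")
    # Rule 2: executable attachment types are stopped regardless of destination.
    for name, _ in attachments:
        if PurePosixPath(name).suffix.lower() in BLOCKED_EXTENSIONS:
            blocked = True
            reasons.append(f"blocked attachment type: {name}")
    # Rule 3: an SSN in headers, body, or a text attachment is blocked when leaving the
    # company and must be encrypted when staying inside it.
    haystack = "\n".join([header_text, body_text, *(t for _, t in attachments)])
    if SSN_RE.search(haystack):
        if external:
            blocked = True
            obligations.add("alert_compliance")
            reasons.append("SSN addressed to external recipient")
        else:
            obligations.add("encrypt")
            reasons.append("SSN in internal message: encrypt")
    # Rule 4: everything addressed outside the company gets an archive copy.
    if external:
        obligations.add("archive_copy")
    return {"action": "block" if blocked else "deliver",
            "obligations": sorted(obligations), "reasons": reasons}


if __name__ == "__main__":
    raw = build_message("alice@example.com", ["bob@example.com"], "Q3 outlook", "Thoughts?")
    print(evaluate(raw))  # blocked by the trading/research ethical wall
```

The rules are evaluated in order and every rule runs even after one has already blocked the message, so the verdict carries the full list of reasons for the alert or the user notification rather than just the first hit; the obligations (encrypt, archive, alert) are the non-blocking actions the downstream stages act on when the message is allowed through.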
Fortunately, such technology exists today. Large organizations running a message processing platform with a powerful policy engine have found the technology integral to central policy enforcement, whether their email systems remain on-premises (most commonly Microsoft Exchange) or, where it is even more valuable, when they move their collaboration email systems to the cloud (such as Microsoft Exchange BPOS/365 or Google Gmail Apps). With a message processing platform in place, email policies can be enforced on both incoming and outgoing messages.
The same policy manager can also integrate policy-based applications such as true in-stream enforcement of DLP, encryption, and malware filtering, and even a policy that lets end users recall a message sent by mistake before it reaches its destination. Every email user has felt the panic of hitting SEND too soon and wanting the message back to fix the recipient list, the attachment, or the content of the message body. Such a recall is only possible while the message is still held within the organization’s own message stream; once it has been handed off to an outside mail server it is out of reach, which is why the hold has to happen in-stream.
Bottom line? The first step for an enterprise is to develop and adopt an email policy based on its own requirements, risks, and best practices. The second step, which ensures the policy actually takes hold, is to put in place a high-performance email backbone with an intelligent central policy management engine that enforces it. Having a system that takes the human-only element out of enforcement and administers the policy is as critical as adopting the policy itself. And once the policies and the enforcement system are in use, the same policy engine can be extended to the growing use of social media networks.
Until these steps are taken, email, one of the world’s most critical business communication tools, can leave an organization exposed to violations of legal, compliance, and security policies as well as embarrassment and brand erosion.
About Glen D. Vondrick
With more than 30 years of high-tech industry experience, including executive leadership roles in the messaging security space over the last 10 years, Glen Vondrick heads Sendmail’s customer-facing global operations, including sales, professional services, customer technical support, business development, marketing, and sales operations.