What comes to mind when you think about your email? Email makes almost instant communication with your co-workers possible without leaving your desk, or a quick note to a family member who lives far away, but it also has a very annoying downside: junk mail. Since the introduction of the Internet, email has been one of its primary uses. The fact that it is a fast, cheap and easy means of communication makes email a great business tool. But a series of threats for employers is also associated with email usage. Email threats such as confidentiality breaches, legal liability, lost productivity and damage to reputation cost organizations millions of dollars each year. In the majority of cases, companies are held responsible for all the information transmitted on or from their systems. As a result, inappropriate emails can result in multi-million dollar penalties in addition to other costs.

For example, a Federal Communications Commission (FCC) employee unintentionally sent a dirty joke entitled 'Nuns in Heaven' to 6,000 journalists and government officials on the agency's group email list. This employee's lapse in judgment and electronic mistake resulted in negative publicity and national embarrassment for the FCC. In the US, Chevron settled a case filed by four female employees for $2.2 million. The employees alleged that sexually harassing emails sent through the company's email system created a threatening work environment. One of the sexually offensive messages was a joke sheet titled '25 reasons why beer is better than women'. A company can also be liable if one of its employees sends an email containing a virus.

Confidentiality breaches can be accidental, for instance when an employee selects the wrong contact name in the 'To:' field, or intentional, such as the case where an employee uses his corporate email account to send confidential information to one of the company's competitors. In the latter case, both the employee and the recipient could be charged with trade secret theft. Nonetheless, whether it happens by mistake or on purpose, the result of the loss of confidential data is the same.

Lost productivity due to inappropriate use of a firm's email system is a growing area of concern. A recent survey revealed that 86 per cent of workers used their company email to send and receive personal emails. Given that it has become very hard in our modern world to keep people's personal lives outside of the workday, companies struggle to find effective ways of balancing employee freedoms and corporate protection. In addition to personal emails, unwanted spam messages are a significant time waster. Spam and personal abuse of email can also cause a corporation's email system to waste valuable bandwidth. A Gartner Group study of 13,000 email users found that 90 percent receive spam at least once a week, and almost 50 percent get spammed more than 6 times a week. Personal emails cause network congestion since they are not only unnecessary, but tend to be mailed to a large list of recipients and often include large attachments such as mp3, executable or video files that users do not zip.

Adopting an anti-spam system alone has not proven effective at stopping spam. Combining spam blockers with other spam control technologies such as SIDF, SPF, Bayesian filters, blacklists, whitelists, anomaly detection and spam signatures has proven to be much more effective. There are also organizations such as the Anti Spam League (AntiSpamLeague.org) that give Internet users the chance to report the individuals and companies responsible for spamming. You can become a member for free and learn how to control the spam problem by visiting their website at www.antispamleague.org. For more details on how to deal with spam, read the article 'How Can I Stop It? - The Challenging Task of Controlling Spam'.

How can a company protect itself from these threats? The first step in securing your organization is to create an email usage policy. Every company needs to establish a policy regarding use of and access to company email systems, and then tell all employees what that policy is. After you have created your email policy you must make sure it is actually implemented. This can be done by providing regular training and by monitoring employees' email using some type of email security software. The email policy should be made available and easily accessible to all employees and should be included in employee handbooks and on company intranets. It is best to include the email policy, or a short statement regarding the policy, in employment contracts. In this way the employee must acknowledge in writing that he/she is aware of the email policy and of the obligation to adhere to it.
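As an added illustration (not code from the article or from any product it mentions), the layered spam control described above, in which whitelist, blacklist, spam-signature and Bayesian signals each contribute to a single score, can be sketched as follows. The sender lists, the signature and the per-word counts are constructed sample data, and the signal weights and the 1.0 quarantine threshold are assumptions.

```python
import hashlib
import math
import re

# Constructed sample data (not from the article): trusted senders, a sender
# domain seen spamming, a fingerprint of a known spam body, and per-word
# (spam, ham) counts that a Bayesian filter would have learned from labelled
# mail. N_SPAM / N_HAM are the sizes of that assumed training set.
WHITELIST = {"alice@partner.example"}
BLACKLIST = {"bulk.example"}
SPAM_SIGNATURES = {hashlib.sha256(b"You have won a prize! Claim now").hexdigest()}
SPAM_WORDS = {"prize": (40, 1), "won": (35, 2), "claim": (30, 3),
              "meeting": (1, 40), "invoice": (5, 30), "quarterly": (0, 25)}
N_SPAM, N_HAM = 100, 100


def bayes_spam_probability(body):
    """Naive Bayes over word presence; returns P(spam | words in body)."""
    log_odds = 0.0
    for word in set(re.findall(r"[a-z]+", body.lower())):
        spam_n, ham_n = SPAM_WORDS.get(word, (0, 0))
        p_w_spam = (spam_n + 1) / (N_SPAM + 2)   # Laplace smoothing so unseen
        p_w_ham = (ham_n + 1) / (N_HAM + 2)      # words contribute log(1) = 0
        log_odds += math.log(p_w_spam / p_w_ham)
    return 1 / (1 + math.exp(-log_odds))


def score_message(sender, body):
    """Combine independent signals into one score (assumed weights)."""
    if sender in WHITELIST:           # trusted sender short-circuits everything
        return 0.0
    score = 0.0
    domain = sender.rsplit("@", 1)[-1]
    if domain in BLACKLIST:           # blacklist alone is not decisive
        score += 0.6
    if hashlib.sha256(body.strip().encode()).hexdigest() in SPAM_SIGNATURES:
        score += 1.0                  # exact known-spam body is decisive
    score += bayes_spam_probability(body)
    return round(score, 3)


def is_spam(sender, body):
    """Quarantine when the combined score reaches the assumed 1.0 threshold."""
    return score_message(sender, body) >= 1.0
```

A blacklisted sender with a body the Bayesian filter is only fairly sure about is caught by the combination even though neither signal would reach the threshold alone.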
What are some of the benefits of having a clear and effective email policy? First, it helps prevent email threats, since it makes your staff aware of the corporate rules and guidelines. Second, it can help stop any misconduct at an early stage by asking employees to come forward as soon as they receive an offensive email. Keeping incidents to a minimum can help avoid legal liability. For example, in the case of Morgan Stanley, a US investment bank that faced an employee court case, the court ruled that a single email communication - a racist joke, in this case - cannot create a hostile work environment and dismissed the case against them. Third, if an incident does occur, an email policy can minimize the corporation's liability for the employee's actions. Previous cases have shown that the existence of an email policy can prove that the company has taken steps to prevent inappropriate use of the email system, and the company can therefore be freed of liability. Fourth, if you are going to use email filtering software to check the contents of your employees' emails, you must have an email policy that states this clearly. Some employees may argue that by monitoring their emails, companies are violating their privacy rights. However, court cases have shown that if the employer has warned the employee beforehand that their email might be monitored, the employer has a right to do so. People usually respond better when they know where they stand and what is expected of them.

The recent spike in the volume of spam traveling across the Internet, combined with the dangers of phishing and virus attacks that frequently accompany these messages, has forced corporations to reconsider how they determine which messages will be allowed into their network. For years, companies have addressed their email security needs through a mixture of third-party software solutions designed to address specific areas of vulnerability. Today, however, this approach appears to be ineffective. New threats adapt to even the latest security technology, helping hackers and spammers stay a step ahead of most stand-alone protective measures. System administrators remain in a reactive mode, waiting for the next attack and hoping their mixed bag of security software is up to the test.
The role of email in Sarbanes-Oxley compliance cannot be overstated. The Sarbanes-Oxley Act of 2002 and associated rules adopted by the Securities and Exchange Commission (SEC) require certain businesses to report on the effectiveness of their internal controls over financial reporting. Effective internal controls ensure information integrity by mandating the confidentiality, privacy, availability, controlled access, monitoring and reporting of corporate or customer financial information. Companies that must comply with Sarbanes-Oxley include U.S. public companies, foreign filers in U.S. markets and privately held companies with public debt. U.S. companies with a market cap greater than $75M and on an accelerated (2004) filing deadline are required to comply for fiscal years ending on or after Nov. 15, 2004. All others are required to comply for fiscal years ending on or after April 15, 2005.
Because the bulk of information in most corporations is created, stored, transmitted and maintained electronically, IT departments are responsible for ensuring that sound practices, including corporate-wide information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern the following items:
- Network security
- Access controls
- Authentication
- Encryption
- Logging
- Monitoring and alerting
- Pre-planned, coordinated incident response
- Forensics

Most of us would agree that today email is the primary internal and external communication tool for corporations. Unfortunately, it is also one of the most exposed areas of a technology infrastructure. Email systems are critical to ensuring effective internal control over financial reporting, encryption of external messages and active policy enforcement, all essential elements of compliance. Companies must install a solution that actively enforces policy, stops offending mail both inbound and outbound and halts threats before internal controls are compromised, as opposed to passively noting violations as they occur. An effective email security solution must address all aspects of controlling access to electronically stored company financial information. Given the wide functionality of email, ensuring appropriate information access control for all of these points requires:
- A capable policy enforcement mechanism to set rules in accordance with each company's system of internal controls;
- Encryption capabilities to ensure privacy and confidentiality through secure and authenticated transport and delivery of email messages;
- Secure remote access that enables access for authorized users while preventing access by unauthorized users;
- Anti-spam and anti-phishing technology to prevent malicious code from entering a machine and to prevent private information from being provided to unauthorized parties.

On a final note, some clear guidelines for a good and effective email policy include the following points:
1) Emails should comply with the proper RFC protocols for email;
2) Employees should not attempt to obscure content or messages in emails;
3) Companies should post privacy policies where they can be read and understood, prior to submission of a request;
4) Employees should not send email to unverified or nonexistent email addresses;
5) Companies should offer users opportunities to opt out of programs.

Given that developments in email and the Internet are changing so rapidly, it is essential to review the email policy at least once every quarter. Keep an eye on new developments in email and Internet law so that you are aware of any new regulations and opportunities. When you release new updates, it is preferable to have each user sign an acknowledgment of their receipt of the policy. With all of this said, if you want to reduce electronic risks in the workplace you must take the initiative. Electronic disasters can ruin businesses, sink careers, send stock prices plummeting and generate public relations nightmares. Do not wait for a disaster to strike; prevention is always your best defense. Visit www.AntiSpamLeague.org and they will help you develop and implement written email usage and privacy policies that clearly reflect your organization's expected standards of electronic behavior, along with privacy and monitoring policies.