Risky Business: Managing the Email Security Risk

Page 2 of 3


Eye on the Ball

One thing more companies are doing to help initiate corporate email responsibility, says Keith Crosley, director of corporate communications at Proofpoint, is to hire a person specifically to monitor all outbound email. "That seems to surprise a lot of people," Crosley says. "The typical employee is not aware that there is almost always someone besides your intended recipient reading your email."

The reason companies do this is not to check up on employee performance, but to make sure that the confidentiality of customer information is respected and that no regulatory statutes are violated.

"The kind of punch line to all this," Crosley adds, "is that even though you have all the manual monitoring of email and there’s a high level of concern about it, 44% of the companies we surveyed still had to investigate a suspected leak of confidentiality. That was the highest we’ve seen."

Policing Policies

While acceptable-use policies are virtually universal today, companies aren’t doing enough to communicate with their employees what those policies are. "When you define your policies, you then need to make sure your employees understand them," Crosley says.

That would include training employees on email policy. In terms of outbound email, policy and training should cover many different topics, such as what is appropriate information to include in any outgoing email messages, what is considered confidential material, and personal use restrictions.

"There’s also a security dimension to that," Crosley adds. "If your company is subject to federal regulations, like HIPAA, that should be spelled out."

Companies should consider developing an encryption policy as well. This includes defining which information must be encrypted and who is permitted to send encrypted messages. Not every employee should be allowed to send encrypted mail, and an encrypted message from an unauthorized sender should be treated as a potential security breach, since its content cannot be inspected.

Another policy companies should consider concerns automatic forwarding, or eliminating that option altogether. "People are on vacation and set up an auto-forward message or they want to read their email at home, so they have their email forwarded to a personal account," Crosley explains. "This can create a security risk. Auto forwarding means the email is sent to an account that isn’t under the control of the IT department."

Email Management

Email responsibility should also include email archiving. "By archiving email, it is managed as content," says Chris Bradley of MessageGate.

A policy should be put in place before archiving email, however. For operational reasons, a policy would dictate the elimination of any email that is nonbusiness or doesn’t need to be preserved. For governance reasons, email categories should be defined up front to allow email to be located more efficiently, if needed in the future, and to allow it to be stored with a greater level of security.

"Email is content and is becoming increasingly critical," Bradley continues, "and it needs to be managed in the same way as any other type of content. Lack of management creates a significant risk to corporate responsibility."

The daily flow of email, both internally and externally, provides a snapshot of a company’s overall culture. Improperly cared for—from casually hitting the send button or storing email ineffectually—email can end up hurting a company.

"This is important information that should be managed, but often it’s not," Bradley says. He recommends that a company’s first step should be examining a representative portion of its outgoing email to discern how much is uniquely identifiable personal information, such as credit card numbers; how much is nonbusiness; and how much is inappropriate behavior. "It becomes apparent very quickly that in this daily flow there are risk elements to email," Bradley says.

The next step in this tactical approach comes once the company has a clear picture of what its email contains—the amount of intellectual property, privileged communication, and the like. The email should then be prioritized, and basic rules applied to the information that will be archived. A company must also develop policies around the types of information exchange that shouldn’t be taking place via email at all.

Once these rules and policies are established, a company "can block it, discard it. You can send it back to the sender and ask them if they intended to send it," says Bradley. "One thing we found was that a majority of these breaches are inadvertent."
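The examine-prioritize-act sequence Bradley describes, as an added example that is not from the article or from MessageGate: a small Python outbound-mail classifier that Luhn-validates card-number-shaped digit runs, blocks confidential material addressed outside the company or apparently self-forwarded to a personal webmail account (Crosley's auto-forward risk), and returns inadvertent card numbers to the sender. The company domain, the webmail list, the self-forward heuristic and the sample messages are assumptions.

```python
import re

COMPANY_DOMAIN = "example.com"                               # assumed corporate domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed provider list
# Card-number-shaped runs: 13-16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
CONFIDENTIAL_RE = re.compile(r"\b(?:confidential|internal only)\b", re.I)

def luhn_ok(digits: str) -> bool:
    # Luhn checksum separates real card numbers from order or tracking numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def classify(sender: str, recipients: list, text: str) -> tuple:
    """Return (action, reasons); action is deliver, return_to_sender or block."""
    external = [r for r in recipients if domain(r) != COMPANY_DOMAIN]
    reasons = []
    # Confidential material addressed outside the company is blocked outright.
    if external and CONFIDENTIAL_RE.search(text):
        reasons.append("confidential marker sent to external recipient")
    # Heuristic (assumed): same mailbox name at a webmail provider looks like a self-forward.
    user = sender.split("@")[0].lower()
    if any(domain(r) in PERSONAL_WEBMAIL and r.split("@")[0].lower() == user for r in external):
        reasons.append("apparent forward to personal account outside IT control")
    if reasons:
        return "block", reasons
    # Card numbers are usually sent inadvertently: bounce it and ask the sender.
    cards = find_card_numbers(text)
    if cards:
        return "return_to_sender", [f"{len(cards)} card number(s) in message"]
    return "deliver", []

# Constructed sample of outbound mail (not real data) covering the three outcomes.
SAMPLE = [
    ("ann@example.com", ["bob@partner.net"], "Card 4111 1111 1111 1111, order ref 1234567890123456"),
    ("ann@example.com", ["ann@gmail.com"], "Q3 roadmap attached, CONFIDENTIAL"),
    ("ann@example.com", ["bob@example.com"], "Lunch at noon?"),
]
def review_sample() -> list:
    return [classify(*m)[0] for m in SAMPLE]
```

The 16-digit order reference in the first sample fails the Luhn check and is ignored, so only the real card number triggers a return to the sender.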

Bradley agrees with Crosley’s stance that monitoring email is an important component to corporate email responsibility. "We understand that it can feel slightly uncomfortable," Bradley says. "Yet while companies realize that there are threats that are inbound, trying to get past electronic barriers to execute malware, there is a smaller [threat that's] just as much a threat in the email going out."
