Risky Business: Managing the Email Security Risk

Page 3 of 3


Communicating the Threat

To get companies to understand the importance of incorporating better responsibility standards for outgoing email, Bradley suggests making sure the companies know what the consequences of not monitoring communications could be. He admits this is easier with industries that are strictly regulated by the government.

In general, there should be ongoing dialogues between a company’s compliance officer and human resources and IT departments to determine what policies need to be in place and how to implement them.

Another way to get companies to recognize the scope of the problem is to have them consider litigation issues. Today, one of the first pieces of information asked for in lawsuits or investigations is outgoing email.

Email Today

Of course, email responsibility is easier said than done, Bradley adds. "There is an inertia to overcome. It involves various parts of the organization. You have to work across departments, with IT, with HR, with legal. But if you don’t start working on the risk now, sooner or later it will likely cost you."

Understanding security risks is vital when implementing any kind of email policy. Litan suggests that companies consider the following security issues:

  • Implement technology to screen out phishing attacks and emails that spread malware.
  • Don’t use email to convey sensitive and confidential information, but rather use it to tell customers or employees to deliberately go to web URLs to get the information.
  • For extremely time-sensitive and/or important communications, however, use another route, preferably the phone or snail mail.
  • Make sure employees know if their email is being read and screened. Don’t take them by surprise; at least warn them about the screening.

Orphaned accounts are also a huge corporate burden and security risk, Crosley adds. Not only do companies need to close down an account the moment employment is terminated, but also when an employee moves from one department to another. By leaving the email account open, the employee could end up receiving information that he or she otherwise no longer has access to, which could violate privacy regulations. According to Crosley, "It’s time for organizations to start automating this stuff, to do things like automatically lock out old accounts."

Overall, however, Crosley feels that the adoption of technology to enforce or police email policies is rather low. He’s found that most companies prefer to regulate and monitor email manually. "You don’t have to necessarily deploy a solution to block content," he says, "but if you are unable to monitor outbound email in a reliable way, your technology is essentially worthless."

He thinks one reason why companies don’t do a better job at using available technology is cost. "While IT security is a driver, the IT department still struggles to get the budget for anti-spam and anti-virus software. Until the CEO starts getting inundated with spam."

Outbound messaging is looked at differently as well, he adds. "People too often have a head-in-the-sand approach. If there hasn’t been a problem, there’s no incentive to spend money to prevent it. The kinds of leaks that happen through email, including regulatory issues or brand damage, can be very costly to a company, many times more than the cost of the technology solution."

Another issue is that while the technology to prevent breaches has improved immensely over the past year or two and the cost of the technology has decreased, the perception that it is expensive or unwieldy remains.

As more companies find that outbound email has become a de facto filing system for corporate communication, they realize that information sent via email can help a business grow … or it can cause irreparable damage. A good grasp of email security issues, a solid email usage and retention policy, and leveraging emerging technologies can add up to an increased opportunity to employ email for the good of the bottom line.


Emailing for Good: Responsible Email Marketing

While all companies need to make sure the email that is sent isn’t risking data breaches, some businesses also have to get their messages out without being treated like spam by their customers.

Luc Vezina, VP of marketing at Campaigner, says that email is still a relatively new marketing tactic, and companies need to change tactics as technology improves and people become more computer savvy. "Email boxes are full," he says. "People are getting a lot of mail. They need to easily be able to decide what they want and what they don’t want."

Stephanie Miller, global market catalyst for Return Path, agrees. "You want your customers to feel like the message is one-on-one, rather than a general broadcast."

Because a lot of companies use newsletters or other types of direct email to reach their clients, Miller suggests having technology in place to track whether or not the email is being read and to make sure that ISPs aren’t treating the email as spam. Vezina adds that the subject line should be direct and that the company should include not only a way to unsubscribe but also a physical mailing address and contact information so the customer can reach the company.

Companies Featured in this Article:

Gartner Research

MessageGate, Inc.

Proofpoint, Inc.

Return Path, Inc.
