What are the main risks of allowing staff uncontrolled access to e-mail services?
Jamie Cowper
In a few short years, e-mail has become
a business-critical tool of communication. However, while companies
have been more than willing to embrace the business benefits of
e-mail, they continue to remain oblivious to many of the responsibilities
this new form of communication brings, particularly as it affects
their employees.
It is a commonly held misconception,
due to the informal traditions of electronic communication, that
e-mails carry less weight than letters on headed notepaper. But
this is not the case. The law treats e-mails as ‘discoverable
documents’ in exactly the same way as all other forms of written
communication, and as such, just as much care and attention should
be taken regarding the content of e-mails as with other forms of
business communication.
An employee’s e-mail address at
work identifies not only the individual, but also the company. If
an employee is using his work e-mail to send inappropriate comments
or material, there is always the potential for messages sent via
the company address to impact negatively on the business. For instance,
a company would never allow employees to use its letterhead to send
out correspondence of a scandalous or personal nature – why
then should it allow its e-mail to be used in this way?
Unmonitored e-mail leaves companies open
to fraud, lawsuits, loss of confidential data, sexism, racism, pornography,
not to mention reputation damage, loss of business, and decreased
productivity. Quite simply, if a company does not have a clear and
consistent e-mail policy, it needs to get one.
From an internal point of view, an employer
has a duty of care to protect its staff from e-mail abuse and harassment.
According to a recent UK Department of Trade and Industry survey
into communication practices in British businesses, nearly a quarter
of employees have suffered crossed wires with colleagues or clients
because their use of humour in an e-mail has been misinterpreted.
Given the fact that there were 115,000 employment tribunals last
year based on work disputes, often on the grounds of racial or sexual
harassment, these figures are no laughing matter.
However, an employer’s duty to
educate staff on what constitutes acceptable online office banter
is just the tip of the iceberg. Unwise or unguarded e-mail use is
almost always the source of blame when a security breach of the
company network occurs. Many employees are still reckless in the
type of e-mail they open and respond to, and this is despite the
extensive media coverage on the dangers of viruses and hacking programmes.
Hackers and virus writers have become increasingly sophisticated,
designing and targeting messages to people based on their interests
or spoofing e-mail addresses known to the recipient. As well as
the cost in terms of productivity and downtime when a virus strikes,
a hacker has the potential to access and steal confidential information
and intellectual property.
Although it has not happened yet, it
surely won’t be long before a test case for damages caused
by virus transmission is brought against a business – already
some security software vendors are being forced to sign SLAs in
which they have to pay damages if their products fail to protect
their customers. It is only another step before companies start
to sue each other for transmitting viruses via their e-mails.
The problem of how to control corporate
e-mail usage is compounded by the growing numbers of people who
work remotely. Using a personal account or an ‘unregistered’
mobile device to send or access work-related e-mail is a common yet
unintentional method of bypassing the security measures that companies
put in place.
It is hardly surprising then that employers
frequently cite their staff as the biggest security risk to their
business. Undoubtedly, the only way a company can prevent malicious,
offensive or confidential information being transmitted across its
network is by invoking the company’s ownership of e-mail rights
to monitor mail and enforce a consistent and coherent e-mail policy.
Not only should such a policy be clearly
articulated to each and every employee, but it should also exist as
a ‘contract’ that employees have to sign up to. In this
way, everybody in a company should be made explicitly aware of the
penalties for e-mail misuse. Education on its own has proved to
be ineffective in curbing inappropriate e-mails – there also
has to be an element of compulsion if the policy is to be taken
seriously.
In addition, an effective e-mail policy
not only needs to be enforced, but also regularly updated. Phishing
scams and virus writers are constantly deploying new means of attack.
Employees need to be constantly kept abreast of all potential threats
and informed as to how they should respond and the level of care
they are expected to deploy.
E-mail has become an integral part of
business communication and can continue to be of enormous benefit
provided the necessary safeguards are met. But companies can no
longer turn a blind eye to the security indiscretions of their staff.
They must accept ownership and liability for all the information
sent across their company networks. Only when companies stop burying
their heads in the sand, and define and enforce clear e-mail policies,
will the upward trend in security breaches and e-mail-related harassment
lawsuits be reversed.
Jamie Cowper is senior technical
consultant, Mirapoint. Mirapoint is exhibiting at Infosecurity Europe
2005. Now in its 10th anniversary year, the conference and exhibition
will be held on the 26th - 28th April 2005 in the Grand Hall, Olympia.
www.infosec.co.uk

•Date: 7th January 2005 •Region: UK/World •Type: Article •Topic: ISM