Maximizing Email Security ROI: Part III - No More Mr. Nice Guy: Enforcing E-Mail Policy
by CipherTrust
This is the third of a five-part series on Maximizing E-mail Security ROI.
E-mail is an easy, cheap and readily available form of communication. It's a
great tool for businesses, but without proper safeguards in place to regulate
the information transmitted it can also be a potential threat. An effective
e-mail policy should be all-encompassing, helping organizations comply with
federal regulations, protect intellectual property and prevent offensive
materials from being transmitted across their networks.
Companies in the healthcare and financial industries are compelled by law to
ensure that they meet strict requirements with regards to patient and customer
information privacy. In addition, virtually all publicly traded companies must
now implement measures to prevent leaks of confidential corporate information.
A large part of complying with these regulations involves the implementation
and enforcement of corporate e-mail policy.
According to The ePolicy Institute's "2003 E-Mail Rules, Policies and
Practices" study, only about half (52%) of 1100 U.S. companies surveyed have
any form of e-mail monitoring and policy enforcement. Even more alarmingly,
only 19% monitor internal e-mail and only 39% monitor outgoing e-mail, leaving
a large majority of American businesses wide open to a litany of harsh
consequences. These consequences include financial penalties due to violations
of federal legislation, loss of competitive advantage from breaches of
confidentiality, lawsuits from employees alleging a hostile work environment
and destruction of company reputation as a result of disgruntled employees or
irresponsible e-mail use.
This week's newsletter will focus on the issues surrounding e-mail policy
enforcement and what companies can do to ensure that they are not harmed by
regulatory violations, intellectual property loss, costly litigation and
embarrassing headlines.
<h2>Regulatory Compliance</h2>
In nearly every industry, e-mail is the primary method of communication, both
internally and outside the organization. Healthcare professionals use it to
collaborate with colleagues and staff and correspond with patients. Banks,
brokerage firms, insurance companies and tax preparation firms use it to
communicate with customers and partners and perform countless millions of
online transactions every day. Company employees and executives use e-mail to
relay messages discussing corporate financial performance, proprietary product
information and human resource records.
The ever-increasing reliance on e-mail has brought with it federal
legislation such as the Health Insurance Portability and Accountability Act of
1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes-Oxley Act of
2002 (SOX), mandating the protection of confidential information that is stored
on, or accessible through, enterprise networks. Generally speaking, this
legislation is designed to compel businesses to:
- Ensure that e-mail messages containing confidential information are kept secure
when transmitted over an unprotected link;
- Ensure that e-mail systems and users are properly authenticated so that
confidential information does not get into the wrong hands;
- Protect e-mail servers and message stores where confidential information may be
stored; and
- Identify and track information that must remain confidential.
Failure to comply with the information privacy laws due to violation of company
policy carries with it stiff financial penalties for the enterprise (up to
$250,000 per incident) and possible criminal charges and jail time for company
executives. The good news is that a comprehensive messaging security approach
can play a major role in maintaining a company's information integrity, greatly
enhancing its return on security investment.
<h2>Asset and Intellectual Property Protection</h2>
Among a company's most important assets are its proprietary product- or
service-related data and other information designed to attain competitive
advantage. However, e-mail's prevalence and ease of use make it a ticking time
bomb for companies wishing to protect this information. A study published by PC
Week revealed that upwards of 30% of 800 employees surveyed admitted that they
had sent confidential information such as financial reports, customer records
or product data via e-mail to recipients outside the company. Ten percent
admitted receiving e-mail containing confidential information.
Not surprisingly, most breaches of confidentiality originate within a company. A
classic example of this is Borland International, a U.S. software company. A
Borland employee used the company's e-mail system to send confidential
information to Symantec, his new employer and one of Borland's main
competitors. The information transmitted included product design
specifications, sales data and information regarding a prospective contract for
which both companies were competing. As a result, both the (former) Borland
employee and the message recipient were charged with trade secret theft, and a
civil lawsuit followed (though it would seem unlikely that any financial award
could repair the lasting damage caused by the intellectual property loss).
<h2>Liability</h2>
Part I of the Maximizing E-mail Security ROI
series discussed the serious problem of the spam flood rushing toward the
enterprise gateway. While the primary costs of spam are largely volume-related,
just one offensive or disparaging internal e-mail can be equally damaging to
the company coffers. As the overall volume of e-mail sent across the Internet
rises exponentially, we have seen a corresponding spike in the number of
messages containing jokes, images, video clips and other
non-workplace-appropriate content sent from one employee to another within an
organization or to friends and family outside the organization.
The frequently sexual or racial nature of this "friendly fire" spam means that
organizations must be more vigilant than ever in ensuring that these messages
never reach their intended targets. The U.S. Supreme Court has ruled that
employers are potentially liable for sexual harassment by their employees, even
if they are unaware of it. Employees who feel violated by an e-mail sent from a
coworker can file a lawsuit alleging a hostile work environment and cause
significant financial harm to an enterprise found legally liable for the
violation. According to the ePolicy Institute, over a quarter (27%) of large
companies have defended themselves against claims of sexual harassment
resulting from inappropriate e-mail and/or Internet use. For example, Chevron
paid $2.2 million to settle a sexual harassment suit stemming from tasteless
e-mail sent to female employees from male employees.
Enterprises face the additional risk of an employee sending false or slanderous
e-mail about coworkers, the employer or their competition. One of the most
egregious cases involves UK firm Norwich Union. In 1999, an employee sent an
e-mail stating that one of their main competitors was in financial trouble and
being investigated by the Department of Trade and Industry. The competitor took
legal action against Norwich Union and received £450,000 (over $840,000 USD) in
an out-of-court settlement.
<h2>Reputation and Credibility</h2>
They say "Hell hath no fury like a woman scorned." Don't believe them. A
sufficiently disgruntled employee, male or female, could giveth her a serious
run for her money. While airing gripes around the water cooler is relatively
standard practice in many organizations, airing those same gripes via e-mail
can prove devastating to a company's image. Damage from negative remarks
e-mailed outside the company by employees is both immediate and residual: the
message recipient might choose to forward it to a friend, or post it on an
industry message board or Internet rumor mill. Once the message leaves the
enterprise gateway, you don't know where it may turn up... but you know that it
will. Whether the information being circulated is true or not is completely
irrelevant: the damage is done the instant the "Send" button is clicked.
There is no doubt that the contents of corporate e-mails reflect on the
business. UK law firm Norton Rose learned this the hard way when two of their
employees distributed the sexually graphic "Claire Swire" e-mail, which has
been read by over 10 million people around the world (there's a decent chance
you're one of them). As Norton Rose was clearly identified by name in the
e-mail, this scandal caused massive reputation damage and continues to
circulate today, compounding the harm already done. This is but one example; a
UK study revealed that small- to medium-sized businesses are losing £1.5
billion ($2.8 billion USD) every year to e-mail and web abuse and misuse,
representing a 15% dent in their potential profits. Can your company afford to
operate on a fraction of its normal revenue every year? Neither can most.
<h2>Lay Down the Law</h2>
E-mail policy enforcement must be an ongoing effort across the enterprise. To
learn more about how to ensure that your company doesn't suffer the
consequences of careless e-mail behavior, download CipherTrust's FREE
whitepaper, "Controlling Spam: The IronMail Way".
Part IV of this series will consider the issues involved in determining ROI for
preventing e-mail system intrusion.
About the Author
CipherTrust is the leader in anti-spam and email security. Learn more by
downloading our free whitepaper, "Controlling Spam: The IronMail Way" or by visiting
www.ciphertrust.com.