November/December issue
Email and corporate governance: a question of control
Philip Richardson
Advanced email content scanning and other technologies can help
organisations to achieve trusted email communications, and reduce
the legal risks of regulatory compliance.
Almost 97% of most organisations' communications are conducted
via email, says a 2002 study by the market researcher Gartner Group.
Yet, with the rising tide of spam, the constant threat of viruses
embedded in emails and attachments, and the legal ramifications
of inappropriate email usage, our favourite business tool is becoming
our Achilles’ heel.
The need to protect against computer viruses and spam continues
to fatigue organisations. But strict new regulations to govern the
use of email are forcing senior executives and their boards to concentrate
on the compliance issue.
These new corporate governance and regulatory compliance pressures
require organisations to rethink completely business communications
and the management of sensitive data. Compliance requires a change
in business processes, sign-offs for audits, technology infrastructure
and corporate culture. This has increased pressure on the business
as a whole and on the IT department in particular.
Broader focus
A few years ago, IT security had an almost single focus —
keeping ‘bad’ things out of the network. Today, the
IT department has to fight through an array of conflicting needs.
It must:
• Block improper email content but grant access to legitimate
and time-sensitive emails
• Monitor email content but provide employee privacy
• Control outbound email content
without increasing administration and operational costs
• Restrict access to sensitive information, but give authorised
users easy access to that information
• Provide a robust and reliable security infrastructure and
policy, without unduly burdening both the users and the IT helpdesk
• Respond to regulators’ demands for audits and proof
of communication controls and protocols.
Corporate governance regulations have added unwanted complexity
to business communications. Businesses across all sectors complain
of too much red tape and confusing and contradictory regulations.
It’s easy to see why, given the introduction of so many new
regulatory guidelines, which include the Regulation of Investigatory
Powers Act, the Data Protection Act, Lawful Business Practices Regulations
Act, the US Sarbanes-Oxley, and Brussels’ Basel II.
Court in the act
Any manager responsible for corporate communication would be reckless
to ignore the need to comply with current regulations. Liability
concerns regarding employee communications have never been greater;
lawyers are using computer records, email logs and, increasingly,
instant message content, as evidence in court. Cases relate to discrimination,
harassment, fraud and antitrust claims, among others.
In recent years, a telecommunications company, a retail bank, the
Inland Revenue, and even a leading law firm have fallen foul of
email misuse by employees. Consequently, companies are quite rightly
becoming far more cautious about putting company information
in an email.
Any communication that traverses a company's network remains the
property of the organisation, which is therefore responsible for
it. This leaves the company open to severe penalties if a court
finds it guilty of security breaches or of non-compliance with regulatory
law, as well as with its own corporate governance policies.
To minimise these risks, companies are claiming the right to monitor
employees' use of email as part of the right to use the corporate
network. Their aim is to stop spam, viruses, profane and coarse
language, intellectual property and other sensitive information
from leaving the company network.
Email monitoring is an emotive issue. Many employees and civil
liberties groups complain that it infringes personal privacy. This
is ironic; monitoring and blocking sensitive emails from the corporation
is primarily to protect corporate information assets (including
reputation), and is not intended to violate end user privacy.
It is essential for companies to minimise the legal risks of non-compliance,
as well as protect against security threats in the form of spam
and viruses, unauthorised access to sensitive information and identity
theft.
Lawful acts
However, they have to behave lawfully. Employees need to be told
their email is going to be monitored, and why. It is becoming standard
practice for an end user to sign an employee agreement or contract
as well as an acknowledgement that they have read, understood and
agreed to abide by the firm’s email and electronic information
policy. This should spell out that the employee may use the network
for day-to-day business and not for any purpose that would contravene
corporate or regulatory policy. Contraventions often cited in the
policy include the use of offensive language, harassment, racial
slurs and the deliberate release of sensitive corporate information
to outsiders. The policy should also make clear that electronic
staff communication may be monitored to ensure adherence with policy.
Instant messaging (IM) is an even bigger headache for IT managers.
Some employees’ objection to monitoring of corporate email,
together with attempts by some organisations to sidestep corporate
governance regulations, has made IM an alternative to email.
IM is more of a security and compliance risk than email. Users
can download public IM clients without the IT department being aware.
The department therefore has no control over the information leaving
the organisation via IM.
Unless the company blocks public IM, the door is wide open to security
threats and potential legal indictment.
Safety first
The safest way for IT departments to avoid regulatory pitfalls is
to monitor email content. But with hundreds of emails leaving the
organisation daily, this is daunting for IT staff who have data administration
and other responsibilities beyond IT security.
Automated inspection of email content reduces the burden on the
IT department. Most products use pre-defined keywords and allow
random manual checks. It is therefore critical to define what should
and shouldn't enter and leave the network.
While manual checks increase administration and operational costs,
the matching of only single keywords will often wrongly classify
some emails as harbouring inappropriate content. This means that
critical and time-sensitive outbound emails could be incorrectly
quarantined, hurting normal business processes.
Context sensitive
Companies should therefore consider using technologies that can
analyse the context of email content. These concept-based solutions,
which analyse the content and meaning of the message, can minimise
the number of false positives. This leads to more accurate blockage
of damaging outbound email content, less disruption to legitimate
communications and a lower administrative burden.
Even so, this is only part of the compliance solution. There are other
steps enterprises must take:
• Understand the regulatory framework within which the organisation
operates
• Hire a compliance expert or specialist law firm, or a specialist
IT security and compliance service provider to vet your policies
and procedures
• Assess current email using an email assessment tool that
highlights non-compliant emails and emails that do not fit within
the corporate governance framework
• Refresh corporate email policy quarterly and remind staff
each time
• Use public IM blocking products to reduce the security and
legal risks of open IM networks, preferably server-based closed
IM services that provide encryption and record all IM communications
If you introduce email monitoring, you must by law inform and have
your staff sign off on the email policy. Include policy education
tools such as a “reconsider” feature, which warns the
user about non-compliant content before an email is released. This
helps to phase in policy enforcement without appearing heavy-handed.
This will encourage greater acceptance of email monitoring amongst
staff and educate them about the appropriate use of email.
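As an added illustration of the two points above (the false positives of single-keyword matching versus context-aware scanning, and a "reconsider" warning shown before release), here is a small Python outbound-mail check. It is not from the article or any product it mentions; the sample messages, the internal domain and the score weights are constructed assumptions.

```python
import re

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
KEYWORDS = ("confidential", "forecast", "do not forward")

# Constructed sample outbound messages, not real traffic.
MESSAGES = [
    {"to": "customer@example.org", "subject": "Confidential: Q3 forecast attached",
     "body": "Please find our confidential Q3 revenue forecast attached. Do not forward.",
     "attachments": ["Q3_forecast.xlsx"]},
    {"to": "colleague@example.com", "subject": "Lunch?",
     "body": "Confidential, eh? Just kidding. Cafe at 12:30?", "attachments": []},
    {"to": "finance-team@example.com", "subject": "Draft board pack",
     "body": "Draft confidential board pack for review, comments by Friday.",
     "attachments": ["board_pack.docx"]},
]

def keyword_match(msg):
    # Single-keyword filter: one hit anywhere blocks the mail, whatever the context.
    text = (msg["subject"] + " " + msg["body"]).lower()
    return any(k in text for k in KEYWORDS)

def context_score(msg):
    # Weigh keyword hits against the signals around them and record why.
    text = (msg["subject"] + " " + msg["body"]).lower()
    score, reasons = 0, []
    hits = [k for k in KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", text)]
    if hits:
        score += len(hits)
        reasons.append("keywords: " + ", ".join(hits))
    domain = msg["to"].rsplit("@", 1)[-1].lower()
    if domain != INTERNAL_DOMAIN:  # content is leaving the company network
        score += 2
        reasons.append("external recipient " + domain)
    if msg["attachments"]:  # attached documents usually carry the sensitive data
        score += 2
        reasons.append("attachments: " + ", ".join(msg["attachments"]))
    return score, reasons

def decide(msg, quarantine_at=5, reconsider_at=3):
    # The middle band is the 'reconsider' warning shown to the sender before release.
    score, reasons = context_score(msg)
    if score >= quarantine_at:
        return "quarantine", score, reasons
    if score >= reconsider_at:
        return "reconsider", score, reasons
    return "release", score, reasons
```

The keyword filter flags all three messages, whereas the context score quarantines only the external send with an attachment, warns the sender of the internal draft, and releases the lunch invitation; the recorded reasons give the helpdesk something to show when a user asks why a mail was held.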
Access and retrieve
Companies must by law retain and retrieve emails upon legitimate
request. This requires a secure archive for emails. Encryption of
content and identity access management mean that sensitive content
is available only to authorised users.
Make sure that a security process is in place to allow for the
end-to-end encryption of outgoing emails that include commercially
sensitive information. This will ensure that sensitive information
remains private while traversing the internet.
Compliance is one of the biggest challenges facing organisations
today. It has transformed email into a troubling, rather than trusted,
medium.
Trust in email and regulatory compliance entail control of inbound
and outbound email content. Adopting the correct processes, using
the right security technology and educating users, are the ways
to gain a greater level of compliance.
However, organisations should also bear in mind that the regulatory
landscape is in constant flux. Compliance is a moving target that
will continue to challenge organisations to adapt and evolve to
stay on the right side of the law.
Philip Richardson is vice president Northern Europe, Middle
East & Africa at Entrust