Effective email policies: Why enforcing proper use is critical to security
Acceptable use policy and IT security
While banning staff from sending or receiving personal emails is unrealistic, organizations can set boundaries that define reasonable, excessive or inappropriate use, through a comprehensive, updated and enforced email acceptable use policy (AUP). A well-articulated email AUP addresses four core security and operational areas:
Compliance
Safe working environment
Data leakage
Asset abuse.
A framework for corporate governance
According to IDC Research, 97 billion emails are sent worldwide each day [1], and it is estimated that 80 percent of an organization’s operational records are stored within the email infrastructure.
Governments around the world have responded to email’s growing use as a business-critical tool by introducing increasing levels of legislation governing the security, storage and retrieval of email. Falling foul of such legislation not only damages an organization’s reputation, but can lead to fines, market de-listings and, in extreme cases, prosecutions and prison sentences for senior management.
Keeping abreast of such legislation is challenging, and an AUP can help by providing a formal framework that is easily reviewed, audited and enforced to ensure compliance.
Increasing compliance
Email is now central to the day-to-day operation of practically all organizations, regardless of size or sector. Yet, while it is far too important to lock down, email poses too large a risk to be left unregulated, especially as nearly all employees expect a certain level of personal email use while at work. According to employers, however, it is their own workforces that pose the greatest threat to security (figure 1).
Creating a safe working environment
An email AUP will promote a safe, productive working environment where employees can operate without fear of exposure to illegal, abusive, inappropriate or malicious material, such as pornography, jokes, harassment or threats. By removing ambiguity and ensuring all employees work to the same rules, the policy sets clear expectations on what constitutes acceptable email content.
Preventing leakage of confidential information
According to IDC, email is the number one source of leaked business information [2]. Additional research confirms that most organizations are concerned about the loss of sensitive data via email.
Most of the time this is accidental (thanks to functions like Autofill), with research showing that half of employees have sent a message containing sensitive or potentially embarrassing information by mistake [3]. In addition, analysts The Radicati Group found that 77 percent of users have forwarded business emails to their personal accounts in order to complete work when away from the office [4]. Even this most innocent of practices can leave an organization in breach of compliance regulations and can place commercial information in unauthorized hands.
Preventing asset abuse
Excessive and/or inappropriate personal use of email wastes bandwidth and places storage archives under strain, impacting on an organization’s ability to use its email infrastructure.
This is particularly problematic when employees circulate non-critical attachments, such as family photos or videos. Prohibiting or restricting this practice preserves the integrity of the email system and can extend the life of storage solutions. It also ensures that IT staff remain focused on their core responsibilities and do not spend time clearing personal emails from the system.
What an AUP should cover
An AUP should set out exactly how an employee is expected to use an organization’s email system, containing prescriptive advice on best practice and clearly defining prohibited behavior.
It is essential that regulations are explicitly stated and easily understood. The content of an AUP will vary between organizations, reflecting their regulatory environment, email quantity, IT resources and culture. Some may choose to incorporate rules governing email use into a wider AUP that covers all technology use, from telephones to web browsing to photocopying.
However, in general, an email AUP covers three main elements:
Appropriate and inappropriate email use
Policy enforcement
Policy sanctions.
Areas that should always be covered include:
Inbox management
In response to the continued growth in email use, organizations should attempt to limit the volume of messages stored in employee mailboxes. The number of emails held in archiving systems that capture both internal and external mail should also be limited,