The misuse of email systems by staff is by far the most common email security problem. The potentially devastating consequences associated with the abuse of company email systems highlight the critical importance of developing and implementing a comprehensive email security strategy.
Such a strategy must employ a two-pronged approach in which a highly specific email usage policy is combined with the implementation of appropriate technology solutions.
A 2002 survey commissioned by content security solutions company SurfControl found that 69 per cent of all IT staff canvassed admitted they were prepared to open ‘suspicious’ emails, with 42 per cent willing to circulate the contents to friends and colleagues. Employee behaviour of this kind is often the result of ignorance on the part of employees as to the potential consequences for themselves, the recipient and, most importantly, the company.
An email usage policy, therefore, is very much a pro-active document in that it can prevent significant amounts of ‘thoughtless’ email abuse.
An email policy might clearly state, for example, that the distribution of a tasteless joke or image, even if done without malicious intent, may cause great offence to intended and unintended recipients, exposing both the sender and company to serious consequences.
For many employees, such specificity with regard to what constitutes unacceptable use of company email systems can lead to a noticeable cessation in such activity.
There will always be those, however, for whom a broadly stated email policy will have little impact on the desire to use company email systems inappropriately. To be effective in these circumstances, an email policy must meet a number of key requirements.
A legal briefing entitled, ‘Misconduct in E-mail and Internet Use at Work’, published by the Australian Government Solicitor (AGS) in February 2001, lists these requirements as part of a detailed examination of email regulation and Internet use in Commonwealth departments and agencies.
The requirements specified in the AGS document act as a valuable guide to the formulation of a robust email policy. The requirements include:
These key elements act as a checklist when designing an email policy for implementation within the workplace environment.
Making the policy concise
In addition to general statements regarding the use of company email facilities, the policy document should also provide specific compliance guidelines, an explanation of enforcement procedures to be used and a clear articulation of the consequences resulting from policy infringement. If any of these items are worded ambiguously, or too broadly, then enforcement becomes difficult, if not impossible.
Make the policy easily understood
State policies, guidelines, enforcement procedures and infringement consequences using everyday language. Avoid technical or administrative jargon that may only serve to cloud the message. Employ diagrams, symbols, charts and similar techniques to make the message clearer. Provide the name and contact number of a company representative appointed to provide further assistance and information if required.
Make the policy prominent
Don’t bury the policy document deep in a company handbook where it is unlikely to ever be viewed. Place it where it will be seen frequently by all employees. This might take the form of a message screen that appears each time an employee starts their computer or uses an application. The policy can also be posted on the company Intranet and even as a poster prominently displayed in office areas.
Update the policy regularly
Technology and circumstances change almost constantly. An effective email policy must therefore adapt commensurately. Previously acceptable email practices, for example, may have to be discontinued as a result of a legal decision taken against another company. The emergence of new threats in the form of computer viruses and spam may also necessitate alterations in an organisation’s email policy.
Provide staff with information and training
The provision of information and training to staff with regard to email policy and procedure is vital, for a ‘security conscious’ employee culture is one of the greatest assets a company can possess. To this end, compliance with company email policy will be substantially higher when employees are made fully aware of the threats ever present in the online environment, as well as the potentially devastating consequences of transgression, both for themselves and their employer. Such an approach will serve to ensure that employees come to understand that an email policy is not an attempt to place them under a dictatorial regime, but rather a necessary measure to protect everyone from the well-documented downside of the digital age.
Vincent Brown is an IT lecturer and writer based in Perth. His website is located at www.iprofessional.info
© Business News 2017.