In-Depth
Fostering a Culture of Compliance: Six Steps to E-Mail Security
To successfully address weaknesses in current e-mail security, IT departments can take six proactive steps now to help their enterprises meet compliance regulations and prevent e-mail misuse.
by Chris Bradley
It is no surprise that most IT executives love to hate e-mail. Managing e-mail communication in a large organization is a tough proposition. Managing e-mail in heavily regulated industries creates a whole new set of concerns. This is exponentially true considering the complexity of regulations such as SOX, HIPPA, and FERC. Such regulations have resulted in a rising amount of e-mail being stored. It is more critical now than ever before that organizations leverage real-time enterprise e-mail controls to solve compliance and security concerns.
Despite the regular headlines, many IT departments do not have an ongoing proactive risk management strategy for e-mail. IT departments still ignore e-mail requirements within the regulations and turn a blind eye to e-mail use across corporate networks. Worse yet, most neglect conducting usage audits to find out how enterprise e-mail is being used and abused. Proper policies cannot be implemented or enforced if IT departments do not know what needs to be controlled.
For example, e-mail controls at many companies have not been established to enforce quiet periods or block unauthorized communication between regulated parties. Also, e-mail is archived without proper categorization or management tools, leaving many unable to retrieve requisite e-mail in a timely manner. Executives should be aware that mandates are now being enforced with severe consequences. Corporations and its officers are being held accountable, driving the need to mitigate any unnecessary risk.
Enterprises continue to rely on education policies to change e-mail use, ignoring the casual attitude ingrained in employee behavior. If systems are in place, they typically only include forensic reporting. No action is taken within the e-mail stream to enforce enterprise e-mail policies and prevent unintentional misuse or inappropriate abuse.
Growing Compliance Gap
As e-mail further becomes a workflow tool, its relevance deteriorates in many ways. Most see e-mail as somewhat of a burden in the work day (despite being a necessary communications tool). Users are copied and blind copied as both a courtesy and requirement. Due to the inherently informal and casual nature of e-mail within today’s workforce, organizations must find ways to “insure” themselves against the risk of momentary lapses of judgment and security breaches that are intentional and unintentional. To implement safeguards, organizations should leverage technology for consistent e-mail enterprise controls and usage policies.
Although corporate policies and education programs almost always exist, little has been done to enforce governance. As a result, personal e-mail intermixes with corporate communication that is open to e-discovery regulations. It is common for offensive e-mail to be sent within the enterprise network, exposing the enterprise to potential sexual harassment, discrimination, or other lawsuits.
To avoid the risk of security breaches or failure to comply with regulations, enterprises should begin to manage e-mail risk and implement e-mail security controls to prevent sensitive data loss.
Six Steps to E-mail Security
Even organizations with existing e-mail management solutions in place can be unaware of the dangers that lurk within their e-mail stream that can potentially trigger a violation of regulatory mandates. To successfully address weaknesses in current e-mail security, IT departments can take proactive steps now to help their enterprises meet compliance regulations and prevent e-mail misuse:
- Provide real-time blocking and re-routing of outbound e-mails. E-mail remains the de facto communication method requiring controls. Near-real-time reporting functions are no longer sufficient given that a majority of intellectual property is stored somewhere within the e-mail network. Enterprises need real-time e-mail controls with the ability to take action on e-mails in-stream through proactive security and archive management.
- Simplify accurate retrieval of archived e-mail. According to a recent Osterman Research survey, 36 percent of surveyed CIOs are more concerned about the need to archive e-mail today than 12 months ago. Many companies try to retain all e-mail, but the vast and growing volume of e-mail impacts storage budgets and resources. Often e-mail records must be produced immediately upon request, and frequently no later than 24 hours. Real-time e-mail management and archive categorization can save costly and lengthy litigation battles.
- Manage employee e-mail misuse. Because e-mail messages are often casual, communications, there is growing unintentional misuse and security violations are growing. Growing e-mail-technology sophistication coupled with insufficient e-mail controls can lead to potential data leaks and leave the door open to e-discovery problems. Managing unintentional e-mail misuse within the e-mail stream at the employee level helps provide insurance against casual e-mail misuse.
- Reduce e-mail archive storage costs. The greatest expense of e-mail storage lies in its management. Each administration task, including backups and restoration, consumes up to 43 percent of IT support costs. Companies are concerned with managing their e-mail glut as much as their critical database storage. E-mail archive categorization can automatically verify the quality and accuracy of the archiving process while scheduling deletions according to compliance timelines.
- Analyze e-mail usage and patterns. To enforce e-mail policy controls, IT departments need to create proactive e-mail security policies to effectively maintain compliance and prevent e-mail misuse. By conducting usage audits to determine how enterprise e-mail is being used and abused, IT can then implement policies to manage and control content.
- Eliminate unwanted e-mail. Enterprises may have e-mail management and security software in place but still fail to have a comprehensive end-to-end e-mail risk management solution using archive categorization and controls. Many companies try to retain all e-mails, but the huge and growing volume of e-mail impacts storage budgets and resources.
Summary
Bottom line: employee misuse continues to be a top issue driving enterprise e-mail risk. Employee comfort with e-mail causes unnecessary enterprise risk vulnerability. With frequent headlines touting data leaks and flagrant compliance breaches, it is clear that enterprises of all sizes have not yet committed to the integration of a viable, long-term approach to e-mail risk management. To meet mandatory compliance mandates, organizations need to evaluate their specific enterprise e-mail activities and commit their IT departments to leverage a sustainable ongoing policy-based approach that addresses incidents in real-time before it’s too late.
Chris Bradley is vice president of marketing and business development at MessageGate, a provider of e-mail controls for enterprise risk management. You can reach the author at [email protected].