Survey Reveals Holes in E-Mail and Internet Monitoring Strategy

Security Strategies highlights key elements of successful corporate monitoring programs

• By Matt Migliore
• 12/11/2002

According to the survey, 75 percent of employees never receive formal security training on how to use the Internet and e-mail at work in a way that minimizes network security problems. Moreover, 60 percent of employees indicated they open e-mail even when the subject line makes it clear that the content is from an unknown source or contains potentially harmful material.

From an enterprise perspective, these results call into question the effectiveness of today’s corporate e-mail and Internet monitoring policies. As such, Security Strategies this week offers a quick overview of the key characteristics of a successful monitoring program.

A recent survey by The ePolicy Institute, the American Management Association, and US News & World Report found that 63 percent of U.S.-based employers monitor their Internet connections, while just 47 percent monitor e-mail.

However, according to Nancy Flynn, executive director of the ePolicy Institute and author of the books “E-Mail Rules” and “The ePolicy Handbook,” monitoring is moving up the corporate priority list. “Employers are tightening up primarily because of legal liabilities,” says Flynn. “The corporate scandals of 2002 have made most employers mindful of the fact that the bad acts of employees can come back to haunt an organization. Those bad acts often involve e-mail and Internet abuse or misuse.”

Simply recognizing the need for e-mail and Internet monitoring does not ensure an appropriate level of protection, Flynn warns. She says an effective monitoring system requires a coherent corporate strategy that addresses a number of different issues.

Policy Comes First

Once a company has a full understanding of the need for e-mail and Internet monitoring, the first step in actually implementing a program is to develop an Acceptable Use Policy (AUP). “Your written e-mail and Internet rules and policies should guide the software, not the other way around,” says Flynn.

Dennis McCabe, vice president of business development for monitoring provider Wavecrest Computing Inc., says an AUP will also help achieve employee buy-in. “It’s important for companies to articulate their e-mail and/or Internet monitoring policy to employees so as not to negatively impact morale or foster resentment in the workplace.”

Pearl Software Inc., a provider of e-mail and Internet monitoring software, packages a sample AUP with its monitoring platform. The policy suggests explaining the rationale for monitoring to employees in a positive manner. For example:

• It is our goal to increase productivity by reducing private Internet usage during working hours and allowing it off hours and during breaks.
• It is our goal to ensure a positive work environment by eliminating inappropriate usage that may result in legal liabilities.
• It is our goal to support competitive advantage by reducing the risk of unauthorized or accidental transactions and communication of sensitive data.
• It is our goal to preserve access bandwidth for planned and intended network use.
• It is our goal to reduce redundant Internet research by identifying key resources that can be shared between departments.

In addition, most experts agree, an AUP should also include consequences for non-conformance and processes for appeal. These statements, says McCabe, will increase the likelihood that employees will actually adhere to the AUP.

Software Comes Second

With a clear policy in place, companies should next look for software that can deliver on the parameters outlined by their AUP.

According to Mike Reagan, a senior vice president with monitoring provider Vericept Corporation, one of the biggest mistakes companies make when deploying monitoring software is limiting their efforts specifically to e-mail and URL filtering. “Some companies feel that if they’re monitoring e-mail, they’re covered. With all the other forms of communication now available, companies really need to understand where all of the potential areas of exposure are.” Some of those other areas are instant messaging, Internet chat, peer-to-peer, FTP, and telnet, which when ignored, says Reagan, “is like leaving on vacation and locking your front and back doors but leaving all of your first floor windows wide open.”

In a more general sense, Geoff Webb, a representative with monitoring provider FutureSoft Inc., says ease of use and good support are the most crucial characteristics of a monitoring platform. “Both Internet and e-mail filtering solutions directly impact an organization’s ability to communicate with the outside world, and any product that they choose has to be easy to maintain and well supported. It’s surprising how many organizations forget those basic truths.”

Regarding specific features, a company should be looking for:

• Scalability: The sheer volume of Internet and e-mail traffic has increased tremendously in recent years, a trend that figures to continue going forward.
• Flexibility: Web surfing and e-mail policies vary greatly from company to company, and within an organization, from department to department.
• Interoperability: Network infrastructure in a corporate environment is in a constant state of evolution, which often makes integration of disparate systems a necessity.
• Multimedia support: Whereas once e-mails and Web sites consisted primarily of a simple text/image mixture, multimedia files have achieve widespread adoption.
• Discrete spam filtering: Purveyors of spam are becoming more sophisticated in their ability to disguise junk e-mail, making it difficult to differentiate between spam and legitimate e-mail.
• Discrete URL filtering: Much like spam, differentiating between legitimate and inappropriate Web content is also difficult (look for systems that filter specific URLs rather than entire Web sites).
• Information protection: Losses to intellectual property are a huge problem in the corporate world, and often go unreported because organizations are unwilling to admit such thefts occur.

Training is a Must

To really ensure the effectiveness of an e-mail and Internet monitoring strategy, a company must provide its employees ongoing training on what constitutes acceptable use.

“Unfortunately, while most employers have written policies governing e-mail and Internet use, only 24 percent [according to the ePolicy Institute survey cited earlier] offer e-risk management/e-policy training for employees,” says the ePolicy Institute’s Flynn. “Employers should not expect untrained employees to understand e-risks or why or how to comply with e-policy.”

Flynn suggests employers conduct face-to-face training sessions first, and follow up with electronic training on a regular basis. Her advice: “Be sure employees understand the e-risks facing the organization as a whole and them as individuals. Share e-disaster stories to put the risks into real-life perspective. Address the individual concerns of the employees. Explain that the loss of trade secrets via an accidental e-mail transmission could lead to layoffs. Explain that an e-mail-related lawsuit could cost the company millions and put the company out of business.”