E-mail is probably the most used software application in any company. Undoubtedly, e-mail has improved the productivity and profitability of enterprises -- by improved communication and ease of data transfer. However, there is also a downside associated with the growth of e-mail in business. Various studies corroborate the fact that a large proportion -- up to 60 percent -- of e-mail received in business is unsolicited, commonly referred to as spam, and costs enterprises in numerous ways:
+ Reduced employee productivity
+ Increased risk from e-mail-borne viruses
+ Reduced E-mail server resources and Internet Bandwidth
+ Delayed or lost business communications
In addition to these important business and productivity issues, there are legal and compliance issues to consider:
+ Corporate confidentiality leaks
+ Liability claims for inappropriate e-mail use
Corporate confidentiality leaks
It's easy for an employee to attach a confidential file to an outgoing e-mail message. Whether it's by mistake or on purpose, the outcome of the loss of confidential data is the same. Borland International experienced this first-hand. A Borland employee used the company's e-mail system to send out confidential information to competitor Symantec, his prospective employer. The trade secrets included product design specifications, sales data, and information regarding a prospective contract for which both companies were competing. The employee and recipient were both charged with trade secret theft.
Although it's difficult to police the leaking of confidential reports, there are measures you can take to safeguard the accidental distribution of sensitive material. A good (and simple) policy is to ensure all relevant documents include the statement, "Confidential—for internal use only." Then, you can set your e-mail filters to block any outgoing messages and attachments that contain this phrase. Table 1 shows how a company might configure its e-mail filter to protect itself against the distribution of confidential data, as well as reduce spam and viruses.
Liability claims for inappropriate e-mail use
It's easy to send e-mail without thinking about the content and its consequences. Yet, corporate e-mail is a business tool that can have the same legal weight as a letter written on company letterhead. Unlike printed letters, once the Send key is hit, there's way to recover the message. No matter how amusing some employees may find jokes, others may be offended. Take the case of The Chevron Corporation, which in 1995 paid out $2.2 million to female employees in settlement of a law suit, in which the women successfully argued that jokes sent via Chevron's e-mail system amounted to sexual harassment.
Similarly, Norwich Union recently settled for £500,000 for sending libelous messages about a competitor. Here are other notable litigation issues involving e-mail (company names will not be included as these cases are not yet settled): Five Wall Street brokerages were fined a total of more than US$8,000,000 for failing to keep e-mail for the appropriate length of time; a major consumer products manufacturer was fined for destroying records stored in its e-mail system; a leading telecommunications company was fined for recycling its back-up tapes after the company had been sued, thereby destroying records pertinent to the legal action.
The bottom line: Having an e-mail policy is no longer a nice-to-have guideline; it’s a must-have procedure if you want to be sure your organization is secure against internet-borne blended threats and protected against all kinds of litigation.
Introducing an e-mail policy
If you don't already have an e-mail policy in place, the following section provides some guidance about the steps you should take.
Step 1: Get senior management approval
Because an e-mail policy affects all staff that have access to e-mail, it is essential to get the buy-in and support of senior management.
Step 2: Designate an e-mail policy team
To ensure that the policy is introduced smoothly, you should form a policy team to oversee and drive e-mail policy creation and implementation. The policy team, at the very least, should include individuals representing:
Senior management -- This ensures that the e-mail policy will receive the required support and funding.
Human resources -- Because dealing with e-mail abuse is a behavioral rather than a technical issue, your HR department must be involved at the outset.
Information services -- Your IS staff can add the technical expertise to help bridge the gap between behavioral problems and technical solutions. They can help identify the electronic risks and recommend the most effective software tools and techniques to manage those risks.
Legal counsel -- Before implementing your e-mail policy, be sure you're addressing all the relevant laws, and that your company's rights, in addition to those of your employees, are protected. ??anything else to say here??-cca
The e-mail policy team might also comprise the following:
Public relations manager -- In the event of an e-mail crisis, your PR manager/consultant will be responsible for keeping employees, media, customers, and shareholders informed. You should consider including an e-crisis communications plan as part of your comprehensive e-mail policy.
Writing coach -- An effective way to control e-risks is to train employees in e-mail writing techniques. Establish an electronic writing policy to ensure that employee e-mail is compliant with both your e-mail policy and corporate ??something missing here??-cca
Research consultant -- A research specialist can help in the development, undertaking, and analysis of an internal e-mail audit.
Step 3: Consult with departments and senior managers
Monitoring employees' e-mail can be an emotional subject. Some employees might be concerned that their e-mail is being scrutinized and controlled, and might regard it as an infringement on their privacy. Therefore, from the outset it's essential to get senior department managers to buy into the new policy.
Employees must understand what constitutes an acceptable level of personal communication in using the company e-mail system. Make it clear that the company e-mail system offers a low level of privacy as any message could be inspected. By informing each department head of the proposed policy, and accepting their input and agreement to its implementation, you will help prevent negative reactions from employees.
A confidential employee audit survey is also a good way to identify what issues may be at hand. For instance, you might address the following questions:
+ Do employees use the corporate e-mail system for personal use? Why and to what extent?
+ On an average day, how many e-mails do employees receive and how much time do they spend managing e-mail?
+ Do employees receive/send inappropriate or offensive messages at work? What type of mail is it (e.g., pornographic, threatening, racially discriminating)? Do they find this particularly upsetting?
+ Have employees been disciplined in the past for e-mail abuse?
+ How much unsolicited e-mail are employees receiving? How do employees deal with spam (i.e., do they read before deleting or delete immediately)?
+ Have employees received viruses via the corporate e-mail system? If so, how many and what action was taken?
+ Do employees take care to check content, grammar, spelling, and punctuation before sending an e-mail? Have they ever sent e-mail by mistake, for example by hitting the Send key by accident?
+ Are employees aware that e-mail can be used as evidence in workplace lawsuits?
+ Are employees aware that management has the right to read employee e-mail?
The above are some suggestions you may wish to cover in a workplace audit, but by no means are they exhaustive. Thus, you may wish to think of other issues you need to consider before drafting the policy.
Step 4: Write policy document
When you've collected all the feedback from each department, you can begin constructing the policy and a guide that specifies acceptable use. Key elements of the policy should include:
+ Purpose of introducing policy
+ Scope of policy (who is affected by it)
+ Explanation of what and how e-mail is being monitored
+ Clear description of what is and what is not acceptable
+ Disciplinary procedure in cases of policy breach
Although the policy should state what constitutes a breach, it's a good idea to also make a user guide available to each employee. The guide should not only clarify what is and is not deemed adequate, but it should also demonstrate the benefits of having a policy in place.
Step 5: Select e-mail filter software
Having decided on the areas that your policy will monitor, you're now in a position to decide what software will do the job. Due to the increase in unsolicited e-mail, currently there are numerous products available on the market to choose from.
The first step you should take is to decide if you wish to outsource the filter management to a third-party hosting company or maintain it in-house. Some of the pros and cons of each choice are discussed in the box at the bottom of this article.
Second, you must verify which application will ensure that each of your filter requirements can be easily monitored. For example, if you want to restrict e-mails by file size, attachment types, keywords (subject and/or body), to and from addresses, number of recipients, mailbox limits, and individual user customization, you must make sure the software lets you customize these filters.
Step 6: Educate employees
Although sometimes difficult, it's essential to receive employee support, agreement, and acceptance of the policy. You should state clearly the reasons for the action undertaken: To emphasize your point, perhaps cite recent court cases, productivity loss statistics, etc.
Communicate the benefits to the employees and the business in the same way that you would sell the benefits of your product or service to your customers.
Step 7: Monitor and review
You will need to regularly monitor the results of your policy and modify the filter settings accordingly. Should the changes affect the original guidelines you put in place, you will need to inform all users. For example, you may want to extend the policy to cover Internet access and use, instant messaging, and video conferencing.
It can also be good to provide all users with feedback on how the e-mail policy is helping your business. For example, provide regular reports on increases in productivity and resulting profit, decline in spam and virus receipt, and increased system bandwidth.
Step 8: Remind employees of the policy
Finally, research shows that people require five to seven exposures to new messages/concepts before they understand and consequently adopt them. You need to remind employees (and inform new hires) of the e-mail policy recurrently. You can do this by sending the policy out via e-mail once a quarter, including it in your employee handbooks, holding seminars on the most effective ways of using e-mail, and reporting back on the benefits of having the policy in place.
An important aspect of this last step is also to penalize offenders as laid out in the policy document. If employees discover that the policy can be breached without consequences, you will quickly find yourself back to the situation prior to implementing the policy.
Cover your bases
Any one of your employees has the power to put your company at risk by sending an e-mail containing confidential, offensive, or private financial or health information. You need to be clear about what's acceptable to put in an e-mail and what isn't. An e-mail policy is an absolutely necessary first step, but you also need to regularly remind employees of the "rules" -- and have the right technology in place when they don't follow them.