E-mail monitoring leads to much debate

Johannesburg, 08 Aug 2000

While email content scanning and filtering helps protect proprietary information, reduce liability, and improve productivity for email applications, of late, email monitoring has developed a bad reputation.

"In the heated debate between employers and employees about email monitoring, the IT department is often in the middle," explains Jako Voges, Symantec marketing manager for the Middle East and Africa region. "While no company wants IT to 'spy' on its personnel, employees may feel that IT is infringing on their privacy. There could be a loss of employee morale or trust for the employer when 'email monitoring' is discussed or implemented.

"On the other hand, IT managers appreciate the real business objectives behind email monitoring, including fewer security breaches."

"No one questions the right of companies to monitor email. U.S. and other courts have established that employers may monitor email, since email systems are company property. Legally, a company can determine both how and why that property may be used by employees," adds Voges.

Excellent benefits

Email monitoring helps to reduce the real risks of doing business on Internet-time. Email content scanning and filtering helps protect proprietary information, reduces liability exposure, and improves productivity for email applications. Content can be scanned for proprietary information, and for liable or inappropriate words and phrases to ensure a company's email policies are enforced. Filtering can also increase bandwidth by countering email address forgery attacks.

"Enterprises not only need to protect their infrastructure resources, but also their reputation, assets and employees," says Voges. He cites several benefits of email content filtering solutions:

  • Protecting against intellectual property loss. Whether internally- or externally-driven, intentional or unintentional, intellectual property export is a serious threat to the enterprise. According to the 2000 FBI/Computer Security Institute Computer Crime and Security Study, 273 companies reported a total of $66,708,000 in proprietary data losses in 1999.

  • Limiting liability. Email content can be a potential minefield for sexual harassment and racial discrimination suits. Email is frequently used as evidence in these cases. Also, employers may face litigation for allowing this type of inappropriate email to traverse enterprise networks.

  • Ensuring customer credibility and company reputation. Whenever a security breach occurs, it affects the customer relationship. In the business-to-business environment, the vendor may pass a virus onto its partner or experience slow communications due to network overload. Then, the credibility of the vendor may be questioned. For a consumer-oriented business, a public report about a hack attack or information leak can tarnish a company's reputation for solid business operations.

  • Maintaining employee productivity. Employees are not drones, but the cost of emailing friends and family during work hours can add up.

  • Improving network performance. Spam and non-work related emails can eat up bandwidth. Viruses, worms and other malicious code can infiltrate the network through unmonitored email systems.

A good policy

According to Voges, employees are often the biggest barrier to email monitoring. "Upper management and IT departments can generally see the big picture on email monitoring - it's about improving operations. Developing and communicating an enterprise email policy is key to obtaining employee support. A policy will also make black-and-white any issues that may seem grey. What is 'appropriate email'? What consequences can employees expect for violating the policy? A clear policy can help to extinguish employee fears about email monitoring and clarify expectations."

Voges points out that IT, as well as representatives from the human resources and legal departments, should be involved in developing an email policy. It is also helpful to have the perspective of both managers and staff. The policy should address the following areas:

1. First, an email policy should outline the primary mission of email monitoring. It may be to reduce the number of security incidents. Or, it may be to improve customer service. Every enterprise will have unique issues to address in an email policy. It is critical to address those issues specific to your individual company culture and/or work environment.

2. Email policies establish how email monitoring will be used by IT. Will employee email be read only when an incident warranting investigation has occurred? Or will employee email be read randomly?

3. The crux of an email policy is to let people know exactly what is and what is not acceptable email use. In some enterprises, no personal email is allowed at all. In others, restricted personal use is okay. Personal email use should not be the only topic addressed, though. Clearly outline business information that may be transmitted via email. Confidential information should be treated carefully and employees need to be aware of potential inappropriate distribution situations. Illustrate the policy with real-life scenarios.

4. Address privacy. Set clear expectations about privacy. According to the law, employee email is considered company property, and can be read for any reason. However, your company may treat privacy differently. It's important to let everyone know how email monitoring may affect their privacy.

5. Disciplinary action. Specify what constitutes a policy violation. Describe what measures will be taken after a violation and by whom.

Communicating email monitoring policies

Before presenting an email policy to the enterprise, it is important to get the buy-in of senior executives. "If they're not going to stand behind the policy, then it's not going to be effective," says Voges. "Presenting the email policy to senior executives first offers an additional chance to clarify and refine the policy."

Email policies are best communicated by either employees' managers or by the human resources department. The greater business objectives for email monitoring should be emphasised. Employees should be given the opportunity to read the policy. To ensure employee knowledge of the policy, employees should also be asked to sign and date the policy. It's also helpful to give them a copy for their own records. This meeting will provide the opportunity to address individual concerns about the policy and answer questions.

Enforcing email policies

With an established email policy in place, setting up email content filtering solutions to monitor email is easy. Policy-based email content filtering solutions can be tailored to fit in with your corporate policy - even as the policy evolves. Policy-based solutions take the headache out of configuring and maintaining an email monitoring program. "Email content filtering solutions should be easy to manage and maintain," Voges continues. "Centrally managed solutions help to reduce the time needed for management and maintenance. Additionally, solutions should be relatively seamless - and unobtrusive - for users as well. After all, who wants to constantly feel the 'eyes' of a monitoring system? Since needs and technologies change, IT managers also should consider the reputation of the email solution provider. Are they a proactive partner? Are they reliable?"

Email content filtering has become a very important issue for enterprise security and is just one way to reduce the content-related risks facing today's enterprises. Complete content security also includes Internet content filtering as well as virus and mobile code protection.

"Of course, no solution can completely eradicate all threats. These solutions will help to minimize and manage the business risks of the Internet computing environment," Voges concludes.

Symantec

Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, risk management, Internet content and e-mail filtering, remote management and mobile code detection technologies to customers. Headquartered in Cupertino, Calif., Symantec has worldwide operations in more than 33 countries.
