Effective email policies: Why enforcing proper use is critical to security
- Author Ted Weber
- Published February 3, 2010
- Word count 2,763
The unmonitored and unguarded use of email by employees poses a multitude of risks to
organizations. The distribution of inappropriate or offensive content, malicious emails, and the
risks of data leakage all threaten working environments, IT resources and an organization’s
reputation. A comprehensive, transparent and enforceable email acceptable use policy
(AUP), combined with robust email security solutions, dramatically reduces exposure to
these risks. This paper investigates why organizations need an email AUP and highlights
how they can enforce it. It also provides practical guidance on developing a policy that
meets the combined requirements of an organization’s IT, HR and legal departments.
Acceptable use policy and IT security
While banning staff from sending or receiving personal emails is unrealistic, organizations can
set boundaries that define reasonable, excessive or inappropriate use, through a comprehensive, updated and enforced email acceptable use policy (AUP). A well-articulated email AUP addresses four core security and operational areas:
Compliance
Safe working environment
Data leakage
Asset abuse.
A framework for corporate governance
According to IDC Research, 97 billion emails are sent worldwide each day [1], and it is estimated that 80 percent of an organization’s operational records are stored within the email infrastructure.
Governments around the world have responded to email’s growing use as a business-critical tool by introducing increasing levels of legislation governing the security, storage and retrieval of email. Falling foul of such legislation not only damages an organization’s reputation, but can lead to fines, market de-listings and, in extreme cases, prosecutions and prison sentences for senior management.
Keeping abreast of such legislation is challenging, and an AUP can help by providing a formal framework that is easily reviewed, audited and enforced to ensure compliance.
Increasing compliance
Email is now central to the day-to-day operation of practically all organizations, regardless of size or sector. It is far too important to lock down, yet it poses too large a risk to be left unregulated, especially as nearly all employees expect some level of personal email use while at work. Employers, moreover, report that their own workforces pose the greatest threat to security (figure 1).
Creating a safe working environment
An email AUP will promote a safe, productive working environment where employees can operate without fear of exposure to illegal, abusive, inappropriate or malicious material, such as pornography, jokes, harassment or threats. By removing ambiguity and ensuring all employees work to the same rules, the policy sets clear expectations on what constitutes acceptable email content.
Preventing leakage of confidential information
According to IDC, email is the number one source of leaked business information [2]. Additional research confirms that most organizations are concerned about the loss of sensitive data via email.
Much of this leakage is accidental (address autocompletion is a common cause), with research showing that half of employees have sent a message containing sensitive or potentially embarrassing information by mistake [3]. In addition, analysts The Radicati Group found that 77 percent of users have forwarded business emails to their personal accounts in order to complete work when away from the office [4]. Even this most innocent of practices can leave an organization in breach of compliance regulations and can place commercial information in unauthorized hands.
Preventing asset abuse
Excessive and/or inappropriate personal use of email wastes bandwidth and places
storage archives under strain, impacting on an organization’s ability to use its email infrastructure.
This is particularly problematic when employees circulate non-critical attachments, such as family photos or videos. Prohibiting or restricting this practice preserves the integrity of the email system and can extend the life of storage solutions. It also ensures that IT staff remain focused on their core responsibilities and do not spend time clearing personal emails from the system.
What an AUP should cover
An AUP should set out exactly how an employee is expected to use an organization’s email system, containing prescriptive advice on best practice and clearly defining prohibited behavior.
It is essential that the rules are explicitly stated and easily understood. The content of an AUP will vary between organizations, reflecting their regulatory environment, email volume, IT resources and culture. Some may choose to incorporate rules governing email use into a wider AUP that covers all technology use, from telephones to web browsing to photocopying.
However, in general, an email AUP covers three
main elements:
Appropriate and inappropriate email use
Policy enforcement
Policy sanctions.
Areas that should always be covered include:
Inbox management
In response to the continued growth in email use, organizations should attempt to limit the volume of messages stored in employee mailboxes. The number of emails held in archiving systems that capture both internal and external mail should also be limited, ensuring resources are not overloaded and allowing for easy message retrieval.
Circulation of attachments
Users commonly view email as a quick method of sharing content with colleagues. However, this practice needlessly uses up bandwidth and archive space. Instead, attachments should be stripped from messages before they are archived, and the files saved on an appropriate server. Additionally, employees should be instructed on how to use shared network folders to circulate files internally, rather than attaching them to emails. Consider that one person sending a 5 MB attachment to five other employees results in more than 25 MB of email server storage requirements. Placing this file on a shared server and circulating a link to its location not only greatly reduces the size of the email, it prevents unnecessary duplication of files across multiple locations.
Remote access of email services
Rules should be set governing remote access to the corporate email network, both from employees’ own computers and over the internet/public Wi-Fi networks. Some organizations ban this practice altogether, while others permit it only if the computer accessing the network is certified as secure by, for example, a network access control (NAC) solution.
Personal/non-business critical use of email
File types categorized as non-business critical (for example, JPEGs, MP3s, executables and anything considered potentially malicious) should not be received or sent. The dissemination of illegal, offensive or other inappropriate content should also be prohibited. Employees should understand that companies are obliged to report any unlawful behavior to the authorities, and that inappropriate activity can invoke disciplinary proceedings. Some organizations may also choose to block access to web-based email services, such as Hotmail and Gmail.
AUP enforcement
The email AUP must be enforced if employees are to adhere to its rules. If they realize that
their messages are reviewed and stored – and then retrieved if needed – employees might think
twice before misusing the email system. An AUP should provide total transparency about how an organization intends to police its email system, ensuring that there are no surprises in the event of disciplinary action being invoked.
Enforcement through technology
The key to enforcement is the deployment of IT security solutions capable of auditing everyday
email use, spotting and tracking potential or confirmed violations and notifying the appropriate managers if a violation has occurred. Although it is not necessary to inform staff about the actual technology behind the solutions deployed, it is worth explaining their top-level capabilities.
Gateway email protection. Commonly deployed to block spam and malicious emails from entering networks, gateway protection is highly effective at stopping suspicious or unwanted file attachments, offensive content and sensitive corporate information. The leading solutions scan outbound and inbound messages and
attachments, ensuring that no unauthorized content leaves the network. Organizations can choose either to block or quarantine these emails, and administrators are automatically
notified of attempted violations.
Email server protection. Security solutions at the email server level protect against the internal circulation of unwanted content. By scanning inter-departmental emails for jokes, photos, chain letters, malware and confidential information which the recipient has no authority to access, organizations can further bolster their email security. As with gateway protection, any violation will be flagged up to the relevant managers.
Endpoint protection. Organizations that permit access to web-based mail over the corporate network should ensure that all endpoint computers – desktops, laptops and mobile devices – are running up-to-date security software. Emails from webmail accounts bypass corporate gateway defenses, and so have an unobstructed route into an organization. Endpoint protection closes this loophole by picking up any malicious or unwanted content that employees attempt to download from this source.
Procedures for reporting misuse
Employees should be encouraged to report the alleged misuse of email resources and a clear and
anonymous procedure must be put in place to facilitate this.
Sanctions for breaching AUP regulations
All users must understand the potential consequences of not complying with the email
AUP. These consequences will depend on several factors, including whether the abuser is a first or repeat offender, whether the breach represents illegal, offensive or merely wasteful behavior, the regulatory environment in which the company operates and the firm’s cultural outlook. The sanctions will relate to the severity of the offense, ranging from verbal and written warnings, and on to dismissals.
Who is responsible for the AUP?
The HR, IT and legal departments are all stakeholders in the creation and enforcement of an email AUP. Employees should also contribute to an AUP, enabling greater transparency and buy-in and ensuring that everyone is aware of its existence. At some organizations, the CEO or other board members may take an active involvement, as they can be held personally liable for email misuse by any employee. Typically, staff from all three departments should work together to develop the policy, with specific responsibilities divided as follows.
HR role
The HR department owns the overall process of developing an email AUP, taking responsibility for awareness, distribution and training. Using data provided by the IT department, and by responding to reports of alleged misuse, HR conducts audits to ensure that rules are observed, investigates suspected policy contraventions, and implements disciplinary procedures.
IT role
By using the security solution’s reporting features, the IT team generates the forensic evidence needed to identify and log email abuse. The data gathered represents the company’s principal source of security intelligence, and can be pieced together to analyze each breach and pinpoint the staff responsible. This information can then be escalated to HR.
The IT department also advises HR on the changing capabilities of the organization’s IT defenses. For example, if a new solution is deployed to scan outbound messages for sensitive material (e.g. credit card or social security numbers), the AUP might need to be amended and email users might require additional training.
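The outbound scanning described under gateway and email server protection above, and the credit card and social security number check mentioned here, as an added example (this is not Sophos code and not from the original paper): a Python policy filter that parses one outbound message, looks for card numbers and SSNs in its text parts (card candidates are validated with the Luhn checksum so random digit runs are not flagged), checks attachment file types against the paper’s non-business list, and decides block, quarantine or deliver depending on whether a recipient is outside the corporate domain or at a personal webmail provider. The corporate domain, the webmail list, the extension list and the three actions are assumptions, and the sample message is constructed inline.

```python
"""Outbound e-mail policy check of the kind a gateway or mail-server filter applies.

Added example for this article; it is not Sophos code and not from the original
paper. Domain names, file-type list and the block/quarantine/deliver actions are
assumptions chosen for illustration.
"""
import os
import re
from email.message import EmailMessage
from email.utils import getaddresses

CORPORATE_DOMAIN = "example.com"                               # assumption
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}  # assumption
# Paper's non-business list (JPEGs, MP3s, executables) plus common script types.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".mp3", ".jpg", ".jpeg"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in 3-2-4 form, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap test that separates card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for card numbers and SSNs found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card_number", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings


def check_outbound(msg: EmailMessage) -> dict:
    """Apply the policy to one outbound message; return the action and the evidence."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    domains = {addr.rsplit("@", 1)[-1] for addr in recipients}
    external = {d for d in domains if d != CORPORATE_DOMAIN}
    personal = external & PERSONAL_WEBMAIL

    findings = []
    # Text parts only; a production gateway also extracts text from documents and archives.
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            findings += find_sensitive(part.get_content())
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            findings.append(("blocked_attachment", name))

    has_blocked = any(kind == "blocked_attachment" for kind, _ in findings)
    has_secret = any(kind in ("card_number", "ssn") for kind, _ in findings)
    if has_blocked or (has_secret and external):
        action = "block"        # stop at the gateway; administrator is notified
    elif has_secret or personal:
        action = "quarantine"   # hold for review: internal leak or forwarding to webmail
    else:
        action = "deliver"
    return {"action": action, "external": sorted(external),
            "personal_webmail": sorted(personal), "findings": findings}


def build_message(to: str, body: str, attachment_name=None) -> EmailMessage:
    """Constructed sample message (not a real captured mail) for exercising the check."""
    msg = EmailMessage()
    msg["From"] = "alice@" + CORPORATE_DOMAIN
    msg["To"] = to
    msg["Subject"] = "Q3 figures"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    leak = build_message("bob@example.com, alice.home@gmail.com",
                         "Card on file: 4111 1111 1111 1111. Applicant SSN 123-45-6789.",
                         "update.exe")
    print(check_outbound(leak))
    print(check_outbound(build_message("bob@example.com", "Minutes are in the shared folder.")))
```

Scanning only text parts is the deliberate simplification: a real gateway also extracts text from office documents, PDFs and archives before matching. The Luhn step matters in practice, because a bare 13 to 19 digit pattern flags order references and phone numbers and buries the administrator in false alerts; the block/quarantine split mirrors the two options the paper gives, so an administrator can be notified on a block and review the quarantine.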
Legal role
The in-house or external legal department ensures that the AUP is in line with legal and compliance requirements, and will advise HR to amend it if regulations change.
Summary
While the threat of spam and malware is usually linked to inbound emails, an organization’s own users can often cause just as much or more damage through the emails they send or share.
Employees can be responsible for data leakage, the dissemination of inappropriate or offensive content, and consuming bandwidth through the unnecessary sharing of files, each of which represents a considerable threat to the email network. To ensure that employees recognize these risks, organizations should implement a comprehensive email acceptable use policy which, to be effective, requires enterprise-grade security solutions for the gateway, the email server and all endpoint computers.
APPENDIX
Acceptable Use Policy for email*
*This is an example only. You should seek formal legal guidance when developing your own AUP.
- Overview
The use of email by users is permitted and encouraged when it supports the overall business objectives
of [organization name]. This policy defines what [organization name] considers an appropriate and
inappropriate use of the email system and sets out what action [organization name] will take in
order to ensure and enforce appropriate use.
The overall objectives of this policy are to comply with all applicable laws and industry regulations, to
encourage a safe and pleasant working environment for all users, to minimize email service disruptions and to
prevent unnecessary strain being placed on [organization name]’s IT resources.
- Scope
This policy applies to all users – employees, contractors, consultants, temporary staff and other workers –
who can gain access to email systems owned by [organization name]. It applies to all equipment owned by
[organization name] and covers all email records.
- Appropriate use of email
a. Email users are expected to check their email accounts and respond to messages on a regular basis.
b. Users should use the email system to send and receive relevant business information which is in line with
the responsibilities set out in their job descriptions.
c. Users should use email to communicate with fellow employees, customers, clients, business partners and
other key stakeholders of the business.
d. All email correspondence should be courteous and professional, and users should take care to ensure
correct spelling and grammar.
e. Users are expected to manage their mailbox by organizing messages and by deleting emails that are no
longer required.
f. All emails should include a signature. This should include the sender’s email address, telephone number
and [organization name]’s web address.
g. All emails should include [organization name]’s approved disclaimer.
h. Personal use of [organization name]’s email system is permitted unless it impacts on the user’s
ability to fulfil his or her job description, or if it prevents other users from utilizing the email system.
- Inappropriate use of email
a. Confidential business information must not be emailed outside [organization name]. Neither should it
be forwarded to unauthorized departments or unauthorized personnel within [organization name].
b. The use of email for illegal or unlawful purposes, including (but not limited to) fraud, libel, harassment,
the spreading of computer malware or obscene/defamatory content, is prohibited.
c. Users must not use email to propagate computer viruses. Users should also not open unsolicited or
unexpected file attachments, which often carry malware.
d. [organization name]’s email system should not be used for personal business purposes or to broadcast
personal opinions on political, religious or other non-business critical matters.
e. Users must not store file attachments in their mailboxes. All files should be stored at the appropriate
location on [organization name]’s shared network.
f. Users should not "cc" or "bcc" multiple recipients unless there is a proven need to do so.
g. Users must not store any personal emails or personal files sent via email on their work computer or on
[organization name]’s shared network.
h. Users must not access the email system from their own personal computers or email devices, from
public computers, or over the public internet or public Wi-Fi networks, unless these devices and networks
comply with [organization name]’s IT security specifications.
- Monitoring and enforcement
[Organization name] has the right to monitor all email messages passing through, or stored within, its email
infrastructure, and deploys monitoring technology to ensure all users adhere to this policy. Users should
be aware that authorized IT, HR and legal personnel at [organization name], may – from time to
time – access user emails. If, as part of this process, non-compliant emails are discovered, these messages
will be retrieved and can act as evidence in disciplinary or legal proceedings.
- Procedure for reporting misuse
Allegations of misuse of [organization name]’s email resources should be immediately reported to [insert
name and contact information of designated person in HR]. Users reporting misuse should also provide a
copy of the non-compliant message to the above person. Users should not forward the email to any
other person, and must not reply to or delete the message.
- Sanctions for non-compliance with this policy
Failure to comply with this policy will invoke disciplinary procedures. These include warnings (verbal and
written), the withdrawal of email access and termination of employment. If appropriate, legal action will also
be taken.
Further details of these procedures are provided in [organization name]’s disciplinary code [insert title].
- Signature
I confirm I have read and understand [organization name]’s Acceptable Use Policy for email.
NAME:
SIGNATURE:
DATE:
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides data protection products including security, encryption, antivirus and anti-malware software.
Article source: https://articlebiz.com