Personal Web-Based Email Puts Enterprise at Risk

IT managers who allow their users to access personal email accounts via Web-based sites are putting their companies at risk, according to experts.

“If companies are allowing employees to use personal email tools, but not retaining those messages, they could be facing serious legal and regulatory trouble,” says Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio. “Email today is the electronic equivalent of DNA evidence. If there is a lawsuit, you can take it to the bank that email will be subpoenaed.”

In fact, a 2004 Workplace Email and Instant Messaging Study, co-sponsored by the ePolicy Institute and the American Management Association, found 21 percent of the 840 U.S. businesses surveyed had employee email and instant messages subpoenaed in the course of a lawsuit or regulatory investigation.

Flynn says courts are not discriminating about whether the emails were sent via personal email accounts or business email accounts. “They want all business-related emails that are being transmitted by employees,” she says. Not producing these emails could result in a “five-to-six-figure fine”.

This puts companies that allow access to popular Web-based services like Google’s Gmail, Microsoft’s Hotmail, AOL and Yahoo Mail on the hot seat.

“How many legitimate business records are escaping the company system via these services, and won’t be available if the company gets involved in a lawsuit?” she says.

Web and security experts agree the use of personal Web-based accounts is a problem for companies under strict compliance and regulatory rules, such as the Sarbanes-Oxley Act of 2002, as well as those trying to protect intellectual property.

“It’s about risk minimization,” says Mark Gibbs, founder of Gibbs & Co., a Web and network consultancy in Ventura, Calif. “Can you fully defend your compliance? If you are allowing the use of personal Web mail, you are introducing a whole new realm of risks.”

Policy and Enforcement

Gibbs says companies must decide if they’re going to take a soft or hard approach.

“If you go for the hard approach, then you’ve decided you are not going to let them access those accounts and you have to make your network bulletproof,” he says.

This requires a two-pronged approach that includes clearly stated policies and advanced monitoring, blocking and filtering technology.

First, he says, you should develop and articulate a policy to all employees regarding the use of personal email. You should have a written statement that clearly says employees cannot use Web-based email from inside the corporate envelope, Gibbs says.

Joel Snyder, senior partner at Opus One security consultancy in Tucson, Ariz., agrees. “Make sure you not only have a policy, but that you explain to employees why you have a policy,” he says.

According to the 2004 ePolicy Institute/AMA study, 37 percent of organizations surveyed were unclear about the difference between an electronic business record and an insignificant message. Flynn says this indicates that companies need to clearly understand what information is important to them and would pose a risk if it were to get out.

She says it’s critical for companies to make employees aware of the risks involved in everyday communications, adding that companies have to put muscle behind their policies. In the survey, although 79 percent of companies have a written email policy in place, only 25 percent terminated employees for violating that policy.

Flynn says companies often are unclear about what constitutes personal use. Executives must set guidelines about how much time users can spend on personal messaging, via what systems, and with whom they can communicate.

To make sure these rules are being enforced, she recommends companies put in place sophisticated monitoring and filtering tools.

Gibbs suggests employing software to block popular mail service Web sites. He also says IT managers can use tools that perform on-the-fly keyword monitoring to ensure that messages do not contain sensitive information.

Some IT groups employ virus scanners to keep an eye on personal messaging, but Snyder warns that “most, if not all” of these tools don’t handle Web-based email very well. Instead, he says some of the free tools, like Snort, might be better suited to examine these packets. He adds that companies could force all outbound HTTP/HTTPS traffic through a proxy as a safeguard.

Flynn says organizations that can’t afford the risks associated with any kind of personal email use should ban it altogether.

“The risk, in terms of lost business records and lost productivity and lost intellectual property, far outweighs any argument anyone would give in terms of giving employees flexibility. There is just no reason for employees to have to access personal email tools in the office,” she says.
