Risk Management Blog - ClearRisk

How to Protect your Company’s Communications with E-mail Policy

Posted by Craig Rowe on Wed, Sep 9, 2009 @ 15:09 PM

In the wake of a large-scale online denial of service attack made possible through the hacking of personal e-mail accounts, we asked the LinkedIn community if employees should be able to use external e-mail addresses for work-related communications. We share their views and insights with you below.

Not only does the use of external e-mail addresses pose the significant security risk of a breach, but it also complicates ownership of content. When outside e-mail addresses are used for work-related communications, company intellectual property slips out of the control of the organization. The organization’s ownership over all things created at work becomes compromised. Beyond ownership, the company must bear responsibility for the information that is transferred via external e-mail.

When external e-mail addresses are used for work communications, the company loses the audit trail that would be possible with internal company e-mail. Should any situation arise that requires reviewing past e-mails that have been sent or received, the company has no way to access communications facilitated by an outside e-mail address.

So, what is the solution proposed by our LinkedIn respondents?

They suggest that the onus rests with the organization to provide internal e-mail addresses that are remotely accessible. With secure, remote accessibility, employees can maintain the responsiveness asked of them without providing an opportunity for any breach that may jeopardize the organization’s survivability.

Whatever risk management policy is chosen, the organization will then need to formalize and enforce it, and retain responsibility for those e-mails and messages that are deemed to be company communications.

A clear and concise e-mail use policy will make employees aware of the organization’s position on:

  • Acceptable Use: What e-mail should be used for, and how these acceptable communications should occur.
  • Prohibited Use: What should be avoided and what will bring about disciplinary action. It can be expected that every organization will communicate that company e-mail will not be used to create or send disruptive or offensive messages.
  • Personal Use: All organizations should outline if personal e-mails are allowed and how these personal e-mails should be stored.
  • Monitoring: If this is the organization’s position, the policy should state that employees have no expectation of privacy in the e-mails they send, receive or store on the company’s e-mail system.
  • Enforcement: Employees should be made aware that violations of the policy will result in disciplinary action.

As we’ve always seen in our past LinkedIn questions, the experiences and views shared by the community made for a great discussion. With that said, there’s nothing like a real-life example to drive home a point.

Do you have an example of a situation where e-mail use resulted in a loss or where risk management prevented or mitigated such a loss?
