Email is perhaps the primary source of business communication today. Every day there are over 100 billion business emails sent daily. This figure is expected to grow to 132 billion by 2017. Other Internet-based communications channels – such as Instant Messaging and Social Media – are experiencing rapid growth within business. It is important that an organisation can control the flow of information both within and external to the organisation as well as capture the intelligence held within these communications formats.
What are the risks?
Because of the open nature and ready availability of Internet services, such as email and Instant messaging, there are a number of potential dangers. These include:
Compromising information security
The internet and email are the most common source of computer viruses, malware, spyware and other malicious code. Infected files could be unwittingly downloaded from the internet, or contained in email attachments. Any deliberate file downloads must also comply with relevant copyright or licensing regulations.
Creating Information Overload
Most email services operate via a central server that forwards on email messages – with corresponding attachments – to everyone on the email distribution list. This results in everyone on the list receiving a copy of the email and any attachments. Often the recipient will allow the email to remain within their in-box – some even use their inbox as a form of filing system. This inevitably leads to many duplicate copies of a document within the organisation and, over time, significantly increases the potential for different versions of the same document. In addition, it is very easy for an email message to be forwarded on to additional recipients who were not on the original distribution list.
Compromising personal data
Misuse of Internet services or email is likely to contravene one or more of the computer use or data protection legislation that most countries or regions have in place. Emails and Instant messages that include personal, sensitive or confidential information represent a risk – both legal and reputation – to the organisation.
Compromising record retention
The information held within Internet services and email has to be accessible, searchable and retrievable in the same way as any other piece of unstructure data within the organisation. The proliferation of emails within he corporate network means that an eDiscovery process may need to analyse millions of email records. In addition, if auto-delete is set important information may be lost which later proves necessary for the organisation.
What should an organisation do?
A comprehensive range of policies and procedures need to be created that covers:
The Internet is a vital business tool for most organisations and it’s use for work-related research and communications is commonplace. However, an organisation should govern how an employee uses the Internet, the type of sites that are acceptable to access and how they are able to download files and documents from the Internet. In addition, the organisation should monitor usage and track which internet sites have been visited to ensure that subject matter and content is deemed to be appropriate.
Every user within an organisation should clearly understand corporate policy for the usage of email. Private, personal and confidential information should only be sent when absolutely necessary and under controlled circumstances. Employees should be discouraged from using their business email for personal correspondence. In addition, a corporate policy should be established for the treatment of attachments within emails and employees made aware that no attachment should ever be opened unless it has been virus checked.
Where it is essential to send and share confidential and personal information, the email should feature some form of security. At the very least, most mail packages feature encryption to ensure that confidential or sensitive messages can only be opened by known and authorised recipients. Much more secure and sophisticated technology is available but there are cost and training implications attached.
Nothing should ever by stored in an email client unless there is a very good reason. Authorised attachments should be downloaded and saved into the corporate file structure. Employees should not forward on attachments unless absolutely necessary. As soon as possible, the email should be deleted from the client system and from the central server if it meets the requirements of defensible disposal.
- Monitor and manage employee Internet access
- Strictly control files and documents downloaded from the Internet
- Ensuring adequate firewalls and virus checking is place
- Ensure email is part of your Records Management process
- Ensure information within emails can be identified, accessed and searched
- Ensure personal and confidential information is secure
- Ensure nothing is stored in email unless absolutely necessary
- Ensure information is removed from email at the earliest possible point
- Ensure email is deleted quickly as long as it meets your disposal criteria
- Ensure the same policies are applied to Instant Messaging and Social Media