Personal Web-Based Email Puts Enterprise at Risk

IT managers who allow their users to access personal email accounts via

Web-based sites are putting their companies at risk, according to

experts.

”If companies are allowing employees to use personal email tools, but

not retaining those messages, they could be facing serious legal and

regulatory trouble,” says Nancy Flynn, executive director of the ePolicy

Institute in Columbus, Ohio. ”Email today is the electronic equivalent

of DNA evidence. If there is a lawsuit, you can take it to the bank that

email will be subpoenaed.”

In fact, a 2004 Workplace Email and Instant Messaging Study, co-sponsored

by the ePolicy Institute and the American Management Association, found

21 percent of the 840 U.S. businesses surveyed had employee email and

instant messages subpoenaed in the course of a lawsuit or regulatory

investigation.

Flynn says courts are not discriminating about whether the emails were

sent via personal email accounts or business email accounts. ”They want

all business-related emails that are being transmitted by employees,”

she says. Not producing these emails could result in a

”five-to-six-figure fine”.

This puts companies that allow access to popular Web-based services like

Google’s Gmail, Microsoft’s HotMail, AOL and Yahoo Mail on the hot seat.

”How many legitimate business records are escaping the company system

via these services, and won’t be available if the company gets involved

in a lawsuit,” she says.

Web and security experts agree the use of personal Web-based accounts is

a problem for companies under strict compliance and regulatory rules,

such as the Sarbanes-Oxley Act of 2002, as well as those trying to

protect intellectual property.

”It’s about risk minimization,” says Mark Gibbs, founder of Gibbs &

Co., a Web and network consultancy in Ventura, Calif. ”Can you fully

defend your compliance? If you are allowing the use of personal Web mail,

you are introducing a whole new realm of risks.”

Policy and Enforcement

Gibbs says companies must decide if they’re going to take a soft or hard

approach.

”If you go for the hard approach, then you’ve decided you are not going

to let them access those accounts and you have to make your network

bulletproof,” he says.

This requires a two-pronged approach that includes clearly stated

policies and advanced monitoring, blocking and filtering technology.

First, he says, you should develop and articulate a policy to all

employees regarding the use of personal email. You should have a written

statement that clearly says employees cannot use Web-based email from

inside the corporate envelope, Gibbs says.

Joel Snyder, senior partner at Opus One security consultancy in Tucson,

Ariz., agrees. ”Make sure you not only have a policy, but that you

explain to employees why you have a policy,” he says.

According to the 2004 ePolicy Institute/AMA study, 37 percent of

organizations surveyed were unclear about the difference between an

electronic business record and an insignificant message. Flynn says this

indicates that companies need to clearly understand what information is

important to them and would pose a risk if it were to get out.

She says it’s critical for companies to make employees aware of the risks

involved in everyday communications, adding that companies have to put

muscle behind their policies. In the survey, although 79 percent of

companies have a written email policy in place, only 25 percent

terminated employees for violating that policy.

Flynn says companies often are unclear about what constitutes personal

use. Executives must set guidelines about how much time users can spend

on personal messaging, via what systems, and with whom they can

communicate.

To make sure these rules are being enforced, she recommends companies put

in place sophisticated monitoring and filtering tools.

Gibbs suggests employing software to block popular mail service Web

sites. He also says IT managers can use tools that perform on-the-fly

keyword monitoring to ensure that messages do not contain sensitive

information.

Some IT groups employ virus scanners to keep an eye on personal

messaging, but Snyder warns that ”most, if not all” of these tools

don’t handle Web-based email very well. Instead, he says some of the free

tools, like Snort, might be better suited to examine these packets. He

adds that companies could force all outbound HTTP/HTTPS traffic through a

proxy as a safeguard.

Flynn says organizations that can’t afford the risks associated with any

kind of personal email use should ban it altogether.

”The risk, in terms of lost business records and lost productivity and

lost intellectual property, far outweigh any argument anyone would give

in terms of giving employees flexibility. There is just no reason for

employees to have to access personal email tools in the office,” she

says.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020