Unintentional Employee Misuse Top Driver for Enterprise E-Mail Risk

Chris Bradley
October 6, 2008 | COMMENTS

A recent survey by MessageGate has identified the top drivers for rising enterprise e-mail risk. The research shows that employee e-mail misuse and inadequate enterprise e-mail controls are the primary forces behind an increase in unnecessary enterprise risk vulnerability.

“Enterprises continue to focus solely on education programs to change their employees' casual attitude and behavior surrounding e-mail,” says Brian Babineau, senior analyst with Enterprise Strategy Group (ESG). “Unfortunately, there needs to be more done as the informal nature of e-mail is ingrained within today's workforce and can create unnecessary risk. Organizations must find ways to leverage technology to implement and consistently enforce enterprise e-mail controls and usage policies to provide insurance against momentary judgment lapses and unintentional security breaches.”

According to data from activity profile customer audits, the top drivers increasing enterprise e-mail risk include:

Employee E-Mail Misuse

Employee misuse remains the top issue driving enterprise e-mail risk. Employee comfort with e-mail causes misuse and mistakes that are easily avoided. Two examples appear repeatedly in e-mail usage audits:

• Users misaddress e-mail or rely too heavily on auto-complete features, unintentionally leaking sensitive intellectual property or customer data to the wrong audience. Surprisingly, employees take additional caution with credit card numbers, but continue to take unnecessary risks with Social Security numbers and other personal data.
• Employees leverage e-mail to increase efficiency, bypassing established security measures like corporate VPNs. To access files at home, employees send sensitive corporate files to personal web-based e-mail accounts. The web host then indexes the e-mail to its internal servers, exposing the corporate files to unnecessary risk due to insufficient security controls.

Inappropriate E-Mail Abuse

Employees view corporate e-mail as private communication instead of a legal business record. Corporate policies and education programs almost always exist, but little is done to enforce governance. As a result, personal e-mail intermixes with corporate communication that is open to e-discovery regulations. It is common for offensive e-mail to be sent within the enterprise network, exposing the enterprise to potential sexual harassment, discrimination, or other lawsuits.

Insufficient Enterprise E-Mail Controls

Enterprises continue to rely on education policies to change e-mail use, ignoring the casual attitude ingrained in employee behavior. If systems are in place, they typically only include forensic reporting. No action is available within the e-mail stream to enforce enterprise e-mail policies and prevent unintentional misuse or inappropriate abuse.

Rising Regulation Enforcement

Modern enterprises are regulated by numerous mandates, including SOX, SEC rules, FRCP, FERC and countless others. Yet, IT departments still ignore e-mail requirements within the regulations. For example, e-mail controls are not in place to enforce quiet periods or block unauthorized communication between regulated parties. Also, e-mail is archived without proper categorization or management tools, leaving many unable to retrieve regulated e-mail in a timely manner. Mandates are now being enforced with severe consequences. Corporations and its officers are behind held accountable, driving the need to mitigate any unnecessary risk.

Uninformed IT Departments

IT departments turn a blind eye to e-mail use across corporate networks. Most neglect conducting usage audits to find out how enterprise e-mail is being used and abused. Proper policies cannot be implemented or enforced if IT departments do not know what needs to be controlled.

“Corporate e-mail is fraught with risk, generating daily news headlines touting major enterprise e-mail breaches of sensitive corporate intellectual property and customer data,” says Norbert Orth, president and CEO for MessageGate. “It's time for enterprises to manage e-mail risk and accept responsibility for implementing e-mail security controls to prevent sensitive data loss.”

Chris Bradley is VP of Marketing and Business Development at MessageGate, which provides software and services for enterprise e-mail controls. Contact the company at 877-544-8500.