E-Mail Risk Management: Winning the High Stakes of Enterprise E-Mail Controls

E-mail is one of the most mission critical applications in the enterprise today. According to a December 2007 report by the Radicati Group, the corporate user receives an average of 93 e-mails per day, 18 of which contain attachments, and sends 38 e-mails per day. The result is some 183 billion e-mails sent and received each day throughout 2007. As e-mail further becomes a workflow tool, its relevance deteriorates in many ways. Most see e-mail as somewhat of a burden in the work day, despite it being a necessary communications tool. Users are copied and blind copied as both a courtesy and requirement. E-mail has replaced memos, voice mails, and face-to-face meetings as a means of sharing information and getting work done. In fact, according to the META Group, 80 percent of employees prefer e-mail over telephone conversations, citing as the top two reasons the ability to communicate easily with multiple parties and the creation of a paper trail. Other “opt-in” e-mail traffic, such as periodicals, newsletters, order confirmations, and personal e-mails, only adds to the volume of messaging activity.

With e-mail now considered a legal business record, this growing volume of information signals a source of increased legal liability within the enterprise. Underscoring the importance of properly categorized and managed e-mail archives, the Federal Rules of Civil Procedure (FRCP) require that e-mail and other electronic communication be provided in a timely and organized manner during the litigation discovery process. C-level executives must find methods to comply with laws and regulations while keeping capital expenditures and operating budgets at a minimum.
As methods of electronic communications have matured in both functionality and usage, organizations are realizing the benefits from a more connected business world, while at the same time beginning to understand that this type of free-form connectivity and communication comes with inherent risk. This risk forces companies to create and enforce e-mail specific privacy policies. By nature, e-mail is unstructured, meaning there are limited constraints on what can be said, who can be addressed, or what kinds of attachments can be sent. This translates into increased communication risks within the enterprise if proactive measures are not taken to manage the archiving of this information.

A Practical Compliance Framework

Enterprises need to carefully examine electronic communications as a source of risk and accountability in order to regain control over e-mail as a mission critical enterprise asset. To start, any organization in the process of incorporating e-mail risk management needs to identify current e-mail user behavior and its associated risks to structure a customized compliance framework. The auditing process reveals that e-mail activities are difficult to control and even more difficult to anticipate, especially since the purpose, intent, and timing of each message varies from user to user and situation to situation. Organizations struggle to manage the risk of these unconstrained activities by attempting to control what users do and say. Electronic communications are inherently risky given the great difficulty in controlling and anticipating user activity.

No one likes a “big brother” looking over his/her shoulder. As the compliance framework is defined, remember to implement a control system that manages risks where possible and can engage human judgment where required. Legal and IT departments must work more closely together to understand the various forms of data, where they reside and how to access them.
Enterprises must take responsibility for corporate e-mail, just as firms have both inside and outside legal counsel to mitigate risks and address situations as they arise, while brokerage firms have compliance and surveillance organizations. Many companies are turning to e-mail risk management tools with an archive categorization component to address e-mail security risks and empower employee responsibility. This integrated framework can provide real-time information and controls that can be quickly adapted to changing security, regulatory and business requirements and communications risks in a practical manner while reducing operational burden and creating transparency.

Any tool implemented must engage the employee and educate the employee on corporate governance policies and appropriate e-mail use. This means that at the time of hitting send, any violations contained in the e-mail are presented to the employee. The employee must choose whether or not they want to continue and send the e-mail. Not only does this method prevent accidental breaches, it also educates employees on appropriate e-mail behavior, thus reducing the number of future security breaches.

How to Build an E-Mail Compliance and Controls Framework

Although e-mail use is not always black and white, it is important to stress the importance of practical e-mail controls built with archiving compliance in mind as legal regulations continue to evolve. Non-compliant activities impact an organization on many levels, ranging from reputation damage to legal liability to stock price declines. In the wake of recent Wall Street scandals, one leading firm saw its market capitalization decline by more than 25 percent when e-mails were released that revealed the inappropriate and unethical treatment of certain stocks.
Firms that have public trust built into their share price run the risk of substantial declines if non-compliant activity is allowed to occur, and is then made available to the public in the form of e-mails.

Less tangible, but equally important, is damage to reputation and brand. One pharmaceutical firm learned this the hard way after inadvertently releasing names and e-mail addresses of a group using an e-mail reminder service. The service sent an e-mail when it was time to take or refill a prescription for an antidepressant. Almost 700 people had their names and e-mail addresses disclosed when their information appeared in the “To” field of an e-mail reminder. The costs extended to fines and sanctions imposed by regulatory authorities.

Regulatory compliance is moving from being necessary to do business, to being essential to stay in business. The time has come for practical enterprise e-mail controls to become a strategic business priority as well. In many cases, judgment is required to make the final decision on what is or is not allowable or acceptable. While not all messages are at risk, taking responsibility for enterprise e-mail means meeting compliance head-on. It's critical to provide users with relevant information about what is or is not compliant.

Enterprises can proactively manage e-mail risks and costs by adjusting archiving policies to filter areas of exposure against incoming threats and to eliminate non-business e-mail and duplicates from the archive before they become legal business records. Without a sound archive categorization component in place, simply archiving all e-mail files can spell a recipe for disaster. Electronic discovery of e-mail is an unfortunate (and expensive) business reality in today's business climate. The Federal Rules of Civil Procedure (FRCP) place strict timelines on when e-discovery materials must be presented—including e-mail.
Companies should plan on spending between $1 and $3 per e-mail recovered and reviewed during the course of litigation. Regardless of whether claims are frivolous or unfounded, companies must be in a position to defend and to respond efficiently.

Faced with the above realities on an ongoing basis, in order for practical e-mail control policies to be effective, a system that manages electronic communications must provide intuitive, user-focused interfaces to provide the right information at the right time and in the right amount. Implementing enterprise e-mail risk management is a strategic priority that requires business driven policies and a flexible technology deployment to enforce them. There are message compliance opportunities that apply to every individual in an organization, as well as specific business or regulatory policies that may apply to a few individuals.

With the formation of security councils, companies are seeking to manage risk while maintaining employee privacy in corporate e-mail communications. By developing a set of processes and implementing technology solutions that enable organizations to gain control of massive volumes of e-mail, security councils can reduce risks associated with e-mail and other messaging applications. FRCP and other e-mail-derived risks are driving the need for cross-functional attention and an agenda for action. Companies can no longer ignore e-mail-related risks and must take proactive measures to safeguard intellectual property, maintain shareholder value, and prevent embarrassing headlines. The key is to start with the issues that are most pressing from a business perspective, and evaluate how they might translate into policies to enforce in electronic communications. Only then can enterprises build an effective compliance framework that works with users, not against them.

Chris Bradley is vice president of marketing and business development for MessageGate, a provider of e-mail controls for enterprise risk management.