Making an email policy work

THE misuse of email systems by staff is by far the most common email security problem.  The potentially devastating consequences associated with the abuse of company email systems highlights the critical importance of developing and implementing a comprehensive email security strategy.

Such a strategy will compulsorily employ a two-pronged approach in which a highly specific email usage policy is combined with the implementation of appropriate technology solutions.

A 2002 survey commissioned by content security solutions company, SurfControl, found that 69 per cent of all IT staff canvassed admitted they were prepared to open ‘suspicious’ emails, with 42 per cent willing to circulate the contents to friends and colleagues. Employee behaviour of this kind is often the result of ignorance on the part of employees as to the potential consequences for themselves, the recipient and most importantly, the company.

An email usage policy, therefore, is very much a pro-active document in that it can prevent significant amounts of ‘thoughtless’ email abuse.

An email policy might clearly state, for example, that the distribution of a tasteless joke or image, even if done without malicious intent, may cause great offence to intended and unintended recipients, exposing both the sender and company to serious consequences.

For many employees, such specificity in regards to what constitutes unacceptable use of company email systems can lead to a noticeable cessation in such activity.

There will always be those, however, for whom a broadly stated email policy will have little impact on the desire to use company email systems inappropriately.  To be effective in these circum-stances an email policy must necessarily meet a number of key requirements.

A legal briefing entitled, ‘Misconduct in E-mail and Internet Use at Work’, published by the Australian Government Solicitor (AGS) in February 2001, lists these requirements as part of a detailed examination of email regulation and Internet use in Commonwealth departments and agencies.

The requirements specified in the AGS document act as a valuable guide to the formulation of a robust email policy. The requirements include:

• create a clear Internet and email policy and issue directions concerning compliance;
• distribute the policy and directions to all staff and ensure that they are understood;
• identify with specificity the type of personal access allowed, both as to the time, duration and sites permitted – statements such as for ‘work-related purposes’ may be too general;
• explain to staff how misuse impacts on productivity;
• inform staff that email and Internet use is not secure or private even if it is deleted and explain how it is being monitored;
• explain how misuse may impact on the legal liability of the organisation and the reputation of the organisation;
• explain enforcement methods, that is, if all email and Internet use by all employees will be audited at regular intervals, whether it will be by random checks or whether it will be only when a complaint is received;
• warn staff about the consequences of contravention and the possibility of termination of employment;
• gather evidence of possible breaches carefully;
• administer the policy and directions in a consistent way and update the documents when necessary;
• explain the obligations under anti-discrimination legislation, giving examples; and
• ensure staff attend appropriate training and keep records of who attends. (Source: www.ags.gov.au.)

These key elements act as a checklist when designing an email policy for implementation within the workplace environment.

Making the policy concise

In addition to general statements regarding the use of company email facilities, the policy document should also provide specific compliance guidelines, an explanation of enforcement procedures to be used and a clear articulation of the consequences resulting from policy infringement. If any of these items are worded ambiguously, or too broadly, then enforcement becomes difficult, if not impossible.

Make the policy easily understood

State policies, guidelines, enforcement procedures and infringement consequences using everyday language. Avoid technical or administrative jargon that may only serve to cloud the message. Employ diagrams, symbols, charts and similar techniques to make the message clearer. Provide the name and contact number of a company representative appointed to provide further assistance and information if required.

Make the policy prominent

Don’t bury the policy document deep in a company handbook where it is unlikely to ever be viewed. Place it where it will be seen frequently by all employees. This might take the form of a message screen that appears each time an employee starts their computer or uses an application. The policy can also be posted on the company Intranet and even as a poster prominently displayed in office areas.

Update the policy regularly

Technology and circumstances change almost constantly. An effective email policy must therefore adapt commensurately. Previously acceptable email practices, for example, may have to be discontinued as a result of a legal decision taken against another company. The emergence of new threats in the form of computer viruses and spam may also necessitate alterations in an organisation’s email policy.

Provide staff with information and training

The provision of information and training to staff in regards to email policy and procedure is vital, for a ‘security conscious’ employee culture is one of the greatest assets a company can possess. To this end, compliance to company email policy will be substantially higher when employees are made fully aware of the threats ever present in the online environment, as well as the potentially devastating consequences of transgression, both for themselves and their employer. Such an approach will serve to ensure that employees come to understand that an email policy is not an attempt to place them under a dictatorial regime, but rather, a necessary measure to protect everyone from the well-documented downside of the digital age.

Vincent Brown is an IT lecturer and writer based in Perth. His website is located at www.iprofessional.info