IT organizations that allow users to access personal email accounts from inside the corporate network infrastructure are placing their corporations at risk on several fronts. However, despite these risks the use of personal email accounts has become a widespread practice, and it would appear that many IT managers and executives are even unaware of the implications.
According to an informal survey conducted last month by Computer Economics, most IT organizations have not addressed this situation. We asked IT professionals the following question: “Does your organization allow employees to access personal email (e.g., Gmail, Hotmail, Yahoo Mail) from within the corporate network?” Although not a scientific sample, the results are interesting and suggestive of broad trends.
As Figure 1 indicates, only 17% of all organizations have a policy against the use of personal email from within the corporate network and also have mechanisms in place to monitor and/or block its use. Another 7% have a policy against the use of personal email, but do not monitor or block its use. Most disturbing, over three-fourths of all respondents have no policy against this practice at all.
While it may seem a trivial point at first blush, the issues surrounding the tolerance of personal email within the corporate network can be far reaching. According to the 2004 Workplace and Instant Messaging Study, co-sponsored by the ePolicy Institute and the American Management Association, over one-fifth of the 840 U.S.-based companies surveyed had employee email and instant messages subpoenaed in the course of a lawsuit or regulatory investigation (ref. http://www.epolicyinstitute.com/survey/survey04.pdf).
Good Things Leaking Out
The first problem with allowing personal email from within the corporate network is that it represents a path through which trade secrets and other intellectual property can leave the organization with no record or audit trail concerning the correspondence. Many companies have adopted an HR policy that explicitly allows the employer to monitor employee email traffic. But if the organization does not monitor or block the use of personal email accounts, the email monitoring policy is effectively nullified.
Bad Things Sneaking In
A second problem is that personal email may be an avenue through which non-business-related content may enter the corporate network. Although most personal email providers take appropriate actions to screen malware from their systems, such controls may be less stringent than those required for corporate networks. Even if malware is blocked by the personal email provider, personal email accounts may be an avenue through which music files, jokes, chain letters, spam, and other distractions may enter the workplace.
Losing Control of Business Records
A third problem with the use of personal email from within the corporate network stems from the fact that employees will sometimes use such accounts to send both personal email and business email. Regardless of its origin, emails sent from behind the corporate network firewall can be considered the responsibility of the company. Thus, an email sent from a personal email account in this manner can be subject to a subpoena. However, personal email is seldom tracked and is even less likely to become part of the company’s official records. Should a legal issue arise, the inability of the company to produce all emails sent or received on the matter at hand can have severe legal implications and the fines involved can quickly reach six figures.
Additionally, the 2004 ePolicy Institute/AMA study pointed out that many executives are unclear as to what represents a risk from the perspective of personal email accounts. The study showed that almost 40% of the respondents were unclear about the difference between a bona fide electronic business record and an insignificant message. Clearly, many companies are facing not only a tough educational process on this subject, but an even larger task of mitigating the risks involved.
Just Say No to Personal Email Accounts
Most security experts agree that the safest way to manage this risk is to have a policy forbidding the use of personal email accounts while attached to the corporate network. This is a key first step. For companies that have been lax concerning the use of personal email accounts, the policy is likely to be unpopular at first. Therefore, it is important to educate all email users concerning the reasons for this policy and that the violation of this policy is grounds for discipline.
Of course, the policy is of no real value unless security measures are automated to minimize the risk and monitor possible violations. While automating security policies is no easy task, companies that are facing regulatory requirements such as those imposed by Sarbanes-Oxley may have little choice. There are advanced blocking and filtering tools available that can eliminate most of the risk, and by adding other safeguards, such as routing all outbound HTTP/HTTPS traffic through a proxy server, an even tighter level of control can be imposed.
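To make the monitoring side concrete, the following is an added example (not code from the original article) that scans Squid-style proxy access log lines for requests to personal webmail hosts and reports, per user, which were allowed and which the proxy denied; the log format, the webmail domain list and the sample lines are assumptions constructed for illustration.

```python
"""Added example: flag personal-webmail access in proxy access logs.

Not code from the original article. Assumes a Squid-style access.log where
each line is: timestamp elapsed client_ip result/status bytes method url
user hierarchy/peer content_type. The domain list is an illustrative
assumption; a real deployment would maintain it from a category feed.
"""
import re
from collections import defaultdict

# Assumed webmail domains (the article names Gmail, Hotmail and Yahoo Mail).
WEBMAIL_DOMAINS = ("mail.google.com", "gmail.com", "hotmail.com",
                   "outlook.live.com", "mail.yahoo.com")

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
1170000001.123    312 10.0.0.15 TCP_MISS/200 8120 GET https://mail.google.com/mail/ jdoe HIER_DIRECT/- text/html
1170000002.456     98 10.0.0.15 TCP_HIT/200 2048 GET http://www.example.com/ jdoe NONE/- text/html
1170000003.789    201 10.0.0.22 TCP_MISS/200 5120 CONNECT mail.yahoo.com:443 asmith HIER_DIRECT/- -
1170000004.012    150 10.0.0.22 TCP_DENIED/403 1200 GET http://hotmail.com/inbox asmith HIER_NONE/- text/html
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<ip>\S+)\s+(?P<code>\S+)\s+"
                     r"\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)")

def host_of(url):
    """Extract the hostname from a URL or a CONNECT host:port target."""
    url = re.sub(r"^[a-z]+://", "", url)
    return url.split("/", 1)[0].split(":", 1)[0].lower()

def is_webmail(host):
    """True if host is, or is a subdomain of, a listed webmail domain."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)

def find_webmail_access(log_text):
    """Return {user: [(host, blocked), ...]} for every webmail request seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = host_of(m.group("url"))
        if is_webmail(host):
            blocked = m.group("code").startswith("TCP_DENIED")
            hits[m.group("user")].append((host, blocked))
    return dict(hits)

if __name__ == "__main__":
    for user, events in find_webmail_access(SAMPLE_LOG).items():
        for host, blocked in events:
            print(f"{user}: {host} ({'blocked' if blocked else 'ALLOWED'})")
```

Requests that reach the webmail host with a non-denied status are the policy violations worth reviewing; denied ones show the proxy rule is working.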
The bottom line is that many companies cannot afford the risks associated with the use of personal email inside the corporate network. As Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio stated in her press release on the 2004 study, “The risk, in terms of lost business records and lost productivity and lost intellectual property, far outweigh any argument anyone would give in terms of giving employees flexibility. There is just no reason for employees to have to access personal email tools in the office.”
While the use of personal email accounts is a real problem for many companies, this discussion doesn’t even touch on what may be an even bigger problem–instant messaging–but that is another story.