Email is a staple of workplace communication. However, without the proper IT policies in place, your business is exposed to unnecessary risk and liability.
Defining Email IT Policies
Email IT policies are a combination of technology-based monitoring and restrictions, paired with corporate documentation and training, that guide employee email communication both internally and externally.
A clearly defined policy serves three business-specific purposes:
- Expectations – A good policy will establish the behavioral expectations of the employer regarding all email sent or received with corporate-owned equipment and services, as well as company email addresses.
- Security – All policies should emphasize the need for users of corporate-owned equipment and company email addresses to apply common-sense awareness of modern cyber-threats. Well-written policies will underscore that it is ultimately up to the user to ensure company equipment and email systems are not leveraged for malicious purposes.
- Liability – A detailed policy reduces a business’s liability by establishing that well-defined expectations, and the consequences that follow if the policy is breached, were clearly spelled out to all users at hiring and routinely throughout their tenure.
Technology Monitoring & Restrictions
Regardless of the infrastructure used to provide email services (cloud, hosted, or on-premises), technology-based monitoring and communication restrictions must be used to ensure compliant business use.
Restrictions should include:
- Suspicious Email – Whether inbound or outbound, all suspicious emails need to be blocked. Blocking suspicious inbound emails will protect the organization from phishing and malware attacks. Blocking suspicious outbound email will safeguard a business’s email domain reputation — preventing it from being blacklisted and interrupting email flow.
- Emails Containing Protected Information – The communication of protected information across digital media is heavily regulated in many industries; HIPAA, SOX, and PCI DSS are the most common examples. Technology restrictions must be in place to monitor for, and prevent the public exposure of, personally identifiable information, financial information, Social Security numbers, private medical information, etc. Failure to comply with these regulations, especially in the wake of a breach, comes with heavy financial penalties.
- Harassing & Unlawful Correspondence – Threats and harassment (cyberbullying) are a well-documented issue in the US that comes with steep fines and penalties, depending on the outcome. Emails containing vulgarity or harassing/threatening language must be monitored for, reported on, and blocked to protect a business from civil and criminal prosecution.
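The three restriction categories above, expressed as a simplified outbound policy check. This is an added example written for this article, not a vendor's or the author's code: it flags SSNs and Luhn-valid card numbers, matches a constructed list of threatening phrases, and decides block/quarantine/allow based on whether every recipient is inside an assumed company domain (`example.com`).

```python
"""Outbound email policy check: protected data and threatening language."""
import re
from dataclasses import dataclass


@dataclass
class Verdict:
    action: str      # "allow", "quarantine" or "block"
    findings: list   # (kind, evidence) tuples for the report


# Constructed patterns for this example; a real DLP engine would add
# vendor dictionaries, document fingerprints and per-industry rule packs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digit runs
THREAT_PHRASES = ("i will hurt you", "you'll regret", "watch your back")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def internal_only(recipients, domain: str) -> bool:
    return all(r.lower().endswith("@" + domain) for r in recipients)


def check_outbound(message: dict, company_domain: str = "example.com") -> Verdict:
    text = f"{message.get('subject', '')}\n{message.get('body', '')}"
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits[-4:].rjust(len(digits), "*")))
    lowered = text.lower()
    findings += [("threat", p) for p in THREAT_PHRASES if p in lowered]
    if any(kind == "threat" for kind, _ in findings):
        return Verdict("block", findings)       # harassment: block and report
    if findings and not internal_only(message["to"], company_domain):
        return Verdict("block", findings)       # protected data leaving the domain
    if findings:
        return Verdict("quarantine", findings)  # internal, but still needs review
    return Verdict("allow", findings)
```

The card number is masked in the finding so the report itself does not duplicate the protected data.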
Additional Items For Consideration
There are several additional items your business should consider when creating a comprehensive policy:
- Training – Many federal regulations require that a business establish and document a routine training program to ensure that all staff members, anyone who may use corporate-owned equipment, and all users of company-owned digital communication systems receive training covering the areas discussed in this article, as well as industry-specific topics.
- Insurance – Even the best plans, policies, and practices cannot account for all eventualities or future threats. Maintaining a sufficient level of liability insurance is the only way to safeguard your business when something unforeseeable occurs.
- Assessment – Certain regulations, such as HIPAA, require an organization to routinely review their policies, training, monitoring systems, and technology used to prevent the communication of protected information or harassing communication. Regulations aside, it is a good idea to, at the least, review your policies and procedures internally on a yearly basis.
- The general acceptance of email by businesses as the go-to tool for internal and external communication requires many companies in various industries to create and enforce well-documented policies to protect themselves, their customers, and their users.
- These policies should include language to cover common issues, such as expectations, security, and liability.
- Further monitoring and restrictions should be implemented to prevent the forwarding of emails which may contain malware or pose a security threat, protected customer information, or harassing or threatening dialogue.
- Additional steps should be taken to ensure all corporate technology users are trained and well-informed regarding their responsibilities, that sufficient liability insurance is in place to protect the business in the event of an unforeseen circumstance, and that the policies, procedures and technologies in place are professionally reviewed on a regular basis.
If you would like to learn more about how email and other IT policies can help protect your business, contact us.