It's a Risky Business! - E-Musings of a Security Consultant
Just met up with an old mate - gosh, I hadn't seen him in ages.
"Let's keep in touch," he said, putting down his latte cup to take
out his business card, "here's my email." "That's great," said I,
wiping sticky chocolate fingers on the red paper napkin, taking
his card and passing him mine. Had to rush back to work for a meeting.
So that was that.
Email is a great way to stay connected with people, and if you
don't have email at home there's always email at work. In fact,
many of us don't think twice about using our work email for personal
correspondence. Think about it: Do you give out your corporate email
address to friends and family? Do you ever send off that quick email
to a friend's work mailbox?
Well, and why shouldn't you anyway? All around the world, organisations
allow their staff some personal use of the corporate email systems.
At first glance, this seems very much like the use of a company
telephone to make a private call, or like sending a private letter
via the firm's mail system: it's a privilege every employee appreciates,
at very little cost to the employer … or is it?
Let's take a closer look, but from a different angle: the What If.
As you sit at your office desk, getting a phone call from a friend
inviting you to a stag night is one thing. Receiving an emailed
invitation to the same party could be quite another - when it comes
to What If.
What If is about something with a consequence - it's about risk.
Corporate Risk Management, by the way, is this author's bread and
butter. (Or is it his chocolate slice and decaf latte?) Consider
the business risks an employer faces through staff personal email
use and perhaps you will agree that the POTENTIAL business cost
is more than the few extra cents of the network cost. It is not
about sending or receiving personal email as such. It is about the
content of these emails. While you are obviously able to control
what you personally send out, you cannot control what comes in -
or what your staff decides to forward on to their friends behind
their desks. And boy can it be embarrassing not just for you but
also for your organisation! I am talking about what is termed "inappropriate".
In recent years, inappropriate material that ended up on corporate
IT networks has frequently resulted in public embarrassment of these
organisations. Generally, "inappropriate" material or
content includes chain mail ("send this message to 13 of your
friends and your wish will have come true by next Friday")
and the mass distribution of lovers' tiffs or of descriptions of
an employee's love/sex life. It also includes sexually or otherwise
offensive text or images, and the distribution of explicit hard-core
pornography, possibly of an illegal nature.
Now: Remember that each email message contains: the COMPANY NAME,
and the NAMES of the EMPLOYEES and, quite possibly in the case of
chain mail, the NAMES of other COMPANIES and their EMPLOYEES. Potential
for lots of embarrassment all around! When you consider the reputation
damage incurred through personal email, and the cost of investigating
such complaints which arise through the abuse of the personal email
privilege, costs quickly increase - we are not talking a few extra
cents now, we are talking tens of thousands of dollars. Take, for
example, the NZ Police investigation last year, and the subsequent
investigations in the 80 government agencies which had been identified
as sending inappropriate email to the NZ Police.
In a recent audit conducted by eRisk consulting ltd using the PixAlert®
Auditor software, email messages with inappropriate content were
found stored within the customer's archive system. This in itself
was not surprising, but what was surprising was the staggering number
of people who had received the messages: over 55,000 email recipients
in many NZ and international organisations. PixAlert audits completed
this year showed that, on average, from each of these customers
inappropriate content had been sent to around 40 other organisations
- along with company name and all. Not the kind of publicity your
organisation strives for!
In New Zealand (and many other countries) we have a culture of
abusing corporate email for excessive personal use. Perhaps it is
time for employers to be more restrictive on how much electronic
freedom we allow staff. This can be achieved by creating an Appropriate
Use Policy for the organisation. But it may also be time to review
the common practice of blocking free email sites from the corporate
network, a practice that virtually forces staff to use corporate
email for personal use. Although this is a two-edged sword, companies
and organisations should consider encouraging staff to use their
personal email accounts for "limited" personal communication with
friends during work time, and to use their corporate email only for
corporate communication.
Some IT security officers may roll their eyes at this suggestion,
their main fear being the introduction of viruses. However, most
good corporate networks should, by now, have comprehensive desktop
anti-virus solutions in place, as well as the accompanying patch
management systems, to ensure viruses are ineffective. That taken
care of, the benefit could be a significant reduction in the volume
of inappropriate material coming into the corporate network. There
is another benefit. Many of us register at websites using our corporate
email address. Unlocking the freemail systems allows staff to register
at websites using their private email addresses instead, which reduces
the risk that their corporate email addresses will be harvested by,
or sold to, spammers.
If you dare to have a look at the risk staff emails expose your
organisation to, you could take the first step and complete an audit
of your email systems, scanning them for inappropriate content with
tools such as PixAlert® Auditor.
Glen McCauley is a Director of eRisk consulting ltd, who specialise
in IT Risk Management solutions and are the NZ distributors for
the PixAlert (www.pixalert.com) product set. Glen can be contacted
on 021 760306 or through email at glen@erisk.co.nz.