Regulatory Resource   Threat Intelligence      Resilient IT      Boardroom Strategies      
Boardroom Strategies / Enterprise Smarts

Effective Email and IM Policies

By Jodi Mardesich

Email and Instant Messaging (IM) are a staple of communications in corporate America, but their use raises all sorts of questions for IT managers. In order to minimize risks, liability, and threats of misuse, experts say it is essential for every organization to develop acceptable use policies for email and IM -- just as many organizations developed policies for Internet usage on the job a few years ago.

The digital equivalent of sending a letter, composed without putting pen to paper, email improves communications between co-workers, customers, and partners, as it arrives virtually instantaneously. Billions of email messages are sent daily. The Radicati Group predicted 183 billion messages would be sent each day by the end of last year. Email volume is expected to almost double in the next four years, with the greatest growth in consumer Web mail -- free Web services accessible from anywhere, from the corporate desktop to email-enabled phones.

IM, an even more rapid form of communication, is also taking off in corporate America. Of the 35% of workers who use IM tools on the job, 50% say they have downloaded free tools from the Internet, often unbeknownst to their employers, while the other half use company-provided IM tools, the Radicati survey found.

Although email and IM are often created and sent more quickly than traditional letters, their content is just as important to an organization, and inappropriate use of email and IM can be devastating. The informal nature of email and IM makes it the equivalent of water-cooler conversation, making it tempting for employees to make inappropriate comments and even share confidential information.

"Workers' email, IM, blog, and Internet content creates written business records that are the electronic equivalent of DNA evidence," said Nancy Flynn, director of the ePolicy Institute.

Half of employees have reported receiving inappropriate email at work, Flynn says. Some 24% of organizations have had employee email subpoenaed, and 15% have gone to court to battle lawsuits triggered by employee email, up from 13% two years ago, according to a survey conducted by the American Management Association and the ePolicy Institute.

Many organizations don't have policies in place
Despite the permanence of the records created by email and IM tools, many companies still don't have policies in place instructing employees on their acceptable use. Flynn says that 76% of companies have a formal email policy, but only 31% have an IM policy in place. Even if an organization has no written email or IM policy, these activities are almost certainly covered by formal policies regarding acceptable employee communications, including prohibitions against sexual harassment or discrimination. Make sure employees know the rules and adhere to them, especially in email and IM, Flynn says. As email and IM use becomes more prevalent in business, it's crucial for CIOs to institute formal policies that mandate how these electronic tools should and should not be used. These policies should also include directives on the use of free, downloaded email and instant messaging services.

Free email and IM tools can increase risk in some ways, especially as a route for viruses, which arrive as email attachments. About 45% of organizations block employee access to public Web mail services at work, according to Gartner. However, CIOs should not necessarily ban employees from accessing personal Web mail accounts from work. Bans are often misguided, says Gartner analyst Peter Firstbrook.

Web mail may not be all business but it can be useful
The most common security justifications for blocking Web mail don't always outweigh the business benefits of employee morale, he says. The major Web mail providers, such as Google, Yahoo, AOL, and MSN, have good security mechanisms, so CIOs should consider letting users have access to them. Running anti-virus software on users' PCs should also safeguard against Web mail virus infection.

Another argument for blocking the use of Web mail is that it typically bypasses mechanisms to enforce regulatory requirements, such as the archiving and monitoring of email records, Firstbrook says. If Web mail and IM access are allowed, CIOs should ensure that the records they create are archived and managed the same as corporate email.

In addition, Web mail may provide a communications backup in case corporate systems go down. And allowing access to Web mail accounts may lessen the use of corporate email to send personal communications and can increase morale.

"Employees tend to resent excessive restrictions on Web access," Firstbrook says. "Blocking Web mail is perceived by employees as a lack of trust in their professionalism."

Writing a policy for email and IM use
Organizations need to follow some basic guidelines when crafting new email and IM acceptable use policies for employees:

  • Find out what's in place Start by polling users and scanning the network to identify the programs employees are using.
  • Decide which tools to allow Determine which are used to meet the needs of the organization and which pose too much risk.
  • Put it in writing Explain acceptable use of email and IM tools, and the repercussions of misusing them. The policy should be "comprehensive, concise, and capable of empowering business units with the information required to make technology decisions," says Matthew Cain of Gartner. It should address employee responsibilities, right to privacy guidelines, security, governance enforcement, and records management, Cain says.
  • Enforce the policy Take the policy seriously by enforcing it. 26% of companies have fired an employee for email misuse, and 2% for misuse of instant messaging.

Email and IM are crucial tools that can improve communications between employees, partners, and customers if used wisely. CIOs should monitor the use of company-provided tools as well as free consumer tools that employees may access from work, and enforce policies regarding acceptable use of email and instant messaging.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon, and Slate.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Articles by Topic
Initiatives
Peers and Superiors
Enterprise Smarts
Related Content

Features

View More


Metrics

View More

Fast Fact

"Workers' email, IM, blog, and Internet content creates written business records that are the electronic equivalent of DNA evidence."

-- Nancy Flynn, director of the ePolicy Institute
Sponsor Tools

Resources

White Papers

View More


Podcast Audio Content

CIO Strategy Center is now available in audio format.

This week's feature topic is:


Preparing for a Disaster
Playtime: 8 min 07 sec



Download | Subscribe

Copyright © 2009 Studio One Networks. All rights reserved.