Email practices are one of the most vexing and pressing concerns for companies. Even though other media are now being adopted, email is still the primary method of business communication. Unfortunately, it also creates inefficiencies and presents tremendous cybersecurity risks.
- Security Challenges
In addition to its primary use as a fast and inexpensive mode of communication, for too many companies, email has become a de facto and eternal data repository for employees who exploit its convenience and the absence of controls. As a result, valuable information assets often reside in email systems. Confidential, protected and proprietary information left in unencrypted inboxes, sent items and other folders poses serious potential security risks.
These risks are compounded by the fact that email is also the primary tool used by hackers to deliver malware, especially ransomware, and to gain unauthorized access to the entity’s networks and information. Some of the most notorious cyberattacks leading to massive data breaches have been the result of phishing emails, and although spam filters help, they most certainly cannot block every malicious email.
Further, companies have not historically considered an information governance (IG) framework when selecting and configuring email systems. Because email systems may not be designed with the information management lifecycle in mind, sub-optimal information management habits, such as saving “everything” in inboxes and folders, can become institutionalized. In addition, the email user interface may not be intuitive, and there may not be adequate functionality to advance cybersecurity goals. The limitations of email functionality also make the application of basic IG functionality like litigation holds, collection for e-discovery, and compliance with records retention and destruction policies inefficient and onerous.
- The Solutions
The good news is that there are some fairly common sense, low-threshold solutions that can be applied to mitigate the risk tied to email. By recognizing existing user habits and incorporating them into email management, it is possible to effectively implement solutions without significantly disrupting the user experience.
Establishment and communication of policies to address common areas of concern is a sensible starting place. Those policies can be leveraged to provide a current state baseline against which future improvements can be measured. For example, companies can develop methods to lower the risk of intrusion from heavily trafficked and/or risky sites by restricting company email to business communication and redirecting users to their own personal communications devices.
Restricting network access to popular public communication and collaboration sites (Gmail, Yahoo!, iCloud, etc.) as part of the newly developed policy serves the additional goal of supporting the ever-increasing efforts by companies to have their business partners adopt their own internal policies as part of a broader data protection strategy.
Another simple solution is to develop and enact an email deletion policy within an IG framework. Such a policy should be developed with input from counsel as well as relevant business and administrative stakeholders to account for legal and regulatory considerations.
User training and education is a critical, yet particularly challenging, point of focus for companies attempting to maximize the effectiveness of these streamlined policies. Taking care to design enduring, bite-sized, accessible and intuitive training and education modules is the most practical way to ensure that the biggest risk—the user population—is well positioned to handle the constant stream of active and passive threats they encounter daily. In effect, entities must strive to reduce the burden on users to understand how to “properly” use systems. To maximize effectiveness, companies need to keep things simple. If desired, companies can supplement their internal efforts with training and awareness programs offered by outside specialists.
For more sophisticated companies, a frequently overlooked solution is to map the Outlook folders that most employees already use to store emails to the document management system (DMS) in their enterprise, with basic guidelines for naming these folders and what goes into them. Once the email-to-DMS mapping is established, this solution becomes a simple but highly effective formalization of existing user behavior.
Influencing software development (not a short-term fix) is not within the control of most enterprises individually, but it can be done more effectively by creating active user groups, ideally with the sponsorship of the software developers themselves. Too often, this type of collaborative and creative approach to design and implementation is overlooked in favor of perceived “quick-fix” approaches.
Unfortunately, entities do not always have an IG framework in mind when selecting and configuring information systems. One of the key results is the preponderance of non-intuitive user interfaces that hinder even the best-intentioned user from observing good information management techniques. This, along with inadequate baseline software functionality (e.g., file management functionality), failure to use predictive-text technology to “auto-categorize” content, and failure to make use of rich metadata to classify information, make it more searchable and aid in its disposition, compounds the information management problem.
To aid in both improving the user experience and fulfilling the goals of structuring a manageable landscape, organizations can promote content management areas that allow systemic collaboration and management, including document management systems, collaboration sites and other platforms, including structured share drives.
Although email systems and practices expose organizations to serious cybersecurity issues, realistic solutions exist. Most critically, even with currently configured email systems, entities can reduce their risks by establishing and enforcing policies to address some of the biggest security threats, and they can support those policies with better training and education to change user behavior.
Co-Author: Bryn Bowen, Director of Information Services at Schulte Roth & Zabel LLP
This article first appeared on Legaltech News on December 8, 2015.