The threat of an employee inadvertently infecting a business computer network via malware received through a work email or instant message is one that most businesses have taken steps to prevent. Even businesses that are small or not very technically savvy have antivirus software, firewalls, and other security measures in place to prevent the costly and sometimes risky issue of an infected network. However, with all the fuss about incoming email, a surprising number of businesses pay little to no attention to the dangers associated with outbound email.

According to a recent study performed by Proofpoint Inc., a California-based security company, possible security risks that stem from lack of protocol related to emails sent from company computers. Concerns such as protection of sensitive data, privacy, legal risks, and embarrassment to the company have inspired many businesses to put in place standards of practice for employees who send email (and there are very few who don’t these days) and to enforce security policies on outgoing messages. Many employers are also concerned about employees posting sensitive information on blogs or message boards. The Proofpoint Inc. study, which focused on businesses in the United States and the United Kingdom that employ more than 1,000 people, gathered information on the following aspects of email security:

1. The level of concern about outgoing email content leaving large organizations
2. The methods and technologies those organizations have used to control or otherwise secure outgoing emails
3. The state of messaging-related policy implementation and enforcement in large organizations
4. The frequency of various types of policy violations and data security breaches

The 2006 study drew from surveys of several hundred “decision makers” from different companies, almost 40 percent of which were in technical, professional, financial, or government fields, who answered questions about their companies’ outgoing email policies. It turns out that many companies actually hire employees to read or check outgoing email to see that it fits standard email protocol. In fact, in the U.S., 38 percent of companies have employees to do this job, and 46.9 percent perform regular audits on employee email content. Through these actions, they have estimated that over 20 percent of outgoing workplace emails contain confidential or other internal business information. Disturbingly, almost 35 percent of those surveyed claim their company was negatively affected by the wrong information leaving via employee email in the past year. Some companies have even had non-public financial information posted online by employees.

However, the companies are not the only ones that suffer from these breaches. The study shows that in the past year, over 50 percent of the employers surveyed disciplined employees for violating email policies. Additionally, 17.3 percent took corrective action over employee violation of blog or message board policy, and more than 7 percent actually fired an employee for their outbound messaging actions.

With more than half of the company representatives voicing concern over the reduction of security risks associated with lax outgoing email practices, Proofpoint suggests that companies create and implement policies dealing with the following issues:

1. An acceptable use policy for email, defining appropriate uses for company email systems
2. An acceptable use policy for blog and/or message board postings
3. An audit vulnerability scanning policy, which gives the company’s information security team the authority to conduct audits and risk assessments, investigate incidents, enforce security policies, and monitor activity
4. An acceptable encryption policy that defines types of encryption used within the organization
5. An automatically forwarded email policy that governs the automatic forwarding of email
6. An ethics policy, defining ethical and unethical business practices, including disclosure rules, conflict of interest rules, and communication guidelines
7. An information sensitivity policy or content classification policy, which reduces the risk of confidential information being leaked to outside parties
8. A risk assessment policy that defines requirements and provides authority for the information security team to identify, assess and take action on possibly risky information
9. An email retention policy that defines guidelines for retaining information in an email