One-Third of U.S. Firms Read Outbound Staff E-mail, Study SaysBy Deborah Perelman | Posted 07-24-2007
Do you know who is reading your e-mail?
Has the fact that there is a good chance that your place of work is reading your outbound e-mail, even those that you send from your personal Web mail accounts, changed your behavior?
Did you know that more than one-quarter of U.S. companies have fired an employee in the last year for violating e-mail policies?
If your answer to all three of the above questions was "no," you might breathe a sigh of relief to learn that your answers put you squarely in the majority of U.S. employees. But the relief will last only until the implications of these answers set in. The odds are, someone else in your company knows you're reading this article right now.
Nearly one-third (32 percent) of large U.S. companies employ staff to read or otherwise analyze outbound e-mail, and this amount grew to 39 percent among companies with more than 20,000 employees.
This was among the findings of the 2007 Outbound E-Mail and Content Security in Today's Enterprise study conducted by Forrester Research and released July 23 by Proofpoint, an e-mail security firm based in Cupertino.
Not only are companies reading outbound e-mail, they're employing individuals whole sole purpose is to sift through the contents of an employee's computer. More than one in six of the companies surveyed employed staff whose primary or exclusive job function was to monitor e-mail content. This number jumped to nearly one-fifth (19.4 percent) among companies with more than 20,000 employees.
Who are the paid snoops at large organizations? Is "E-Mail Eavesdropper" a new job title?
"There are a multitude of people within an enterprise that may have this role, from the e-mail administrator to compliance folks who are responsible for making sure that e-mail isn't violating any internal policies," Keith Crosley, director of market development at Proofpoint told eWEEK.
While this level of peering over an employee's shoulder may seem excessive, the companies in question are not likely to agree. They estimated that nearly one in five outgoing e-mails (18.9 percent) contained content that posed a legal, financial or regulatory risk. The most common form of non-compliant content was e-mail that contained confidential or proprietary information.
Companies weren't found to be sitting idly by when they learned of a potential leak. More than one in three (33.8 percent) organizations surveyed had investigated a suspected e-mail leak of confidential or proprietary information in the last 12 months. Just shy of one-third (31.8 percent) had investigated a possible violation of privacy or data protection in the same time frame.
Furthermore, more than one quarter of companies (27.6 percent) had terminated an employee for violating e-mail policies in the last year, and nearly half (45.5 percent) had disciplined one.
Of all violations that companies monitored for, offensive content that did not threaten an organization's security was the least of their concerns.
"While companies are concerned about all of these things, offensive content consistently comes in at the bottom of these concerns. For all companies, 57 percent said they were concerned about monitoring e-mail for offensive content," said Crosley.
Despite cracking down on employees who were putting confidential information at risk, a surprising number of companies had no published e-mail policy whatsoever, though the number had declined since 2004, the first year the survey was conducted.
"One thing that was really good to see was we saw the biggest adoption of acceptable use policies this year of all the years we've done this survey. But, I was still surprised to see that 11 percent still did not have a formal mail use policy," said Crosley.
In addition to e-mail policies, the wide variety of opportunities to share information with Web 2.0 and social media software signaled a need for policies with a greater reach.
"Organizations really need to have well thought out and clearly articulated policies on media and information sharing, from YouTube to blogs, e-mail and message boards," said Crosley.
Though the majority of organizations surveyed (59.4 percent) had conducted a formal training on e-mail security policies in the last 12 months, a significant amount had not.
"Policies aren't any good unless employees know what they are. You need to articulate it and educate them," said Crosley.
"You want to be able to consistently apply these kinds of actions and be clear about what you allow and what you don't allow; what you want to protect and what is public. The point is not to get people in trouble, [but] to protect digital data and comply with regulations," said Crosley.
Check out eWEEK.com's Careers Center for the latest news, analysis and commentary on caree