Bugwatch: Who guards your company email?

Each week vnunet.com asks a different expert to give their views on recent security issues, with advice, warnings and information on the latest threats.

This week Kevin Butler, technical manager at Allasso, stresses the importance of IT and HR working together to control the use of email at work.

The rapid evolution of email to become the de facto communication in many organisations has brought benefits. It has allowed companies to communicate efficiently and effectively with vendors, customers and business partners.

Yet email has also brought a number of problems to the workplace, not least of which is managing the content of emails.

But the responsibility for control over content has not developed in unison with the innovations in the inbox, thus creating a potential gap between deciding what is acceptable and what is actually enforced.

At the core of this problem is the bridge between the human resources and technical departments - or the lack of it.

According to communications policy, it is the HR department that governs what is deemed to be organisationally appropriate content for emails.

This is the department that manages staff contracts and employee handbooks, and it would have to take the lead in any disciplinary process.

But HR rarely plays a part in policing these regulations. Ultimately it is the hard working technical team which enforces what can be sent out in mails and what can be received, even late on a Friday afternoon.

Typically there is no interaction between HR and IT when content control software is configured; often the defining level is set by what the IT team deems as acceptable. This opens up a gap between HR policy and what is actually enforced.

With employees having so much access to information there is always a threat with email that unauthorised content, or potentially obscene material, can be transferred out of the organisation at the press of a button.

This sets up a potential minefield for employers. If employees are not caught because systems do not match the HR policy, critical information could be lost or reputations damaged.

It is unfeasible to think that HR staff can educate themselves to be up to date with the most contemporary IT security issues.

It is also unfeasible to think that they know how much organisational information is available to which employee, or how to configure software to limit access. That, after all, is the domain of the IT department.

What is needed is greater company-wide co-operation to combat security issues. Until companies accept that security cannot be managed by one department alone, they will continue to lose critical information.

Companies need to use an enforced, organisation-wide security policy which allocates clear channels of responsibility and regulates who will enforce these means and measures. To do this, four key measures should be implemented:

1. The IT and HR departments should attend all meetings regarding security policy so that appropriate technical solutions can be implemented.

2. The information security policy should be communicated to all employees, explaining how it is enforced and the penalties of not complying.

3. Email security training should be incorporated into all forms of IT training for employees so that they are consistently kept up to date with threats and are aware of how these can be prevented.

4. The IT and HR departments should meet on a regular basis to discuss any legal developments or technical advances within content control packages so that an appropriate solution is always in place.

The only way to combat email security problems is to put in place a cross-organisation security policy. Unless IT and HR work together, the security gap will not close.