The Boulder County Business Report, "Email policy: human side of spam control"

By Caron Schwartz Ellis

February 18, 2005

 

The bad news is no amount of hardware or software antispam tools can eliminate 100 percent of e-mail spam.

The good news is an e-mail policy along with user education can go a long way toward mitigating the risks associated with spam.

Unfortunately, only about 50 percent of companies provide that policy or training.

“Users want to do the right thing,” said Ned McClain, vice president of engineering with Boulder-based network security firm Applied Trust Engineering. “They want to get off the Viagra list, and the best thing they can do is ignore it. … That’s the root of the security — the user element is the hardest to deal with.”

Having an e-mail policy is one way to educate users, McClain said. But the policy should deal with much more than spam; it should educate users about e-mail security in general and tell them specifically what is and is not permitted using company electronic resources.

Betty Pierce, president of Erie-based information technology consulting firm Secure Network Systems LLC, said many of her company’s clients have some kind of e-mail policy that’s usually tied to their Internet acceptable use policy, “because they had such a bad Internet abuse situation.”

According to Pierce, it’s not so much whether or not a company has a policy, it’s more about the complexity of the policy — some are informal and verbal while others are detailed written policies.

According to email-policy.com, a good written e-mail policy should include the following e-mail do’s and don’ts:

E-mail risks: E-mail is never completely private, so users should be made aware of the potential harmful effects of sending offensive messages.

Personal usage: The policy should state whether personal e-mails are accepted and if so, to what extent.

Resources waste: Since users are making use of the company’s e-mail system, they should be warned to not engage in nonbusiness activities that tie up network traffic.

Prohibited content: The policy should state that the e-mail system is not to be used for the creation or distribution of offensive messages.

Document retention policy: E-mail should be deleted after a certain number of days. Certain regulated industries, however, are required to archive e-mail messages.

Treatment of confidential data: Include rules about encrypting confidential information that is sent via e-mail and changing passwords regularly.

Joyce Colson, a partner with Boulder-based law firm Colson-Quinn, emphasized the importance of having a written e-mail policy and said “you may want to put some limits on public mail forums, discussion groups and the like.”

Colson also stressed including guidelines for the consequences if employees fail to comply, “otherwise the policies are useless.”

The Business Report found that smaller companies tend to not have formal e-mail policies, but that larger ones do, like 300-employee Spectra Logic Corp. in Boulder.

Spectra Logic has a four-page Computing Devices and Telecommunications Equipment policy that spells out guidelines for both Internet and e-mail use.

Spectra Logic Vice President of Information Technology Jeff Biley said despite the formality, “Our policies are pretty open. As long as it doesn’t affect your job we let it go at that.”

For example, the policy states that both personal e-mail and Internet use “is acceptable provided this privilege is not used for personal commerce and does not, in any way, encumber an associate’s ability to perform their assigned job duties.”

“It’s not like ‘do whatever you want,’ but it’s ‘be smart about it,’” Biley said.

The company also sends out a monthly IT bulletin and a weekly reminder on new viruses. “We do a lot of user education,” he said.