Email best practices
Best Practices, Email April 16th, 2007
There is no argument that email has become the universally accepted medium for business communication. However, unlike other business applications, email is perceived as not worthy of user training because of its relative simplicity and intuitiveness. What companies overlook is that users often unintentionally introduce security risks, create liabilities and use up enormous network and storage resources through inappropriate email use.
While I am not suggesting formal classes on how to use email, I believe that companies and employees could benefit equally from repeated reminders on proper use and etiquette.
Over the next few posts, I will discuss some of the main areas that companies should address in basic corporate email guidelines:
Email Security
Email-borne viruses, spam and phishing are a serious threat.
I would hope that every company has a comprehensive anti-spam and anti-virus solution in place by now. Multiple layers of defense at the firewall, application and desktop level are a prudent approach to combat the problem, but let’s not forget that 100% protection is not possible. Users should be reminded not to open files from unknown sources and to scan suspect emails before opening. Spam messages should be discarded or flagged as spam if this mechanism exists. To prevent excessive spam exposure, users must learn to protect their email addresses when subscribing to mailing lists and posting on public message boards. Companies should also consider providing alternate email aliases that can be recycled. Newer email clients prevent the unauthorized download of external images, which are often embedded in spam email as a means to “phone home” a successful delivery. Make sure your users understand how to use this important defense mechanism, while also reminding them not to click on any embedded links or try to unsubscribe.
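To make the “phone home” mechanism concrete, here is an added Python example (not part of the original post) that separates images a client would have to fetch from a remote server, which tells the sender the message was opened, from images carried inside the message itself. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one embedded logo (cid:) and one remote 1x1 image
# whose URL carries the recipient address back to the sender.
SAMPLE = """\
From: offers@mailer.example
To: user@corp.example
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Special offer inside.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Special offer</p>
<img src="cid:logo@mailer.example" alt="logo">
<img src="http://track.mailer.example/open.gif?rcpt=user%40corp.example" width="1" height="1">
</body></html>
--b1--
"""

class ImageCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = (dict(attrs).get("src") or "").strip()
            if src:
                self.sources.append(src)

def classify_images(raw_message):
    """Return image sources split into 'remote' (would trigger a network
    request when rendered) and 'embedded' (cid:/data:, no request)."""
    result = {"remote": [], "embedded": []}
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImageCollector()
        collector.feed(part.get_content())
        collector.close()
        for src in collector.sources:
            url = urlsplit(src)
            # http(s) and protocol-relative (//host/...) URLs leave the mailbox
            is_remote = url.scheme.lower() in ("http", "https") or bool(url.netloc)
            result["remote" if is_remote else "embedded"].append(src)
    return result

if __name__ == "__main__":
    print(classify_images(SAMPLE))
```

A client with remote image blocking enabled renders only the embedded entries until the user explicitly allows the rest.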
Phishing for personal information has become a more recent problem. Legitimate-looking emails prompt users to enter personal information, such as login credentials, credit card numbers and other confidential data, on fake web sites. The focus of such exploits has mainly been around e-banking and e-commerce so far, but I would not be surprised to soon see phishing techniques used in attempts at gaining access to internal corporate network resources as well. There are some simple rules for avoiding phishing attacks, and many email clients and web browsers are getting smarter in their detection capabilities.
There is one golden rule for all security-related issues: “If in doubt, ask!”
Employees must not only know whom to contact, but more importantly feel comfortable in making that call should they encounter a suspect message. The IT staff must be trained to encourage such inquiries.
There is no room for the “Nick Burns, Your Company’s Computer Guy” type of approach; users who have been patronized and humiliated are unlikely to ask for help again.