Email policy
Posts about corporate email policies
Forrester study reveals workers not ready to give up email any time soon
Dec 23rd
A recent Forrester study held among 3700 knowledge workers reveals that 77% of workers use email for collaborative work and only 5% use social media such as wikis, blogs and social networks. When asked whether they would like to see any improvement in the way they communicate, they responded that they prefer to keep using the same tools with improvements, rather than using a whole new set of tools to communicate. Respondents mostly named the following points that needed improvement in email: miscommunication, scattered files and delays awaiting replies from others. In the study, entitled ‘Building the Future of Collaboration’, Forrester concludes that ‘respondents hope tomorrow will be similar, but better’.
Are companies unknowingly exposing themselves to the potentially harmful effects of cc mass mailings?
Dec 7th
This could happen to you: Your new sales rep is eager to get results and fast. He decides to contact his 200 customers with your latest promotional offer. In order to get the message across in the minimum amount of time, he creates one email, pastes all the email addresses in the Cc: field and hits ‘Send’. Now he just needs to wait for the orders to come in.
Your nightmare has begun. A potential privacy breach and damage to your company’s reputation has been set in motion. Not only has this one email exposed your valuable customer list and opened you up to 200 potential lawsuits for privacy breach, it has severely damaged your company’s reputation. If your company is this careless with its customer information, what does that say about the quality of the services and products you provide? And you don’t even want to think about what will happen when the recipients hit the ‘Reply to All’ button and start complaining about your company’s spam practices and asking you to remove them from the list. A true ‘mail storm’ could erupt with your company as the source. Download the Red Earth Software white paper ‘Preventing Privacy Breach – Why You Need to Block Cc Mass Mailings’ to find out about how these undesirable mass mailings can occur, the damage they can do, and how you can protect your company by preventing these emails from leaving your network.
How to Configure an Email Disclaimer in Microsoft Exchange Server 2007
Oct 1st
Microsoft Exchange Server 2007 includes the ability to add email disclaimers to your internal and external emails by making use of Transport Rules. In this article we will show you how you can configure an email disclaimer in Exchange Server 2007 and the various options that are available, including disclaimer formatting, positioning and avoiding multiple disclaimers. To configure an email disclaimer, follow the next steps:
- In the Exchange Management Console, go to Organization Configuration > Hub Transport.
- In the right-hand pane, select New Transport Rule.
- Enter a name and description for the rule. Leave the checkbox Enable Rule enabled. Click Next.
- In Conditions, you can select a number of options. For instance you can configure the disclaimer to only be added if the email is addressed to or from certain people or groups, when a word is present in the subject or body of the email, when the header contains certain words, when the message is marked with a classification or importance, or when an attachment file name or size is detected. In this example we will apply the disclaimer to all messages sent externally to the organization. To do this we will select the option ‘sent to users inside or outside the organization’.
- Now click on the ‘Inside’ link in the rule description. Select Outside and click OK. Click Next.
- You will now be able to specify the action that must be taken for any email that meets the selected conditions. There are several options such as adding text to the subject, sending a blind copy, removing/adding a header, redirecting the message to another address and setting a spam confidence level. Since we are creating a rule to add disclaimers, we will select the option ‘append disclaimer text using font, size, color, with separator and fallback to action if unable to apply’.
- Click on the ‘disclaimer text’ link. A dialog will appear allowing you to enter your email disclaimer text. Enter the disclaimer text and click OK.
- By default the disclaimer will be added in Arial, smallest font, gray color with a separator and fall back to wrap if unable to apply. Follow the next steps to change any of these default settings:
- To change the font type, click on the ’Arial’ link. From a drop down box you will be able to select Courier New or Verdana, instead of Arial.
- To change the font size, click on the ‘smallest’ link. You will be able to choose from smallest, smaller, Normal, larger, largest.
- If you wish to change the color, click on the ‘Gray’ link. You will be able to choose from a number of colors in the drop down list.
- If you do not wish to have a separator (this is a line separating the disclaimer from your message text), click on the ‘with separator’ link and select ‘without separator‘ from the drop-down list.
- Click on the ‘wrap’ link to select from one of three Fallback actions: wrap, ignore, reject. This option tells Exchange Server what to do if for some reason an email disclaimer cannot be added, for instance if the message is encrypted or digitally signed. If you select wrap, Exchange Server will create a new email message with the disclaimer in the body and the original email as an attachment. If you select ignore, Exchange Server will let the message through without a disclaimer. If you select reject, the message will not be delivered and an NDR will be sent to the sender.
When you are ready entering the disclaimer options, click Next.
- You will now be able to enter exceptions to the rule. If the email message meets any of the selected exceptions, the email disclaimer will not be added. For instance an exception can be used to avoid multiple disclaimers being added to the same message. This can be done by selecting the option except when the text specific words appears in the subject or the body of the message.
- Click on the ‘specific words’ link. Now enter a part of the disclaimer that is unique to your disclaimer. To make sure you do not enter text that could also be part of someone else’s disclaimer, it is recommended to enter text that includes your company name. Click OK. You can also select other exceptions such as certain senders or recipients, or when certain words are found in the subject or header. When you are ready configuring exceptions, click Next.
- Read the rule description. If everything looks good, click New. The rule will now be created. Click Finish. Your rule will now be listed under the Transport Rules tab.
As you can see, email disclaimers are easy to configure in Exchange 2007. Although there are quite a few available options, it is possible that the offered email disclaimer/signature functionality might not meet your needs entirely. We have listed some features below that are available in third party email disclaimer applications:
See disclaimers and signatures in the Sent Items of Outlook: Exchange Server does not show the email disclaimer or email signature in the Sent Items of Outlook. This means that the sender does not obtain proof that the disclaimer was added, the sender cannot see the actual message that was sent, and the email archive will not include the disclaimer text. Some third party applications do show email disclaimers in the Sent Items in Outlook, however most of them require client software to be installed or still allow users to edit or remove the disclaimer or signature. Using a server based email disclaimers application that shows disclaimers in Sent Items without allowing users to modify or remove the disclaimer is preferable.
Active Directory Merge fields: In order to create a global corporate email signature that is automatically personalized for each sender, some third party email disclaimer applications make use of Active Directory merge fields. These merge fields can be used in the disclaimer or email signature template. When an email is sent, the fields will automatically be replaced with the sender’s Active Directory properties, such as name, phone number and email address.
Message fields: Exchange Server 2007 does not allow you to use message fields which are retrieved from the email message, such as recipient name and date. It can be useful to include the actual recipient name in the disclaimer as follows: This email is only intended for [recipient name]. It can also be useful to ‘date stamp’ the disclaimer, indicating when it was added to the message.
Include logo or picture in your disclaimer/signature: Exchange Server 2007 does not allow you to include a logo or picture in your disclaimer or email signature. A number of third party disclaimer applications allow you to embed an image within your email disclaimer/signature.
Custom disclaimer positioning: Some third party applications can place the email disclaimer or signature after the most recent message text, not only at the end or beginning of the email. This is especially desirable if you are using email signatures and if you want to recipient to actually ‘see’ the disclaimer.
HTML formatting and inline CSS styles: Exchange Server 2007 only allows you to add formatted text to an email. It offers a limited set of font colors and sizes and does not allow you to use css styles or html tables, and other formatting options. Third party applications allow you to edit the disclaimer or signature straight from HTML, offering many more formatting options.
Add different signature on first emails: Should you wish to add a longer signature on the first email (with for instance the corporate mailing address and company logo), and then a shorter signature with only the person’s phone number and email address, this is also possible by using third party email disclaimer software.
10 things you should be doing to protect your company against email risks
Nov 2nd
Last week we discussed the top 6 email risks that companies face. So what can we do to protect ourselves against these risks? Here are 10 things that you should be doing to protect your company:
#1: Write an email policy. If you do not already have one in place, the first thing you must do is to create an email policy. This is necessary to educate users but also to ensure that employees are aware that the company is monitoring their emails. This will protect your company against possible employee lawsuits regarding invasion of privacy. Have your users sign the email policy to confirm that they have read and understood the regulations. For more information on what to include in your Email policy, got to the blog article Ten points to include in your email-policy.
#2: Train users; Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem and stress that employees that witness abuse of the email system must report this to their supervisor. This will boost productivity and help avoid many of the email risks.
#3: Install anti-virus software. Even though nowadays almost all companies have virus software scanning files on the server and client machines, not all companies do the same for email. Be safe rather than sorry and scan all your incoming and outgoing emails for viruses too.
#4: Install a spam filter. There are many spam filters out there and most of them will do a good job at blocking spam. However, not all spam filters will allow your users to review their own spam mails, offer customization per user or allow for detailed message tracking.
#5: Content check emails; Even though you have educated your users, you cannot assume that all employees will adhere to the policy. Therefore you need to install software that can check all emails for inappropriate content. For internal mails this is to protect users from an unsafe work environment. For external mails this is to protect the reputation of your company and to avoid libel lawsuits. You must also check attachments and use word filtering to avoid confidential data leaving the company. For instance you can block external emails containing Social Security Numbers, credit card details or patient information.
#6: Add a disclaimer; In order to disclaim against company liability, ensure confidentiality and comply with regulatory rules you must add a disclaimer to all sent emails. Disclaimers must be added to internal mails as well as external mails. It is also a good idea to add a different disclaimer for internal mails to specifically address the unsafe work environment issue. For instance in your internal mails you can include a line saying ‘Employees are expressly prohibited to make offensive, disruptive or defamatory statements.’
#7: Compress attachments; by compressing attachments you can reduce the size of files by up to 95 percent. Needless to say this will save bandwidth and network storage.
#8: Limit personal emails; Personal emails not only cause loss of productivity, they can be the source of viruses and bandwidth hogging attachments. You might want to allow some personal use, but in your email policy you must stipulate in exact terms what is allowed and what is not.
#9: Archive emails; Many industries now face regulations that require them to archive emails for a number of years, including the health care, legal and financial industry. Fail to archive your emails and your company might face substantial fines. In addition, you need to be able to quickly search and access messages in case you need to retrieve emails on a court order.
#10: View reports on usage; Check how the email policy is being implemented by looking at email usage reports. Find out what attachments users are sending and their size. View reports on email policy violations and determine which rules are being violated and by which users. On the basis of this information you can adjust your email policy, tweak your email filtering software, or schedule further trainings to re-iterate certain email policy rules.
The top six corporate email risks
Oct 27th
We all know that email is a great business tool. It’s fast, cheap, universal and easy to deploy. However, companies that make use of email are confronted with a number of risks. So what are the email risks that companies face? Red Earth Software has identified the following top 6 email risks:
#1 Legal liability; In most cases the employer is held responsible for all the information transmitted on or from their systems. Consequently inappropriate emails sent on the company network can result in multi-million dollar penalties. In the last few years there have been several high profile lawsuits such as the case against a global oil company filed by four female employees. The employees alleged that sexually harassing emails sent through the company email system caused a threatening work environment. One of the sexually offensive messages was a sheet entitled ’25 reasons why beer is better than women’. The company settled the case for no less than 2.2 million dollars.
#2 Regulatory compliancy; this now affects many companies across several industries. New and existing regulations are forcing companies to keep a record of their emails and to protect their client’s privacy. The Health Insurance Portability and Accountability Act requires health care institutions to keep a record of their email communications and secure confidentiality of information. In the new IRS regulation Circular 230, the IRS requires tax advisors to add an email disclaimer to any emails including tax advice, expressly stating that the opinion cannot be relied upon for penalty purposes. The U.S. Securities and Exchange Commission and Gramm-Leach-Bliley Act impose similar duties on financial institutions. Steep penalties can apply to those organizations that do not comply with their industry’s regulations. In a case lasting from 2000 until 2005, a well-known financial institution was recently forced to pay 20 million dollars in penalties by the Securities and Exchange Commission for not diligently searching for email back-up tapes and over-writing multiple back-up tapes.
#3 Lost productivity; Employees sending personal emails and sifting through spam mail can cause major loss of productivity. To give you an example, if each employee takes 5 seconds to view a spam mail, based on an average salary of 25 dollars per hour, this will cost the employer 3 cents per spam mail. If every employee received 25 spam mails per day, spam would cost a company with 100 users no less than 20,000 dollars per year. In addition to spam and personal emails, viruses can also lead to network downtime and lost productivity.
#4 Confidentiality breaches; Most confidentiality breaches occur from within the company. These breaches can be accidental, but they can also be intentional. Some years ago, a well-known software company filed a lawsuit against one of their former employees who had used the company’s email system to send out confidential information to their competitor, his new employer. The trade secrets included product design specifications, sales data and information regarding a prospective contract for which both companies were competing. The employee and competitor were both charged with trade secret theft.
#5 Damage to your company’s reputation; A badly written email, or an email containing unprofessional remarks will cause the recipient to gain a bad impression of the company that the sender is representing. A UK law firm had to find this out the hard way when two of their employees originated the ‘Claire Swire’ email, a sexually explicit email that ended up being read by over 10 million people around the world. Especially since the company in question was a law firm, and the employees were attorneys, this email caused severe damage of reputation.
#6 Increasing bandwidth and storage needs; Not only is the use of attachments growing, their size is increasing as well. According to the Radicati Group, attachments make up more than 85% of all email data. Large attachments use up bandwidth and storage space. Although the cost of storage space has decreased over the years, the larger the message store, the more management it requires and the longer it takes to restore messages after a mail server failure.
Next week we will be discussing what you can do to protect yourself against these email risks.
Email footers now required by EU
Mar 1st
A European Union Directive has recently come into effect requiring companies to add their company address, registration number and VAT number to all business emails or risk a fine. In the UK and Germany this law came into effect on January 1, 2007 but in other countries such as the Netherlands this law was already passed in 2006. More information on the new requirements for UK companies can be found at the following website: http://www.out-law.com/page-7594.
10 points to include in your email policy
Aug 20th
Email policies are important since they spell out what the company considers as appropriate email usage and more importantly, what is considered as inappropriate usage. You can either create a separate email usage policy or you can include an email policy section in your Employee handbook. In both cases it is a good idea to ask the employees to sign the policy, indicating that they have read and understood the document.
What kind of subjects should you cover in your email policy? Here is a list of then points to include:
#1 Email risks: The policy should list email risks to make users aware of the potential harmful effects of their actions. Advise users that sending an email is like sending a postcard: if you don”t want it posted on a bulletin board, then don”t send it.
#2 Best practices: This should include email etiquette and writing rules in order to uphold the good reputation of the company and to deliver quality customer service. For instance, include 5 etiquette rules: 1. Use proper grammar and punctuation, 2. Enable spell checking, 3. Read the email before you send it. 4. Include a signature conform company format, 5. Do not write emails in capitals. Also include instructions on compressing attachments to save bandwidth.
#3 Personal usage: The policy should state whether personal emails are accepted and if so, to what extent. You can for instance set limits on the times of day that personal emails can be sent (only during breaks), or you could require personal emails to be saved in a separate folder. In addition, state that employees are prohibited from sending or receiving certain email attachments, such as exe, mp3 or vbs files. You could also include a maximum file size for attachments sent via email.
#4 Wastage of resources: Warn users that they are making use of the company’s email system and that they should not engage in non-business activities that unnecessarily tie up network traffic. The policy must also cover the use of newsletters & newsgroups. For instance you can state that employees may only subscribe to a newsletter or newsgroup if this directly relates to their job.
#5 Prohibited content: The policy should expressly state that the email system is not to be used for the creation or distribution of any offensive, or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability. State that employees who receive any emails with this content should report the matter to their supervisor immediately. Moreover, employees should not use email to discuss competitors, potential acquisitions or mergers or to give their opinion about another firm. Unlawful messages, such as copyright infringing emails should also be prohibited.
#6 Document retention policy: Include information on whether or not email will be archived and for how long. If your organization is required to archive email messages, state that all emails will be archived and include the number of years that the records will be kept. If you are not required to archive your emails, notify your users about whether they can or should delete emails after a number of months or years.
#7 Treatment of confidential data: Include rules and guidelines on how employees should deal with your company’s confidential information and trade secrets. They should also be aware that they should not forward any confidential messages or attachments from other companies without permission. Make employees encrypt any confidential information that is sent via email and change passwords regularly.
#8 Email disclaimer: If you are adding a disclaimer to employees” emails, you should inform them of this and state the disclaimer text that is added.
#9 Email monitoring: If you are going to monitor your employees” emails, you must state this in your email policy. Warn that employees should have no expectation of privacy in anything they create, store, send or receive on the company’s computer system and that the company may, but is not obliged to monitor messages without prior notice. If you do not mention that the company is not obliged to monitor messages, an employee could potentially sue the company for failing to block a particular message.
#10 Measures & violation reporting: Warn that if an employee is found to be in breach of the email policy rules, this could result in disciplinary action, up to and including termination. If an employee witnesses email policy abuse they are required to report the incident immediately. Include contact details of who to contact if a violation of the policy rules is detected. This could be a supervisor but it might also be a good idea to appoint a specific contact person to report email policy breaches to.