The Radicati Group recently released a study that found the average business user in the United States sends and receives 171 e-mails each day. Even that significant volume of e-mail is expected to double in just the next few years. Each e-mail, of course, presents risk. Will the employee say something to create liability for the company, engage in harassment, send sexually explicit jokes, open an attachment with a virus, send confidential information outside the company without authorization, etc.?

The study found nearly a third of companies don’t adequately publish their e-mail policies to their employees. More than two thirds of businesses either do not filter outgoing e-mail at all or simply don’t know whether they are using filtering or not. Notwithstanding the foregoing, the overwhelming majority of businesses identify their top concerns regarding e-mail as protecting either (i) personally identifiable healthcare and financial information or (ii) the business’ own confidential/proprietary information.

Businesses continue to need a wake-up call on these issues. I have always advocated a three-prong approach to mitigate e-mail risks: policies, technology, and policing.

Policies: Policies need to be better written, updated on a periodic basis, and clearly communicated to employees. See my earlier posts on best practices for policies.

Technologies: A number of vendors make available affordable, well-thought-out technological aids to assist businesses in filtering and monitoring e-mail in the workplace. While no technology is perfect, these tools can greatly reduce the risk presented by e-mail use by employees. Of course, every business should be using appropriate anti-spam/virus/spyware software in connection with its e-mail systems.

Policing: I have touched on this topic in my earlier posts, but the issue remains the same. Businesses must enforce their policies when an infraction occurs.
An initial, minor infraction may only warrant remedial education and a warning. Substantial or repeated infractions may mean disciplinary action, up to and including termination. Employees should also understand breaches may subject them to personal civil and criminal liability. The point is not to threaten employees, but to make it clear infractions will result in very real consequences, including the loss of their job.