Industry Watch

A Summary of Findings from the AIIM International and Kahn Consulting, Inc. Email Policies and Practices Survey

Managing Email in the New Business Reality

Authored by Randolph A. Kahn, ESQ. and Barclay T. Blair
What Is Industry Watch?

The AIIM Industry Watch is a summary of industry trends based on survey data that is collected from the AIIM community of end-users. A valid sample of responses received within the allotted time is then analyzed by AIIM and the consultant. A report of those findings is assembled into this concise paper, providing a snapshot of an industry at the time of the survey. The survey and corresponding Industry Watch are an occasional series. Survey topics are focused and will vary each time. Charts of the raw data will appear in the Appendix of each paper.

© 2003 by:
AIIM International, www.aiim.org
Kahn Consulting, Inc., www.kahnconsultinginc.com

ISBN 0-89258-401-7

No part of this publication may be reproduced without prior written permission of the publisher or author. Published in the United States of America.

Published by AIIM International, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910 US. Tel: 301-587-8202 / 800-477-2446. www.aiim.org
Executive Summary

Email is an indispensable part of today's business process. However, there is a growing policy vacuum in organizations when it comes to managing and controlling the use of information technology. Although a vast majority of organizations use email and other electronic communication technologies for real business every day, too many organizations are failing to implement policies designed to ensure that the technology is used properly and that digital information is properly retained. At the same time, Sarbanes-Oxley and the increased perception that email has important legal and compliance implications are having an effect on email management, with a majority of organizations planning to increase the security of their email systems and implement new policies to address the new realities.

Key Findings

Despite spam, increasing volume, and security worries, email's popularity continues. One hundred percent of organizations use email for business purposes, and 74% view email as a productivity tool with clear benefits to their organization.

Real business use. Organizations are aggressively adopting email for highly sensitive and valuable business processes and transactions, with 93% using email to answer inquiries from customers, 84% using it to discuss business strategy, 71% to negotiate contracts, 69% to exchange invoices and payment information, and 44% to file with official bodies.

Policy vacuum. Organizations are adopting new technologies to do business, with a majority using email (100%), mobile messaging (59%), wireless PDAs (81%), online discussion forums (71%), and peer-to-peer (P2P) file sharing (51%). However, a majority of organizations are failing to create policies to control and manage these technologies. For example, only 22% of organizations have formal written policies for P2P file sharing.

In transition.
Organizations have paid attention to Sarbanes-Oxley and the high-profile media coverage of business failures, litigation, and corporate malfeasance, in which email played a starring role. A majority of organizations are making or planning to make changes to the way they manage email as a result, by creating new policies (68%) and taking action to improve security (64%).

Retention Inattention. Despite increased awareness of the need to properly manage and store email messages, a majority of organizations are failing to provide written guidance to employees. Sixty percent have NO formal policy governing email retention. A majority of companies do not even tell employees where, how, or by whom email messages should be retained.

About the Survey [1]

Email Policies and Practices: An Industry Study was jointly conducted in Q3 2003 by AIIM International and Kahn Consulting, Inc. This report provides a summary of key findings from the survey. Over 1,000 respondents from a wide variety of industries across the U.S. participated in the survey. Respondents were quite evenly distributed among major industries, with significant representation from Manufacturing and Engineering (12%); Banking, Finance, and Insurance (16%); and Government and Public Service (24%). [2] The survey also had a good mix of respondents from small and large organizations, with about half of the survey respondents belonging to organizations with less than 1,000 employees and the other half from organizations with more than 1,000 employees. The pool of survey respondents is sufficiently broad and deep to provide statistically significant and useful insights.

[1] This Study should be cited as: Email Policies and Practices: An Industry Study Conducted by AIIM International and Kahn Consulting, Inc., 2003.

[2] Throughout this document, the term "organizations" is used to refer to all private, public, non-commercial, and other entities conducting business.

© 2003 AIIM International and Kahn Consulting, Inc.

The business world has changed. While the use of email and other electronic communications technologies is seemingly growing, a rash of high-profile business failures, corporate malfeasance, litigation, and new laws and regulations, such as the Sarbanes-Oxley Act, have placed a renewed emphasis on good management controls and organizational accountability. Anecdotally, the increasing frequency of a starring role for email in lawsuits and investigations over the past few years had led the survey's authors to believe that there may be a gap in the way that technology is being managed (a suspicion that is largely confirmed by the result of the survey).

As such, the survey was designed to gather information on how email and other electronic communications technologies are being used by organizations today. More specifically, it sought to explore how policies and practices are being used (or not being used) as a management control: are they being used, what issues are they addressing, and where are they failing. It also sought information on how email is being used today, and with what frequency. Finally, the survey sought to find out if organizations today are changing the way that they use email and why.

Email Continues to Transform Business

[Figure: bar chart of business uses of email, on a scale of 0 to 100 percent. Categories: Resp to litigation, Filing official docs, Invoices, Customer Inq, Resp to regulators, Confidential info, Oper/prod strategies, HR issues, Contracts. Values shown: 23%, 38%, 44%, 56%, 64%, 69%, 71%, 84%, 93%. Source: Managing Email in the New Business Reality, AIIM International and Kahn Consulting, Inc., 2003]

The Survey should remove any lingering doubt that email and other electronic communications technologies have profoundly changed the way that we do business today. Email isn't about the company picnic anymore. In fact, 100% of organizations surveyed indicated that they use email for business purposes.
Email has played a part in many high-profile lawsuits and investigations, scores of employees have been terminated, and a myriad of other ills have been attached to email. Despite this, organizations not only continue to rely on email, but also seem to be expanding email use to activities with real business, legal, and compliance implications.
Recently passed laws like the federal E-SIGN Act and the state-level Uniform Electronic Transactions Act that encourage the use of electronic documents and signatures may be having some effect, as 71% of organizations now use email to negotiate contracts and agreements, and 69% use it to exchange invoices, statements, and payment information. Nearly all organizations (93%) use email as a tool for communicating with customers.

The use of email for sensitive business processes indicates a comfort with the digital medium. And it is not just companies that feel this comfort: regulators and government agencies seem to increasingly be on board too. The Survey shows that 38% of organizations use email to respond to regulators, and 44% use it to file with official bodies.

Email plays a big role both inside and outside organizations. A majority of them use email to discuss human resource (HR) issues (56%), to discuss operational or product strategies (84%), and to exchange confidential or sensitive information (65%). The bottom line is that email is used every day in our organizations for real business purposes.

The Survey also indicates that, while organizations are increasingly comfortable with doing business in the electronic world, many have not invested in the hardware and software that supports proper management and retention of digital information. For example, only 35% of organizations have a separate back-end system specifically used for retaining email messages, and a minority use records management (23%), document management (34%), or email management and archiving software (40%). Properly capturing and retaining email and other types of important digital information is clearly more challenging without a supportive technology environment.

Similarly, although organizations are clearly using email to transmit sensitive information with privacy, confidentiality, and trade secret implications, less than half have invested in encryption technology.
This suggests that for many organizations, comfort with using email for important business processes is likely more the result of familiarity with the technology than investment in security. Many organizations have had their false sense of security shattered when unprotected email messages have ended up in the wrong hands and, for example, trade secrets have been lost or customers' privacy has been violated.

The Policy Vacuum

[Figure: bar chart comparing, on a scale of 0 to 100 percent, the share of organizations that allow use of each technology with the share that have a policy for it. Series: Allow Use, Have Policy. Technologies: P to P, FTP, Newsgroups, Voice mail, Int/Ext disc forums, Wireless/PDA, Laptops, Text messaging, IM, Email. Source: Managing Email in the New Business Reality, AIIM International and Kahn Consulting, Inc., 2003]
Information technology is clearly transforming business today. Fully 100% of organizations surveyed are using email to conduct business. As expected, nearly every organization uses laptop computers and voicemail (both 98%), but organizations are also using a surprising variety of less common technologies including Instant Messaging (IM), message boards, and Peer-to-Peer (P2P) file sharing for business purposes. However, while most organizations surveyed are allowing employees to use these technologies, many are failing to ensure that they have adequate management controls and security precautions in place.

For example, even though 59% of organizations allow employees to use newsgroups for business, only 17% of organizations provide formal written policies for their use. It's much the same story with wireless-enabled handheld devices such as Personal Digital Assistants (PDAs) and Tablet PCs, where 81% of organizations allow their use, but only 28% have formal written policies. P2P file sharing is no better, with less than half of organizations that allow its use providing employees with written guidelines, despite recent cases where companies have become embroiled in copyright disputes over music files shared over the corporate network.

Instant Messaging (IM) is graduating from a chat tool for teenagers to an enterprise messaging tool with real business uses and real legal implications. Forty-six percent of organizations use it for business, but less than half of those have a formal policy, this despite new rules from regulators like the National Association of Securities Dealers that require IM messages to be retained like any other business correspondence.

The disconnect between the use of these technologies and the lack of rules to regulate their use is problematic. Failure to provide rules creates security risks and retention issues, and may allow technology to be used in a way that does not promote business interests.
Some of this policy vacuum can be attributed to the lag time that seems to occur between a technology's adoption and the creation of a policy. In other cases, the cause is not so clear. For example, the fact that text messaging or email-enabled mobile phones may be relatively new to many organizations may partly explain why only 21% of organizations have a written policy even though a majority of them (59%) allow its use. However, it is hard to apply the same logic to newsgroups (59% use/17% policy) or file transfer protocol (FTP) (82% use/35% policy), since both are mature technologies that have been in widespread use for many years. In many organizations, the answer may be as simple (yet potentially dangerous) as that they have never had a problem with the technology, so they haven't felt the need to create the control.

A passive approach to policy-making can be dangerous, as the business world learned over the past decade or so as email evolved to become the commonplace tool it is today. In the nascent days of email use, organizations took a passive approach to email management that forced them to react to problems, after the fact, by drafting policies, training, auditing, monitoring, and retraining (and occasionally firing violators) just to get email use under control. Email was rolled out across the business world without enough consideration of what could go wrong, and the liability that lay within the email system. Indeed, much that could go wrong did go wrong. Consequently, organizations were forced to legislate better behavior through policy or other means. Now, while employees still violate email policies (and a few employees likely always will), the majority of organizations (80%) have prohibited use policies, at a minimum, that tell the workforce how to deal with all kinds of conduct that could get the employees and the organization in serious trouble.
Pay Attention to Retention

"Content of email determines whether or not that email constitutes an official record. If so, it is to be retained outside of the email system. If it is not a record, it should be deleted. There is no way there can be one retention period for all email messages." Survey Respondent #14

"Each email user pretty much determines this individually. I do it for my department, since I'm the department head." Survey Respondent #39

"I drafted an email use and an email retention policy two years ago, and I'm still waiting for upper management's review!" Survey Respondent #175

Most organizations have clearly got the message that they need to guide employees on the proper way to use the email system. For example, 70% of organizations tell their employees what to expect in terms of the privacy of email at work, 80% dictate acceptable use of the email system, and 73% provide guidelines on email content. Maybe the countless high-profile lawsuits involving pornography and inappropriate email content are finally starting to have an effect.

On the other hand, even though a majority of organizations are making changes to the way email is managed because of its increasing legal importance (due to Sarbanes-Oxley, lawsuits, and so on), 60% have NO formal policy governing its retention; 54% do not even tell employees where, how, or by whom email messages should be retained. It is little wonder that nearly two-thirds of survey respondents felt that their organization needed new policies and more email retention and storage training.

And, even when organizations do retain email messages, only 37% retain messages according to their content. As the respondent quotes above help to illustrate, the remaining organizations use a hodge-podge of techniques, with 31% keeping email indefinitely, and 26% retaining it less than 120 days. Sixty-seven percent use maximum mailbox sizes as a method of creating a de facto retention limitation.
While email use has eclipsed telephone use in many businesses, the replacement of one technology with the other does not mean that they can be handled with the same ease. Email, unlike phone calls, is memorialized in a form that sometimes makes it tough to manage. And yet, it is clear from the Survey that substantive business relationships are now formed via email, and important documents and evidence may only reside in email form. Losing the email means losing your ability to defend your organization's legal position. Where are the rules that make sure the company has evidence of its business dealings and can defend itself in the context of litigation, audit, or investigation? Those rules are not drafted with the necessary regularity.

A Transition Period

Many organizations are in a period of transition in the way that they manage and use email and related technologies. Organizations have paid attention to Sarbanes-Oxley and the high-profile media coverage of business failures and corporate malfeasance (such as Andersen/Enron), with 40% citing these as the reason they are making (or planning to make) changes in the way email is retained and managed. Others cite lawsuits, business losses, viruses, system downtime, or other damage directly experienced by the organization as the reason for change (30%). Finally, fully 47% cite the increasing volume of email in their organization as a reason that email practices need to change.

The kinds of changes that organizations are making vary. The good news is that a majority of organizations (68%) see the creation of new policies as the most important change they can make to address the realities of their operating and business environment. Also, a majority (64%) have taken action (or plan to) to make their email systems more secure. Beyond that, there seems to be some confusion amongst
organizations as to where their email management problems exactly lie. For example, while some say they need to retain more email messages (25%), an even greater number believe they need to retain fewer email messages (31%). Similarly, while some believe the path forward is to retain email for longer periods.

Clearly, training should play a big role during transition periods like this. A majority of organizations believe that training will help their organizations, and 46% of organizations have offered training on policy issues during the last year, which reflects the majority belief that employees could benefit from more email retention and storage training (67%).

Despite Problems, Email Still Viewed Positively

Despite some concerns about security, email volume, and spam, the vast majority of organizations still view email in a positive light. In fact, 74% view email as a productivity tool with clear benefits to their organization. Less than 1% of organizations viewed email as a tool that wastes time and causes more harm than good. This is true even though users are spending a significant portion of their day dealing with email. Sixty-five percent of email users spend at least a quarter of their working day on writing, reading, or otherwise dealing with email, and 25% of users spend more than half. It's little wonder users are spending so much of their day on email, as 83% receive at least 20 email messages per day, with 26% receiving 60 or more.

This is not to say that email use is totally problem free. Email users are fed up with spam (and the tools used to deal with it in some cases), with over 15% of respondents commenting on unwanted email messages. One respondent noted "our spam filtering hinders as much as it helps," and another that "spamming is such a productivity eater."

Conclusion

Email ranks up there as one of the most significant technologies that have transformed the way we work, play, and structure our day.
Ubiquity in use, however, does not mean we are managing email and other communications technologies in the best ways possible. Email, like all sorts of other communication technologies, burst into use in business and grew almost unfettered until we realized that harnessing the technology meant serious management of a wide variety of new issues. With use came comfort with the new technology. With comfort came new, more significant uses of the technology. Today real business of all types is routinely done in email. But organizations have not evolved far enough, fast enough in the way they control and manage email use.
About The Authors

Randolph Kahn is the coauthor of the recently published book E-mail Rules and an internationally recognized authority on the legal, compliance, and policy issues of information technology and information management, and trusted advisor and consultant to Fortune 500 companies, governmental agencies, and court systems. As founder and principal of Kahn Consulting, Inc. (www.kahnconsultinginc.com), Mr. Kahn leads a team of information management, regulatory, compliance, technology, and policy professionals who serve as consultants and advisors to major institutions around the globe. Mr. Kahn conducts numerous seminars and training programs for thousands of participants at corporate and government institutions and member organizations each year. He teaches Legal Issues in Records and Information Management at George Washington University and has authored dozens of published works.

Barclay T. Blair leads the Technology Consulting operations for Kahn Consulting. Mr. Blair has a broad information technology background, with extensive expertise in the technology and policy considerations of information management, information security, public key infrastructure, XML, online transactions, and related topics. He is a Rapporteur within the Information Security Committee of the American Bar Association (ABA), and an editor of the ABA's PKI Assessment Guidelines, published in 2003 after more than five years of drafting. Mr. Blair has authored and edited dozens of publications and has spoken internationally about information technology and security matters.

About AIIM International

AIIM International is the global authority on enterprise content management (ECM). ECM is the technologies, tools and methods used to capture, manage, store, preserve, and deliver information to support business processes. AIIM promotes the understanding, adoption, and use of ECM technologies through education, networking, marketing, research, standards, and advocacy programs.
As a neutral and unbiased source of information, AIIM is uniquely positioned as a 501(c)(6) non-profit association dedicated to growing the Enterprise Content Management Industry through its:

Market Education: Expand the global market for ECM solutions. Provide educational programs and information services that help users make informed and effective technology decisions and help suppliers better understand user needs and requirements.

Networking: Through chapters, programs, and the Web, create opportunities that expand the global base of users seeking ECM solutions and allow our user, supplier, and channel members to engage and connect with one another.

Industry Advocacy: Through our own efforts and strategic partnerships, become the global voice of the ECM industry in key standards organizations, with the media, and with government decision-makers.

The AIIM community has a variety of opportunities for you. Visit us on our Web site at www.aiim.org.