IREC in Wall Street Journal article about email monitoring

Quoted as “The Corporate Executive Board”, we supplied some commentary and data for an article in the European edition of the Wall Street Journal.  The article is not available online, but it appeared on page 31 of the November 24 issue. (It is similar to the article “Some Courts Raise Bar on Reading Employee Email” from the US edition, but focuses on EU/UK issues.) We’d like to take advantage of the extra space available here to clarify our main points and provide additional data to those cited in the article.

Our Main Point

We feel that the most important part of our commentary was this: when considering data leakage or brand damage concerns, concentrating on monitoring corporate employee email activity ignores the reality of the modern world.

This is because there are so many other channels to consider that corporate email is starting to look pretty insignificant. Many of the channels cannot be monitored, hence the best protection is improving employee engagement (to avoid malicious behavior) and improving employee “awareness” (to avoid mistakes; see below for awareness data).

Brand damage can occur through employee activity at work or at home through:

  • social media sites
  • personal email

Data leakage can occur through those same channels, or:

  • USB drives / CDs etc.
  • cell phone cameras
  • hard copy printouts
  • smartphone email access

So, with all these channels, corporate email is a pretty small piece of the puzzle.

More Employee Awareness and Behavior Data

The article cites some results from our survey of over 120,000 end users’ behavior and attitudes toward information security issues. Here we would like to clarify and expand on the information presented in the article. The data will not match the article exactly, because here we have limited the analysis to the 62,026 employees surveyed at 94 organizations over the last year (about half our total data set).

Geographic Distribution:

These data come from the US (61%), 32 countries in Europe (15%, does not include Russia or Turkey), and 102 other countries (24%).

Email Policy Knowledge:

52% of employees worldwide know their organizations’ policies around emailing of sensitive information. In Europe the fraction is 63%. (This is probably a more useful metric than the one reported in the article, which was the fraction that believed they had a policy, regardless of the correctness of that belief.)

Perception of Risk of Emailing Sensitive Information:

Here the article was misleading about the meaning of the 1% figure: this was not about knowledge of policy. Because the actual risk of this behavior varies across organizations, we compare employees’ risk opinions to those of their CISO. We report where employees are significantly less concerned (believe the risk is lower), since these are the folks most in need of better risk awareness. 19% of employees worldwide are in this category, with the same value for those in Europe.

Policy Violation:

As stated in the article, 14% of employees worldwide regularly violate their organization’s email policy, typically in order to get their job done and not for nefarious purposes. Across Europe the compliance is actually worse, with almost 17% violating policy. Here are violation rates from some of the countries where we have large amounts of data:

Rate:   Country:
12%     US
16%     UK
15%     Germany
29%     France
23%     Italy
13%     Canada
10%     India

The two WSJ articles are about monitoring of employee email in the US and in Europe. It looks like the monitoring and/or the awareness that goes on in the US, and not so much in Europe, makes a difference in behavior.

Note: The WSJ also has a related article on the legal issues of monitoring employee email in the US.

Some Courts Raise Bar on Reading Employee Email
