When creating Email Policy – Include Guidelines for when Staff must use Encrypted Email

The importance of guidelines to ensure Efficient and Effective email Use

“Most companies are grappling with email overload,” says Monica Seely, an email management expert at Mesmo and author of Brilliant Email. “Companies are losing up to 20 days per person per year, dealing with email poorly.” Most of us would not disagree with these statements. But how many organizations have you encountered that have email guidelines in place – that are actually enforced? The answer is likely none.

Having no email charter (that is adhered to) is like having no HR policies for staff (that are adhered to). Payroll and the inefficient use of email are among the most costly expenses in most professional services organizations. Guidelines for managing these resources are not nice-to-haves, but rather fundamental business rules, and they apply to organizations of any size. Having these guidelines in writing is not good enough. In order for them to be effective, they must be enforced and become part of the operational culture and house rules, as second nature as, well, sending an email.

Sending a flaming email or an unwarranted ‘reply to all’ with the dreaded “thanks!” should become as unacceptable and ‘yesterday’ as scotches for lunch and smoking at our desks. One can’t assume that staff ‘just know’ how to use email. Most individuals’ email training is simply non-existent and ends with opening their MS Outlook application and composing their first email.

Guidelines for when Secure Encrypted Email must be used

If you are on vacation and you want to send something generic to a friend such as “wish you were here”, you send a postcard. If the message or letter is more personal and you would prefer that only the intended recipient read it, you would send it in a sealed envelope. The same principle applies in the business world. Encrypted email is your sealed envelope (+). It can be more like a signature-required guaranteed delivered package, depending on the encryption service used.

Rarely covered in an email policy is the inclusion of guidelines around sending sensitive or client-confidential information. The sending organization or the sender who is including sensitive business, client, or employee information in an email is unequivocally responsible for ensuring that the information is secure and only seen by intended recipients. If a sender does not use email encryption, all information sent over the internet can be intercepted, which leaves the organization open to high risks of data leaks and breaches of privacy and other regulatory compliance requirements. It’s like sending a postcard into cyberspace.

Sample Encrypted Email Guidelines

Here’s just a sample of general guidelines that can be included in your email charter to address the use of encryption to ensure that sensitive content is only seen by intended recipients. Encrypted email must be used:
  1. When sending or discussing confidential, strategic, non-public, or classified business information.
  2. For Board of Directors discussions.
  3. When sending or discussing any type of client confidential, privileged, or private information. Clients could include students, patients, citizens, or customers.
  4. When emails include credit card numbers, social security numbers, passwords, logins or any recognizable format for sensitive information. The use of data leak prevention tools is also key here. Data leak prevention tools will recognize the format of email content, such as xxxx-xxxxx-xxxxx-xxxxx for credit cards, and prevent sending of the email or at least warn the sender to encrypt the email.
  5. When attaching any kind of sensitive document to an email. Encryption is much more secure than including a password to open the document, which can be hacked.
  6. By all legal and accounting staff working for the organization, or any staff who frequently deal with confidential information as part of their regular duties. This may include IT and Sales.
  7. When communicating outside the organization with firms dealing with sensitive information such as legal, accounting and IT firms. In many sectors, such as the healthcare industry or public sector, guidelines would include a long list of external or partner agencies.
  8. By HR staff when communicating sensitive employee information, AND when communicating with potential new hires and candidates – particularly when discussing or sending employment offers.
  9. As an aside, secure email guidelines should also cover the topic of email delegates: how to communicate which staff members have delegates, and which alternative communication methods to use to reach staff with delegates when ultra-sensitive emails are exchanged. Navigating the sensitivities of email delegates can be challenging if guidelines are not in place.

Once communicated, email rules or guidelines should be adhered to and enforced like any other organizational policy. With minimal training and reminders, email can be a highly effective communication tool. There may be a lot of talk recently about rogue companies abolishing email altogether as a way of dealing with the ineffective use of email. But the reality is that email is not going anywhere for the foreseeable future. It’s not the medium that’s the problem. It’s who uses it and how.

Contact us here if you would like to receive a complete email policy or guidelines template.

Ariane Laird works with Email2. Email2 provides straightforward secure email encryption and data leak prevention solutions for various sectors, and uses the same security technology as Internet banking. From your desktop to mobile, securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization. Brilliantly simple, anytime anywhere encryption – without requiring staff or recipients to change their existing email.