38% of large US companies have full-time email monitoring staff
Dept of snooping and personnel
Nearly four in ten companies have staff whose main job is to monitor the outgoing email of colleagues, according to US data security research. More than a third of the companies surveyed hired staff to perform only that monitoring function.
Email security company Proofpoint interviewed email chiefs at 220 companies which employed more than 1,000 people. It found that companies were so worried about employees leaking information via email that 38 per cent of them paid other employees to monitor communications.
"An increasing number say they employ staff to read or otherwise analyze the contents of outbound email (38 per cent, up from 29 per cent in 2008)," said a Proofpoint statement. "The pain of data leakage has become so acute in 2009 that more US companies report they employ staff whose primary or exclusive job is to monitor the content of outbound email (33 percent, up from 15 percent in 2008)."
The survey suggested that companies have reason to be careful. Proofpoint said that 43 per cent of the companies told it that they had investigated email leaks of confidential information in the past year. "Nearly a third [of companies], 31 percent, terminated an employee for violating email policies in the same period (up from 26 per cent in 2008)," said Proofpoint's statement.
Blogs are also increasingly a source of concern for companies. The survey found that 18 per cent of the companies it spoke to had conducted an investigation into employees' use of blogs or message boards and 17 per cent had disciplined an employee for breaking company rules on their use. Workers had been fired over blog and message board use at 9 per cent of the companies interviewed.
The research also uncovered the dissemination of sensitive or valuable company information through social networks such as LinkedIn, Facebook or MySpace. It found that 17 per cent of companies had had information exposed through those channels, and that 8 per cent had fired employees because of it.
Proofpoint said some data leaks being experienced by companies are related to the economic downturn. It found that 18 per cent of companies believed a leak was related to an employee who was leaving the company, and that 42 per cent of firms believed that increasing layoffs at their firm created an increased risk of data leakage.
Morag Hutchison, an employment law expert at Pinsent Masons, the law firm behind OUT-LAW.COM, said that if companies in the UK want to take action against individuals relating to their email or internet use then they have to have clearly spelled out at the outset what is and is not allowed.
"We advise employers to ensure that they have an email and internet use policy setting out what, if any, personal use of the internet and email is allowed at work," said Hutchison. She said that any policy had to be actively communicated to have any effect.
"It is important that this policy is clearly communicated to all employees and that the employer monitors compliance of it and takes the appropriate enforcement action if they discover a breach. The internet policy should also cross reference the disciplinary policy that the employer is required to follow," she said. "It is also important that the policy is consistently applied, and not just applied to people the company wants to let go."
Copyright © 2009, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
SSL won't fix it
If the company controls the egress points of the network and controls the systems on the internal network, a simple proxy that breaks SSL (MITM) would fix that.
It would terminate the SSL connection on itself, read the contents, re-encrypt the traffic, and send it on its merry way.
Any company that has to deal with US Banking Regulations would be foolish *not* to do this. They have to account for every single communication with every single customer, regardless of medium. This means recording all phone calls, all emails, and all web traffic.
I also doubt a person manually sifts through all the data. That would require a Herculean effort. I imagine a combination of data-loss prevention software, proxy servers, and intrusion prevention would do most of the heavy lifting.
It's been happening for years. Now it's just easier for businesses that have paranoia as the reason instead of regulation to afford it.
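The automated content inspection that the comment above attributes to data-loss prevention software, sketched as an added example (not part of the original comment and not any product's code). The keyword list, addresses and sample message are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13-19 digits, optional separators
MARKER_RE = re.compile(r"\b(confidential|internal only)\b", re.I)  # assumed policy keywords

def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(where: str, text: str) -> list:
    hits = []
    if MARKER_RE.search(text):
        hits.append((where, "marker"))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append((where, "card_number"))
            break
    return hits

def scan_outbound(raw: bytes) -> list:
    """Return (location, finding) pairs for the subject and every MIME leaf part."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = scan_text("subject", str(msg["Subject"] or ""))
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""       # undoes base64 / quoted-printable
        text = data.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits += scan_text(part.get_filename() or "body", text)
    return hits

def build_sample(subject: str = "Q3 figures") -> bytes:
    """Constructed test message: harmless digits in the body, a card number in an attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@corp.example", "bob@outside.example", subject
    m.set_content("Order ref 1234 5678 9012 3456, details attached.")
    m.add_attachment(b"CONFIDENTIAL: card 4111 1111 1111 1111\n", maintype="application",
                     subtype="octet-stream", filename="notes.bin")
    return m.as_bytes()

if __name__ == "__main__":
    print(scan_outbound(build_sample()))
```

The body's sixteen digits fail the Luhn check and are ignored, while the base64-encoded attachment is decoded and flagged; a keyword-only rule on the subject line fires on wording alone, which is why such hits still need human review.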
Land of the free home of the *CENSORED*
I like to send e-mails with subjects such as "Re: Stolen Documents" or "Re: Confidential Company Accounts". People give blood pressure a bad name but without it you'd be dead.
This is as anal as it gets. Somebody needs to worry about making a profit and not preventing a loss. If anyone wants to know why companies have lost their way, this should be a guidepost.
Watch the movie!
It really must take a special kind of dunce to transmit stolen data through the networks of the very entity from which it has just been stolen.
Such an act would be like helping yourself to the hardware and then making your escape in a vehicle from the company motor pool!