A good day to dust off those email policies

By Laura Haight 

Maybe today is a good day to talk about email policies. No, not the government's or Hillary Clinton's. Your company's email policies. 

Clarity on this topic is elusive, but one thing does seem to stand out: We really don't know if we're doing the right thing, and the guidance (or even the hard-and-fast rules) we get from our businesses isn't necessarily helpful. 

In many cases, as was the case in the State Department, companies rely on individuals to make judgment calls. Should I click on this but not on that? How many personal emails is too many? Is it safe to get my email at the airport, but not at Starbucks?  

In trying not to be too draconian, our policies leave wiggle room. Larger companies try to eliminate as much of the human factor as possible by controlling what you can and can't do by policy, forcing you to change passwords every 30 days, requiring two-factor authentication, limiting the size or type of files you can receive in your email, and more. 

But most companies don't have that level of technology and rely on employees 'doing the right thing'. That being the case, we need to be a lot clearer about what that means. 

And while we're talking about being draconian, remember that when you are using a work computer or a work-provided resource, you have no expectation of privacy. Even if you delete email, it still lives in backups stored offline. It may be a little bit of work to get to, but it's not impossible in most cases. 


  • Have a written policy. This policy should be re-evaluated annually to make sure it continues to reflect advances in technology and risk assessments based on experience. For example, if you're still handing out a policy from 2004, it probably doesn't address the very real issue of work email on personal devices. In creating the policy, consider that you are not trying to "catch" people doing the wrong thing; you are giving them advice to help them make the right decisions. 
  • It's impossible to tell employees never to use email for personal use. In this they must exercise judgment. But you can and should establish a policy that eliminates the sharing of inappropriate jokes, images, social media memes, etc., through corporate email. If someone sends you something inappropriate, don't forward it, don't save it, delete it.  
  • It's also impossible to tell employees never to click on malware or an attachment with a virus. Some large companies that do training and testing of employees have found that even with that effort, 20 percent will get hooked by a phishing email. But you should address this with an admonition to exercise extreme caution and a requirement to report any suspicious email to the company for review. Your policy should also designate a specific individual to be notified of suspected malware or phishing emails. 
  • Make sure all employees not only have the policy, but have a review of the policy with a manager or HR rep. An annual review of the policy also provides an opportunity to ensure new employees are up to date. 


  • If you have never received an email policy or an employee manual, go ask for one. You will be held accountable for adhering to policies even if you didn't know about them.  
  • Even if you have the capability to add personal email accounts to your business email client (like Outlook), don't do it. It's one thing to get malware in an email to your work address; it's another if it comes from your mother to your personal email address and infects a work computer. 
  • If you are using personal devices at work - your own laptop, tablet or smartphone - make certain to keep them patched and to install virus and malware protection.
  • If you click on something you shouldn't have, get any unusual messages, or see other signs that things are not right on your system, you should immediately notify IT or your boss. Do not wait, do not assume it's nothing, and do not try to hide it. Clicking on the wrong things happens to all of us. The earlier we know, the quicker we can contain the problem. 

Email is the biggest vulnerability any organization has; it is the door hackers and cybercriminals most often come through. Your employees are the only real line of defense. So train them, teach them, talk to them, thank them, and make sure your policies and procedures are in place, publicized to all employees, and clearly understood.

All the money in the world spent on the latest tech cannot protect you from an authenticated employee who unintentionally opens the door.