ePolicy Institute survey: Companies are dropping the ball on e-mail and IM

The ePolicy Institute's 2004 Workplace E-mail and Instant Messaging Survey shows that many companies are putting themselves at risk because of their e-mail and instant messaging policies, or lack thereof.

The ePolicy Institute has released an interesting and somewhat scary survey of just how serious a problem e-mail management and instant messaging have become for businesses. We're going to look at what the ePolicy Institute's Workplace E-mail and Instant Messaging Survey revealed.

Compare their results to what's happening in your company, and pay special attention to the growing use and threat from mishandling Instant Messaging.

Download the survey

There is a nine-page summary of the survey results that includes the actual questions asked and the answers that form the basis of the general conclusions.


For those who really understand business costs, the scariest part of the ePolicy Institute's 2004 survey is the fact that fully one-fifth of companies have been dragged into court by subpoenas demanding to see e-mail and IM records. Whether this is due to a regulatory action at the state or federal level, or as part of a civil suit, the costs involved in responding to any sort of legal action—especially the costs of battling to protect confidential business information—can really add up.

And that number doesn't even include suits actually related to malicious, pornographic, or harassing e-mails. Combine the two and you see that in any year about one-third of big companies can expect to see court papers requiring them to produce e-mail and/or IM records.

Just how prepared are you to respond to such actions? Do you have a good, well-enforced policy of retaining important instant messages?

According to the survey, if your company is like most, then the answer is probably a resounding "no." More than half of companies surveyed (and these are businesses that have periodic contacts with the ePolicy Institute) either don't retain records as required or don't know if they are doing it correctly. E-mail has been around long enough that companies and lawyers are up to speed on how important it is. However, IM is newer and only about 20 percent have IM use and retention policies in place. Since only 11 percent are filtering IM, the lack of a policy could potentially be extremely risky behavior.

If you happen to be in a regulated industry that includes financial institutions, but might also be construed to include any company with publicly traded stock, failure to keep proper e-mail and IM records could actually be a criminal offense.

Another serious policy matter turned up by the survey is the report that, while most companies monitor the content of external e-mail, only about 30 percent actually monitor internal e-mail between employees—the kinds of messages that can give rise to discrimination or harassment suits.

If you need a bit of leverage to help convince employees to take e-mail and IM policies seriously, remind them that a lot of people have been fired for policy violations—even something as innocent-seeming as exchanging jokes can get you canned in some cases. The survey showed that one-quarter of the responding companies had already fired someone for e-mail policy violations.

When creating new policies, it is important for administrators to remember that before implementing new policies they should always review those policies with upper management and the legal department.

Final word

The ePolicy Institute may be somewhat biased on this subject; after all, they offer training and other products in this area, but from my experience working with small and large companies, the numbers in its survey look pretty accurate. There certainly weren't any big surprises for me, so I recommend that you read this survey and take it very seriously.

Following the old legal truism that what lands you in jail is often your secretary's meticulously kept records, some companies have policies of never storing any e-mail or IM, but that is short-sighted. Not only could that be construed as obstruction of justice in some jurisdictions, but if your company is doing everything right with regard to workplace harassment and such, then your record of all e-mail and IM messages may actually be your strongest defense.

Many people tend to view IM as much less formal than business e-mail, akin to phone conversations, but while some states make it illegal to record telephone chats, there is no such law regarding either e-mail or IM—in fact, some companies are legally required to keep some records of computer-based communications.

It's also important to recognize the fact that IM can be incredibly useful in a business environment, if only because it eliminates the need to deal with spam in regular e-mail. IM is likely to gain popularity in business settings in the future and it is important that your organization be prepared to handle it.

Also watch for…

  • The RBOT-GR Worm isn't spreading very fast but it has a nasty payload—it hijacks any Web cam you are running. It can also steal information from your hard drive.
  • The Winamp MP3 and media player has a serious vulnerability for which exploit code is already in circulation. The only real fix is to delete Winamp, which probably shouldn't be on business machines anyway. Check out the original report and exploit at Secunia reports this threat as extremely critical since it allows a remote takeover of the vulnerability system. Nullsoft has released a patch.

Editor's Picks

Free Newsletters, In your Inbox