By Scott Lane, The Red Flag Group®
What does George Orwell have to do with compliance? you might ask. From the character in Orwell’s novel 1984 we have learnt the term ‘Big Brother’. Originally regarded as some form of omnipresent figure representing the oppressive control over individual lives exerted by an authoritarian government, the term has now become common language and is synonymous with the negative suggestion of someone watching over you. The challenge with compliance is watching over your staff and partners to ensure compliance while trying not to engage in the Big Brother tactics that garner undesirable connotations. There is a balance to monitoring behaviour while having the necessary degree of trust in your people.
Most companies monitor their employees’ activity daily. They have access to controls, logins, passcodes, and door and building access. They can segregate certain people from data or physical systems for a variety of reasons. The aim of this is partly to protect the information, but it is also to protect the people (they may, for example, not have specific knowledge about how to use certain equipment or data and therefore need to be kept separate from it).
Despite these daily controls placed on employees, the concept of someone having access to their email, laptop and private information on their IT devices conjures up the Big Brother argument. While company policies often state that the company does indeed have access to this information, and under local laws the company is perfectly within its rights, it is not that common for companies to proactively monitor it for compliance risks. In most companies, the potential backlash from accessing data and reviewing it is reason enough to not access it. When access is gained, it is usually done so as a reaction after an allegation of misconduct has been made – then, and only then, is the review of email and other documents actioned. As a result, most companies are not utilising email monitoring to its fullest extent.
In compliance, companies need to think proactively instead of reactively. Rather than fighting the effects of failed compliance, they must be proactive in avoiding the risks in the first place. One proactive method of avoiding risk is monitoring the most commonly used communication vehicle in business: email.
Monitoring email protects the employee and protects the company. When a company has an email-monitoring policy there is an agreement in place between it and the employee that permits the monitoring; everyone understands that it is taking place.
The monitoring process
Many IT departments already have email archiving in place. Archiving is an excellent tool for forensically investigating incidents post-event and can provide some so-called near-time scanning capabilities; however, the emails must always be first placed inside the archive itself, which takes time. In effect, email archiving is an IT solution for companies that want to stay in reactive mode. It is not designed to be a proactive monitoring tool for compliance; it is designed to look for something after it has happened, and is typically activated as a crisis becomes apparent.
Companies that don’t use any email archiving might instead scan emails on individual PCs as a form of monitoring. The problem here is that these solutions (classed generically as spyware) must be installed on every target PC throughout an organisation. They generally perform a variety of other functions, such as key logging, timekeeping and monitoring websites visited by the user. They are easy for users of moderate sophistication to detect, and the cost of the software across a large organisation is often prohibitive. In these situations, actions are monitored at the desktop level, where the monitoring could easily be reconfigured or turned off by the user.
Companies should activate server-level scanning of their essential emails for all senior staff and staff that the compliance team have earmarked as ‘high risk’. Scanning emails centrally prior to delivery or prior to receipt is the best way to protect the company and the employee.
Most companies have a central email server that can peek into email messages and enclosed documents and then flag them, forward them or block them entirely, based on what it finds. The primary features of interest here are data loss prevention (DLP) and transport rules.
DLP helps identify and monitor sensitive information, such as private identification numbers, credit card numbers, or standard forms used in an organisation. DLP policies can be set up to notify users that they are sending sensitive information and/or block the transmission of sensitive information. DLP should be viewed as a first step for organisational compliance, implementation of standards and immediate protection of sensitive information that may simply be inadvertent and non-malicious in nature.
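As an added illustration of the DLP behaviour described above (example code written for this page, not a product's DLP engine): a detector that finds candidate card numbers with a regular expression, keeps only those that pass the Luhn checksum so that order or reference numbers of similar shape are not flagged, masks them for the notification or reviewer log, and returns "notify" for a stray number or "block" for bulk disclosure. The thresholds, the sample message and the use of published card test numbers are all constructed.

```python
# DLP-style detector for payment card numbers in outbound text. Constructed example for this
# page, not a product's DLP engine; thresholds and the sample message are invented.
import re

# Candidate: 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if over 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of card length that also pass Luhn; look-alike reference numbers are dropped."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """What the sender's notification or the reviewer's log shows: last four digits only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def dlp_decision(text: str, notify_at: int = 1, block_at: int = 3) -> dict:
    """Notify the sender about a stray card number; block bulk disclosure outright."""
    cards = find_card_numbers(text)
    action = "block" if len(cards) >= block_at else "notify" if len(cards) >= notify_at else "allow"
    return {"action": action, "cards": [mask(c) for c in cards]}


# Constructed outbound message body: two published card test numbers plus a 16-digit
# order reference that has card shape but fails the checksum.
SAMPLE_BODY = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234567890123456 "
    "and the balance to 5500-0000-0000-0004. Thanks!"
)

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_BODY))
```

Running the script on the sample body yields a "notify" decision with two masked numbers; the order reference is silently ignored, which is exactly the false-positive class a bare digit pattern would otherwise raise with every shipment confirmation.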
Transport rules can be utilised to inspect messages for certain content and, if the content is found, take actions such as blocking or bouncing a message, holding it for review by a manager or an administrator, or delivering a copy to another recipient. Transport rules provide far more scope to inspect message attachments, email subjects, contents based upon keywords, and myriad other choices.
All companies should configure their email servers to manage transport rules and proactively look for compliance issues before they happen. The content searched for will depend on the company and the sorts of issues that they are dealing with. Some of the issues that might be relevant include:
- release of certain confidential information, patent information, intellectual property or other key trade secrets
- agreement to pay certain third parties or people associated with government officials
- any discussions with named competitors
- shipping information or customers or companies that are sanctioned
- pricing information being sent to a competitor
- financial information being released prior to authorisation.
Of course, setting up the transport rules will be specific to certain groups across the company and must not be ‘generalised’ across a large company. For example, it is more likely that procurement, finance and sales channels will have different opportunities to break certain rules. Those should be identified up front and certain transport rules established to target those specific risks.
Things to think about when introducing email monitoring
If you are going to use software for conducting monitoring, ensure that you do so at the server level, not the desktop level. It is best to use tools embedded in your email software to conduct the monitoring; that way, there is minimal chance of significant degradation in service due to the extra work being done by the software in monitoring the emails before they are sent out. Using live monitoring is far better than searching an archive, even if that archive is created immediately. With live monitoring you can stop a suspicious email before it is sent, which is far better than finding out about it afterwards.
In some situations there will be bandwidth issues because the server has to conduct scanning in addition to its normal tasks of sending emails, so you need to consider your server capacity and whether it will be sufficient.
Who will be reviewing the emails that are subject to red flags? You might need to have a dedicated person or engage a third party to conduct the initial review of the email for relevance and for any red flags. Reviewers will need 24/7 access to the material. Also think about the languages necessary in your review team. It is likely that many large companies will need to monitor emails of people located outside the United States whose primary language will not be English.
Remember that the review is being done in real time, so will need to be done quickly. The reviewers will need a simple mechanism to escalate ‘dirty’ emails and place clear emails back into the queue so that they can be sent as quickly as possible (within about an hour).
The search terms will depend on the risk areas that you have identified for the business. The main factor to keep in mind with the search terms is not to look for things that are obvious – words like ‘bribery’ and ‘corruption’ are unlikely to yield many valuable results. You will need the skills to think locally and use the language that might be used in a more colloquial fashion when people are genuinely trying to avoid being caught by such systems. However, at the same time, you need to get the message across. In some cultures, a bribe might have a special set of words (e.g. ‘tea money’ in India). You will need to give a great deal of thought and build monitoring search terms based on both local-language words (i.e. not English) and also the sort of words that would be used locally. You can also consider broader words like ‘make payment to my account’, ‘I prefer cash’, or other words that attempt to mask the real transaction. On other risk areas, for example competitive practices, it might be enough that one of your people is actually communicating with a named competitor. The search terms you use should remain confidential.
Using automated software to monitor emails can lead to a high rate of false positives and a lot of wild-goose chases. This in turn can dilute the trust you have placed in your monitoring system. Beating the false-positives problem is therefore key to not holding up the business. Because such systems often identify malicious behaviour based on previous customer experiences, better tuning of the software system is a useful first step in investigating the cause of the false positives. For example, tightening the rules can help to reduce the number of notifications, and adding context can help the system prioritise risks; the key to this is ensuring that business executives engage with your IT department. Finally, constantly monitoring your monitoring system to ensure it remains in good health can also help decrease the number of false positives generated.
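To make concrete how the group-specific transport rules described earlier and the search-term and false-positive advice in the last two paragraphs fit together, here is an added example written for this page rather than taken from any vendor's transport-rule engine. It inspects a message (subject, body and text attachments) on the server before delivery, applies only the rules scoped to the sender's risk group, matches search phrases as whole words rather than substrings, adds recipient context (a named competitor's domain, internal versus external mail) to cut false positives, and returns the most severe action any rule asks for: copy to a reviewer, hold, or block. The directory, group names, competitor domain, rules and sample messages are all constructed; `INTERNAL_DOMAIN`, `SENDER_GROUPS` and `RULES` stand in for what a real deployment would read from its directory and policy store.

```python
# Mail-flow rule check run on the server before delivery. Constructed example for this page,
# not a vendor's transport-rule engine: groups, rules, domains and messages are invented.
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import EmailMessage
from email.policy import default as default_policy
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.com"                         # constructed
COMPETITOR_DOMAINS = frozenset({"rival-corp.example"})  # constructed "named competitor"
SEVERITY = {"deliver": 0, "copy": 1, "hold": 2, "block": 3}
# Constructed directory: only earmarked senders are scanned; everyone else is delivered as-is.
SENDER_GROUPS = {"p.buyer@example.com": "procurement",
                 "f.clerk@example.com": "finance", "s.rep@example.com": "sales"}


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset                  # sender risk groups the rule is scoped to
    action: str                        # copy | hold | block
    terms: tuple = ()                  # phrases, matched whole-word, case-insensitive
    recipient_domains: frozenset = frozenset()  # fire only if a recipient is in one of these
    external_only: bool = False        # context: ignore mail that never leaves the company


# Constructed rule set, scoped per risk group as the article recommends.
RULES = (
    Rule("payment-to-intermediary", frozenset({"procurement", "finance"}), "hold",
         terms=("make payment to my account", "i prefer cash", "tea money")),
    Rule("competitor-contact", frozenset({"sales"}), "copy",
         recipient_domains=COMPETITOR_DOMAINS),
    Rule("pricing-to-competitor", frozenset({"sales"}), "block",
         terms=("price list", "discount schedule"), recipient_domains=COMPETITOR_DOMAINS),
    Rule("unreleased-financials", frozenset({"finance"}), "hold",
         terms=("quarterly results",), external_only=True),
)


def message_text(msg: EmailMessage) -> str:
    """Subject plus every text part, so text attachments are inspected too."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def recipient_domains(msg: EmailMessage) -> set:
    values = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return {a.rsplit("@", 1)[1].lower() for _, a in getaddresses(values) if "@" in a}


def term_hits(text: str, terms) -> list:
    """Whole-phrase matches only, so a 'cash' term does not fire on 'cashier'."""
    return [t for t in terms
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text, re.IGNORECASE)]


def evaluate(raw: str) -> dict:
    """Most severe action any in-scope rule asks for, with the evidence behind it."""
    msg = message_from_string(raw, policy=default_policy)
    group = SENDER_GROUPS.get(parseaddr(str(msg.get("From", "")))[1].lower())
    if group is None:
        return {"action": "deliver", "matched": []}
    text, domains = message_text(msg), recipient_domains(msg)
    external = any(d != INTERNAL_DOMAIN for d in domains)
    matched = []
    for rule in RULES:
        if group not in rule.groups or (rule.external_only and not external):
            continue
        hits = term_hits(text, rule.terms)
        dom = sorted(domains & rule.recipient_domains)
        if (rule.terms and not hits) or (rule.recipient_domains and not dom):
            continue
        matched.append((rule.name, rule.action, hits + dom))
    action = max((m[1] for m in matched), key=SEVERITY.get, default="deliver")
    return {"action": action, "matched": matched}


def build(sender, to, subject, body, attachment=None) -> str:
    """Constructed sample messages in the wire form the server would see."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment, subtype="plain", filename="attachment.txt")
    return msg.as_string()


SAMPLES = {
    "procurement_hint": build("p.buyer@example.com", "agent@broker.example", "Permit",
                              "The agent says the permit needs some tea money before Friday."),
    "pricing_leak": build("s.rep@example.com", "old.friend@rival-corp.example", "As discussed",
                          "Attached, keep it between us.", "Q3 price list: widget 4.20, gadget 9.99"),
    "internal_results": build("f.clerk@example.com", "cfo@example.com", "Draft",
                              "Draft quarterly results attached for sign-off."),
    "external_results": build("f.clerk@example.com", "reporter@news.example", "Draft",
                              "Draft quarterly results attached, embargoed."),
    "unmonitored": build("intern@example.com", "x@rival-corp.example", "Hi", "Any tea money left?"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

Two design points are worth noting. The sender lookup comes first, so a message from anyone outside the earmarked group is never scanned at all, which keeps both the load and the Big Brother perception small. And the "internal-only" context on the financials rule means the same phrase is delivered unremarked between the finance clerk and the CFO but held when it is addressed outside the company; that single piece of context removes a whole class of the false positives the paragraph above warns about.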
The risk areas will very much depend on your company. Having a risk roundtable with key stakeholders in the company to think about the risk areas and how to set search terms is advisable. For some companies, the focus will be on anti-competitive conduct (i.e. price fixing); in others it might be counterfeit products, export controls, the release of trade secrets or simply corrupt practices. It will depend on your company, and potentially the country you are in. The risk areas should also remain confidential.
The existence of email monitoring must not be kept a secret. It must be identified in company policies and employees reminded of it from time to time. There should be no surprise to any employee that monitoring is turned on across the company and that all emails will be subject to review and action. A splash screen on the email login is an example of how that reminder system can be turned on.
Despite the fact there is a policy and an agreement by each employee (i.e. informed consent), there is also a legal question in some countries about whether monitoring is permitted or to what extent it is allowed. Always check that it can legally be conducted locally and whether it needs some union or workgroup approval.
Every large company should monitor employee emails. Best practice is for the monitoring to take place in a live environment and be proactive (i.e. not in a reactive archive setting). The process of setting up the rules is both a technical one (identifying the software that you use and the functions in the software to turn on such monitoring) and a compliance one. This means that you have to think about what the rules are, and which rules can be activated for which people. The focus should be to monitor a small amount of highly-relevant search terms across a small and highly-relevant group.
Employees must be informed and educated about the email-monitoring process. If you are open about it and they know that it is protecting them as much as it is protecting the company, they are less likely to associate email monitoring with Big Brother. To put the process in perspective for employees, you might choose to contrast your company’s email-monitoring process against when governments review emails remotely, secretively and without acknowledgment.
If you want to implement a proactive email monitoring system, remember these four basic points:
- Software – the software you choose should monitor in real time (not be an archive solution)
- People – limit the people being monitored based on their roles and risks
- Terms – your search terms should be highly relevant and focused to the group concerned
- Follow up – after an email is flagged it must be cleared quickly and acted upon effectively by the right people; emails cannot go into a ‘black hole’.