In response to the Sony hack, in which not only valuable intellectual property such as movies was stolen, but also (previously) confidential emails, a number of experts have recommended increasing the use of email retention policies. The reasoning goes something like this:
- Email is confidential
- People put things in corporate email that they do not want seen outside the company
- Companies get hacked
- Therefore, we should limit the damage by forcibly deleting all emails older than some time period, say, 30 days
The Wall Street Journal also had an article discussing the debate about email retention policies.
The heart of the argument for email retention policies is that the negative expectation of a breach (damage from exposed emails multiplied by the probability of being hacked) is greater than the positive expectation of retention (the value of having the emails).
So should you have these email retention policies to mitigate breach damage?
The argument is flawed for one very simple reason: no one will abide by it.
Sure, companies will impose policies. Some will not only require users to delete their emails, but will actually forcibly delete them from servers. But many more will be unable to, for two reasons:
- Compliance: many industries have a regulatory requirement to retain all communications for many years: health-care and financial are the most prominent, but there are many others. Add in any company that is involved in any legal action, and the list becomes quite long.
- Value: No matter how much information security consultants may declaim that deletion is the best policy, the individuals in the companies are the ones who decide the value of the information stored in the emails. If they don’t want their emails deleted, it is because they see value… and they are the ones who determine that value.
The latter is a key point. Many information security experts and consultants forget that the purpose of the business is not to be secure; it is to do business! Yes, businesses want to be secure, but a perfectly secure business that earns no revenue is not secure; it is bankrupt. Personally, I know of only one or two first-class information security consultants who “get it”.
Even in those companies whose security departments are powerful enough to enforce these rules, employees will find ways to retain the information they need, at higher cost to the company: copying emails to local disk or shares; carving out exceptions by department; maintaining separate email systems; using alternate channels such as chat and Salesforce that fall outside the 30-day retention policy; and so on.
The crux, then, is to accept that people will retain information, in email or another format, whether you want them to or not. Companies need data protection policies that work within the reality of the business.
So what should you do if you are worried about emails leaking? Two possibilities include:
- Encrypt your email data “at rest”, to reduce the damage when emails are stolen from servers.
- Use end-to-end email encryption, to reduce the damage from any stolen emails, even those intercepted in transit.
But the most important policy you can have for protection is not implemented by any fancy technology, such as firewalls, intrusion detection systems, or email encryption. These are, in the end, just tools in the hands of people.
If you don’t want to be embarrassed by leaked emails… don’t put embarrassing information in email in the first place.
Of course, you cannot mandate that policy, nor can you enforce it with the latest technology. If you truly want to avoid embarrassing leaks, follow a simple three-step plan:
- Hire responsible adults. If someone seems like they could be immature and irresponsible in email, they probably will be. Every single employee, no matter their role, is an ambassador of your firm. Be sure to hire only people whom you would be proud to appoint as an ambassador.
- Act as a personal example. Never putting inappropriate information in email (or any other written or even spoken channel), combined with zero tolerance for others doing so, will set a clear culture of responsible behaviour.
- Hire great security people. When your people see that you invest in security, they will understand the level of importance you attach to the issue. Conversely, if you do not invest, your staff will quickly understand how important it really is, no matter what you say to them.
- You are only as good as the people you hire.
- Your people, no matter how good, will follow the examples you set in your own leadership, hiring and investment.
- Your policy, even with the best of people, will be ignored or bypassed if it goes against human nature or their ability to get the job done.
Now, how exposed are you? Ask us.