The 2006 study drew from surveys of several hundred “decision makers” from different companies, almost 40 percent of which were in technical, professional, financial, or government fields, who answered questions about their companies’ outgoing email policies. It turns out that many companies actually hire employees to read or check outgoing email to see that it fits standard email protocol. In fact, in the U.S., 38 percent of companies have employees to do this job, and 46.9 percent perform regular audits on employee email content. Through these actions, they have estimated that over 20 percent of outgoing workplace emails contain confidential or other internal business information. Disturbingly, almost 35 percent of those surveyed claim their company was negatively affected by the wrong information leaving via employee email in the past year. Some companies have even had non-public financial information posted online by employees.

However, the companies are not the only ones that suffer from these breaches. The study shows that in the past year, over 50 percent of the employers surveyed disciplined employees for violating email policies. Additionally, 17.3 percent took corrective action over employee violation of blog or message board policy, and more than 7 percent actually fired an employee for their outbound messaging actions.

With more than half of the company representatives voicing concern over the reduction of security risks associated with lax outgoing email practices, Proofpoint suggests that companies create and implement policies dealing with the following issues:

1. An acceptable use policy for email, defining appropriate uses for company email systems
2. An acceptable use policy for blog and/or message board postings
3. An audit vulnerability scanning policy, which gives the company’s information security team the authority to conduct audits and risk assessments, investigate incidents, enforce security policies, and monitor activity
4. An acceptable encryption policy that defines types of encryption used within the organization
5. An automatically forwarded email policy that governs the automatic forwarding of email
6. An ethics policy, defining ethical and unethical business practices, including disclosure rules, conflict of interest rules, and communication guidelines
7. An information sensitivity policy or content classification policy, which reduces the risk of confidential information being leaked to outside parties
8. A risk assessment policy that defines requirements and provides authority for the information security team to identify, assess and take action on possibly risky information
9. An email retention policy that defines guidelines for retaining information in an email