To snoop or not to snoop: that is the question:
Whether 'tis nobler in your job to suffer
The slings and arrows of outrageous oversight
Or to take arms as noted by your union,
And by opposing end them?
(Apologies to W. Shakespeare, Esq.)
A Sophos poll of more than 1,000 computer users at small- to
medium-sized businesses (SMBs) has revealed that over 50 percent
of employees felt that their employers should take preventative
action to help ensure that spam containing violent, pornographic
and other offensive content does not find its way to their inboxes.
Furthermore, only 13 percent of people thought that this should not
be the employer's responsibility.
These results, whilst hardly surprising, come at a time when
unions and privacy advocates in Australia are calling for clearer
and more restrictive guidelines concerning email surveillance by
employers.
"Employers are on the horns of a dilemma here," said Paul
Ducklin, Sophos's Head of Technology, Asia Pacific. "There is a
certain moral repugnance in the idea of employers reading all their
employees' email, even in those legal jurisdictions which offer no
expectation of privacy when employees use company equipment to
communicate. But there is a certain social irresponsibility in the
idea of employers not filtering their employees' mail to prevent
the flow of spam, phishing and viruses in and out of the
company."
As Ducklin explains, effective corporate anti-virus and
anti-spam filtration requires that all email - inwards, outwards
and internal - be examined in considerable detail, though by a
computer rather than a human. This includes character-by-character,
word-by-word and attachment-by-attachment analysis, and results in
an often very detailed characterisation of each email's
content.
Most unwanted email can be identified automatically in this way,
but suspicious emails (such as those containing unknown programs or
documents, which can carry viruses, backdoors and keyloggers) may
be quarantined for later review. Often this review is done by a
human - typically an IT staffer with the technical know-how to
assess the safety or suitability of the quarantined item.
Ducklin offers some suggestions for "responsible surveillance"
so that employers can balance privacy and security to help ensure
an email environment which is neither dangerous nor repressive:
- Make sure that employees are aware of what filtering you are
doing and what benefits this has for each individual. For example,
by blocking viruses and Trojans, you reduce the risk of damage to
business operations and of the loss of confidential data.
- Make sure that you manage your employees' expectations of the
filtering you are doing. No computerised filtration process can
achieve perfect results (Alan Turing proved this back in the
1930s). For example, by filtering spam, offensive email such as
pornography and hate mail will be drastically reduced, but you
cannot guarantee to eliminate it.
- Make sure that your company has a code of conduct for IT staff
who will administer the email filtering computers. Administrators
of these computers will typically have access to logs and
quarantined emails, which they must treat with the respect they
deserve.
- Consider using a quarantine system which allows employees to
review their own messages. For example, Sophos PureMessage includes a feature to send
users a regular summary of messages intercepted on their behalf.
They can then choose whether to release them automatically or to
request further analysis. Emails not requested are automatically
removed from the system after a short time.
- Take the advice of Bill Cheswick and Steve Bellovin,
long-standing internet security experts and authors of "Firewalls
and Internet Security": when implementing computer security
measures, always try to adhere to moral standards higher than those
strictly required by law.
Sophos has free guidelines for the effective management of
viruses and spam in corporate email:
Sophos's email filtering solutions, PureMessage and MailMonitor,
are available for free evaluation.