Managers are jeopardising the security of company information by sending and exchanging unsecured confidential information in email sent to shared inboxes. According to a survey released today, this results in 82% of personal assistants (PAs) reading confidential information in error.
These startling findings come from new research examining email behaviour among 300 senior PAs of 250 companies. The survey underlines that there is now no such thing as a confidential email and that bosses are putting their PAs at risk by exposing them to sensitive data.
Conducted during 2006 by Mesmo, a European consultancy in email management and etiquette, the research examines who controls the email inbox in the PA/manager relationship and how managers behave as email users.
The results highlight that although many executives manage their own email (often by remote devices such as a BlackBerry), most hand over their inboxes to their PA when they are out of the office or in meetings. Half (50%) of very IT-savvy (Gold) managers leave the inbox entirely in the control of their PA, closely followed by 40% of IT-confident (Silver) users and a massive 75% of basic IT users (Bronze).
Managing Partner and founder of Mesmo, Monica Seeley, commenting on the survey at a recent email best practice workshop for FTSE PAs, said: "With proper guidelines and training, shared inboxes need not be a problem. But human error is creating real security breaches."
She explains that although these PAs have been given permission to manage their bosses' inboxes, they are receiving confidential material as open documents rather than password-protected attachments. Indeed, only 15% of companies have a policy regarding confidentiality. Too many companies think that putting a confidentiality notice at the foot of an email protects them - by the time most people see the notice, the email has already been read. Similarly, putting "confidential" in the subject line will not keep the contents secure if the recipient has their reading preview pane open.
The survey shows that almost all senior executives jeopardise email security from time to time, but it is the Silver users who are the worst offenders. These are confident IT users who share their inbox with their PA. They send or exchange confidential materials in emails without password-protecting or encrypting them.
These Silver-level executives also download company material, often highly confidential and commercially sensitive information, onto memory sticks or iPods, which are all too easily lost or copied. The results identified that even in companies with a policy, 9% of managers are still downloading material, and 13% of PAs admitted to downloading onto memory sticks to give confidential materials to their bosses or for them to work from home.
Although the survey showed that the majority of companies have Acceptable User (AU) Policies for the Internet, only a third provide proper email guidance. Even fewer keep them up to date or actively enforce them. Similarly, although 51% of companies have a formal procedure in place regarding shared inboxes, 82% of assistants admit to reading confidential information in error.
Mesmo is calling for companies to develop a new procedure for managing joint inboxes safely, for the protection of the PA and the manager and for the security of the company. Monica recommends that an email charter on confidentiality is not only agreed and communicated to all staff but that measures are taken to ensure that all staff comply with the charter.
Underlining the need for this approach, Mesmo's Monica Seeley said that a smaller piece of research she had just completed showed that over a quarter (28%) of the companies surveyed have had to defend themselves from litigation as a result of careless email. In the same sample, 29% of companies admit to having email policies of some sort, but none of them had undertaken any national education or training of their workforce.
Confidential information sent in emails is now commonplace. Most organisations have policies to prevent general breaches of confidentiality, but not enough is being done at the personal level. While PAs may be guilty of reading confidential material, it is their managers and senior bosses who are the weakest link because they disseminate confidential material without adequate security protection.