March 08, 2006
Hope is Not Enough When It Comes To Compliance
By Anne Bonaparte
There is no "how-to" book that tells businesses exactly what they have to do to achieve compliant status, whether we’re talking about Sarbanes-Oxley, HIPAA, GLBA, or any of a myriad of other regulations.
Regulatory language is largely ambiguous, using terminology such as "reasonable assurance" to define steps for compliance, leaving businesses somewhat confused regarding what is expected of them. As the CEO of a leading e-mail security company, I’ve had the opportunity to talk with hundreds of businesses about compliance measures they have put in place or plan to implement, and I continue to be shocked by what I hear. "Hope" seems to be the operative word these days when it comes to the current state of meeting regulatory compliance – everyone is hoping it’s the other guy that gets nailed first.
E-mail Must Be Considered In Risk Assessment
The lack of clarity regarding what constitutes official compliant status is clearly driving some of the "hope" attitude, since most seem to think they are compliant according to the vague guidance of the law. After all, businesses are tasking IT staff with ensuring compliance and beginning to devote IT security budgets toward enforcing compliance measures – both regulatory and corporate policy measures.
At the same time, the general consensus of industry experts is that businesses must establish reasonable steps to illustrate that they are compliant. However, as is often the case, "reasonable" steps unfortunately do not always include e-mail monitoring, which can have a devastating effect on a business if e-mail is not included as part of a compliance strategy.
The current regulatory environment mandates improved protection of corporate data and provides a solid foundation for the management of sensitive data, including e-mail. Businesses must choose a platform that provides them the flexibility needed to comply with the rules and regulations relevant to their company, as well as to enforce internal corporate governance. It is imperative that companies immediately take action, using a pragmatic approach to compliance. E-mail monitoring and remediation must be included in any risk assessment.
According to the Enterprise Strategy Group, more than 70 percent of a company's critical information can be found in its messaging system. Considering that e-mail is the number one vehicle for business communication and the exchange of information, businesses must employ outbound e-mail security solutions to monitor and enforce their corporate governance processes.
According to the 2005 annual CSI/FBI Computer Crime and Security Survey, 80 percent of respondents reported security incidents involving insider abuse in 2004. The exposure of sensitive corporate data can cripple a company financially and competitively. Companies that ignore e-mail face a huge risk, not only of failing to comply with regulations, but also of leaking sensitive information outside the organization that could be used with ill intent.
Unfortunately, less than 15 percent of corporations have deployed an automated solution to enforce messaging policies, according to Osterman Research.
Because the risks associated with outbound e-mail may pose a greater threat to a company's long-term growth, businesses cannot afford to overlook outbound e-mail monitoring and enforcement in their quest to reach compliant status. IDC forecasts worldwide revenue for the outbound content compliance market to grow from $254 million in 2004 to $1.9 billion in 2009, representing a 49 percent annual growth rate. While businesses are planning significant investment here in the next several years, today is the time for immediate action.