As chief security officer at Textron Inc. in Providence, R.I., Greg Avesian deals with the dangers of e-mail every day. He can talk about the filters he uses to weed out spam and the software that he deploys at various levels to guard against viruses. But Avesian says the biggest part of his work involves educating employees rather than building technological defenses. “My challenge is 70% non-technical,” he says. “It’s getting individuals to change their behavior and making sure they’re aware of their role in protecting the company. Once you have made them aware of the risks, then [let them know] ‘Here’s what you can do to help us safeguard our company assets.’”
As e-mail-related problems mount, companies are realizing that employee awareness is one of the key lines of defense. Education may not sound as sexy as firewalls, but if employees don’t understand which practices can lead to problems and the limits the company places on e-mail use, then a company is vulnerable. A survey earlier this year of more than 1,100 U.S. employers by the American Management Association, Clearswift and the ePolicy Institute showed that while 75% of U.S. companies have written policies about e-mail, just 48% of companies educate their employees about those policies.