As chief security officer at Textron Inc. in Providence, R.I., Greg Avesian deals with the dangers of e-mail every day. He can talk about the filters he uses to weed out spam and the software that he deploys at various levels to guard against viruses. But Avesian says the biggest part of his work involves educating employees rather than building technological defenses. "My challenge is 70% non-technical," he says. "It's getting individuals to change their behavior and making sure they're aware of their role in protecting the company. Once you have made them aware of the risks, then [let them know] 'Here's what you can do to help us safeguard our company assets.'"
As e-mail-related problems mount, companies are realizing that employee awareness is one of the key lines of defense. Education may not sound as sexy as firewalls, but if employees don't understand which practices can lead to problems and the limits the company places on e-mail use, then a company is vulnerable. A survey earlier this year of more than 1,100 U.S. employers by the American Management Association, Clearswift and the ePolicy Institute showed that while 75% of U.S. companies have written policies about e-mail, just 48% of companies educate their employees about those policies.
Online security training
Since joining Textron last year, Avesian has rolled out two initiatives to educate employees. One is a security awareness site on the company's intranet, available to all 25,000 employees, that contains a guide to creating a strong password and other security information. He also launched a security awareness-training module that's part of Textron's online compliance resource center. The module "takes one hour of their time and highlights certain things that every employee who is using the computer should be aware of," Avesian says.
Educating employees about the risks posed by e-mail is "something you have to constantly stay on top of," says M. Richard Diaz, CIO and vice president at Burlington Resources Inc., an oil and gas company in Houston, Texas. "You're never done with that. People forget; you get new employees."
Diaz says Burlington's IT group has gone to all the company's sites and employee meetings to talk about security. The IT group also tries to remind Burlington employees that information they send in e-mails is not confidential, he says. "If they need to exchange confidential information outside the company, then we need to do something special to make sure it's encrypted. We don't routinely encrypt our e-mail, but we can."
Aaron Latto, e-commerce underwriting director at the St. Paul Companies, says written policies about e-mail are one of the first things that insurers look for when they're evaluating a company's cyberrisks. He cites employees' lack of awareness about those policies as one of the biggest shortcomings he sees among most companies.
What should company policies cover? Latto lists acceptable uses of e-mail, retention and deletion of e-mails, using strong passwords and changing them periodically, and securing employee workstations. It's also important that companies "require employees to review and accept the policy and create documentation on their review and acceptance," he says. There's no single policy that is suitable for all companies, though, he says. Policies will vary depending on the company's size, its sophistication and the role that e-mail plays in its business.
Textron's e-mail policy makes it clear that Textron's computer hardware and software should be used for business purposes only, Avesian says. But the policy doesn't list a lot of specific dos and don'ts because it's designed to give some flexibility to Textron's business units. "There may be some things that they need to do at Bell Helicopter that people at our E-Z-GO golf [cart] unit don't need to do," he says.
Burlington blocks employees' use of outside e-mail accounts because when they use those accounts, the only protection they have against viruses is at the PC level. "It's just a much higher level of risk," Diaz says, adding that while the PC protection may be able to fend off a problem, "it's not going to be as robust as the server or the firewall protection." He says Burlington is also trying to keep employees from using instant messaging unless they have a business need to do so because "it really circumvents a lot of the [protective] systems that we have."
Some technology safeguards are almost universal at this point. The Computer Security Institute's latest survey on computer crime and security, released in June, showed that 99% of companies use anti-virus software and 98% had firewalls. But companies are just beginning to address other areas of risk, like that of retention. "It's almost standard practice now that in doing discovery in the litigation process, people will seek to discover a company's e-mails," Latto says. "Messages that were it not for the litigation would have been harmless can really come back to haunt a company down the road."
Retention issue 'cuts both ways'
The American Management Association survey showed that 14% of companies had been ordered to produce employee e-mail by a court or regulator and 5% had been involved in a lawsuit caused by employee e-mail. Only 34% of companies have policies about retaining and deleting e-mail.
Robert Richardson, editorial director of the Computer Security Institute, an organization of IT security professionals, says that the issue of retention "cuts both ways." Hanging onto e-mails too long can expose companies to litigation risk, but it can also be a problem if e-mails containing critical business information are deleted, he says. But the current state of technology makes it hard because there aren't effective ways to tag which e-mails need to be saved and for how long, and which should be deleted.
More generally, Richardson says, people don't seem to be as cautious about what they say in e-mails. "I think people are more careful with written documents and what they say and what the potential liability of what they say is, than they are with electronic stuff, which they incorrectly perceive as fleeting."