Why Business and Personal Email Are Not the Same
We all carry certain expectations about email from our private lives into a corporate setting. Some of those expectations are met, but in other ways business email is very different from consumer email. These differences can be confusing at best and, at worst, lead to major problems for organizations.
The Inside and the Outside
To begin with, business email is nearly always operated by or for the business, as a dedicated domain with a clearly defined “inside” and “outside,” bounded by a gateway. Inside the boundary, the business has rights and expectations of control over the information, while anything can happen outside. Consumer email may be viewed as “always outside” in this formulation. Business email that traverses the gateway, in either direction, may be subject to a variety of checks, restrictions, and other processing.
Conceptually at least, a business has complete control over any information that traverses the gateway. In practice, however, such control is often incomplete, ineffective, or absent, usually due to a lack of resources devoted to administering the gateway. Among the likely jobs of a gateway are:
• Spam filtering. This is typically done in both directions—to prevent outside spam from getting in and to prevent internal machines (perhaps hijacked by a virus) from sending out spam and sullying the business’ reputation.
• Data Loss Prevention (DLP). Whether accidental or intentional, it is not uncommon for employees to send sensitive information outside the company. If a company can define the characteristics of sensitive information—which could be as simple as the words “Do Not Redistribute”—then the gateway can enforce restrictions against sending such information outside the company.
• Large file modification. Internet email has length limitations that seem small by today’s standards and, worse, vary from site to site. Email messages that total more than ten megabytes are highly likely to fail without being delivered. As an alternative, gateways can replace large file attachments with simple links and make the files available from a web server, with or without some kind of user authentication requirement.
But while the gateways are complicated, there are even more complexities of business email that exist completely inside the gateway, none of which are issues for consumer email.
• Security. Most computer security failures come from within the organization, most often because an employee has unwittingly allowed malware to infect their machine. This can happen even with the most secure gateway in the world, as users can be tricked into downloading the malware, most often via the web or a USB storage device. Once a machine is compromised, it can easily be used to subvert all communication-related security. While consumer email can also be compromised, the consumer depends on a service provider to deal with the problem, while a business needs to worry about it for its internal network.
• Privacy. Even though all corporate email typically belongs to the corporation, it is generally considered important to segregate the mail for each user, so that they can’t all read email to Human Resources or the CEO. This requires a certain amount of effort for account maintenance and administration.
Subtleties of Privacy
Compared to individuals, business email users have — or should have — a much more complex set of expectations regarding privacy. To begin with, the business typically owns the employees’ mail, and warns the employees that their email might be read under certain circumstances. In addition, the degree of privacy is liable to vary with regard to internal and external users, and internally by role and organizational level.
Legal and Regulatory Issues
Finally, most businesses operate under legal and regulatory constraints that are simply not relevant to consumers.
• Archiving. There is often a strong and highly specific business need for archiving. Some businesses want to keep all their information forever, while others want guarantees that it is completely purged after a certain amount of time. Both of these are tricky to do right; keeping information forever requires disaster-proof practices, while complete purging has to account for such pitfalls as backup tapes.
• Compliance. In many industries, legal or regulatory requirements place substantial burdens on corporate communication. Beyond archiving, which is often mandated, there are usually regulations regarding the handling of sensitive information, such as HIPAA in the United States. For an organization that is not in the communication or compliance business, it can be hard to know what regulations apply, let alone to comply with them all.
In short, business communication is vastly more complex than personal communication. Accordingly, while most individuals have long since outsourced their email to a large provider on the web, most businesses have kept it in house, because those providers simply don’t do everything that is necessary for business. That, however, is changing with the maturation of cloud computing.