It was revealed that the Health and Human Services Secretary Kathleen Sebelius has several e-mail addresses besides her official one, at least one of which has been characterized as “secret.”  There are at present several other political appointees using secret e-mail accounts in their conduct of official business.  This is a practice that complicates any agency’s responsibilities and fulfillment of legal obligations upon public records requests and congressional inquiries.

I don’t know if Ms. Sebelius has a nefarious reason for multiple accounts, outside of her official government one, but I do harbor some sympathy:  she said she receives 27-28,000 e-mails to a public account, and 400 to the private account.  It seems reasonable to have a discretionary address for Government business and another for Public communication.

However, in another case, the EPA Administrator, Lisa Jackson, had an undisclosed account for official communications with an alias – “Richard Windsor” – thus discretionizing that account from Freedom of Information (FOI) survey.  That’s a problem.

It also begs the question for organizations:  What are your employees potentially doing outside the official sanction and channel of your organization’s e-mail system (with org data and org-specific communications)?

When speaking about a weave of business and technology, the weave doesn’t get much tighter than the conduct of daily business communications and e-mail.  There are other things that are just as tight, and even more timely (Tweets, chat windows, etc.), but e-mail’s capacity for both communication and transfer of large attachments (whether docs, presentations, videos, etc.), e-mail and business conduct go hand-in-hand.

Large enterprises are wise in having very lucid policies concerning use of e-mail.  First and foremost (if you have a fairly conventional and comprehensive policy) is the understanding that anything created, residing, and transported into and by your e-mail system is owned by the organization.  Thus, policy is that the organization can look at anything within the system at any time.  Human Resources can utilize, and disciplinary activity can be based upon, e-mails in the disposition of cases involving inappropriate behavior and communications, for example.

It is very important to make this part of your e-mail policy (which is part of your overall content and acceptable use policies), known to the organization:  New hires should be apprised during New Employee Orientation, and regular staff get reminded/updated during periodic refreshers, which can be annual, semi-annual, ad hoc, or any schedule the organization deems necessary.  A very important feature of comprehensive Content Management/Acceptable Use policies is that the organization’s information, data, business intelligence, is truly contained by the organization (hence “content”).  Now, this doesn’t mean it has to reside inside the four walls of a building, or various collateral buildings at whatever locations the organization inhabits; rather, this means the organization has some kind of system of management and reporting for electronic data, wherever it resides (same for hardcopy).

Increasingly, however, employees are creating gmail, Facebook, and other accounts at work, on work time, and with work resources (devices, systems, bandwidth, time).  These accounts are not only being used for personal “business,” there are cases where work-related correspondence and content is being shared through, and residing on, these personal means.

I’m aware of a very large, sophisticated, organization that discovered a romantic relationship between one of their employees, and an employee at a client.  The relationship blended romance, official company-client communications, share of content, and quite a bit of inappropriate gossip about colleagues.  This org is now conducting meetings and surveys to discover just how widespread a problem it may be, and is re-working all of their HR, business, and IT policies.

Beyond specific “secret” accounts for conducting business communications, there is of course the inappropriate exposure of all kinds of things to inappropriate forums, such as disclosure of corporate secrets to Facebook accounts and audiences, for example.  Once anything is put in any forum, it is harbored and dispersed as content – and is outside the control of the organization for dissemination, disposition and destruction.

Be absolutely certain you prohibit the concept of secret e-mail addresses, or if you prefer, “outside” or “alternate” e-mail addresses and the loosening of content to various forums – unless your organization sanctions it for some reason.  I can think of orgs that may want various personnel to have addresses that are specific to various outside domains for marketing purposes – but tightly control that, and document that use in policies.

But put everything into policy.

   What of that earliest electronic potential of a timewaster?  E-mail.

A recent study and news release by the University of California, Irvine, has provided some interesting info.  Employees who took a break from e-mail found that after 5 days, their stress went down, their productivity went up, and they had increased focus. 

The study also found that in an environment lacking e-mail, workers switched windows less frequently – 18 times per hour, vs. 37 when e-mail was present.

The study made no mention if other “temptations” remained in the environment, such as those things mentioned in the first paragraph.  (For those, you can consider limiting social networking, etc. to breaks and lunch, for example – unless those types of accounts are indigenous to your marketing efforts, and so forth.  But get a handle on personal use of these things).

No matter how distracting e-mail might be, it ain’t goin’ nowhere.  There are a few helpful suggestions, though.  Productivity experts recommend against checking e-mail first thing in the morning.  Rather, concentrate on priorities as listed in a To Do list.  Some organizations are also having “e-mail vacations” – some specified time and measure during the day where workers are directed to stay out of e-mail, and to focus on work.

Of course, not everyone has the luxury of ignoring e-mail first think in their morning, nor can they do it during the day, either.  Co-workers, clients, customers, etc., expect timely responses to e-mails.  “We were having a vacation” isn’t going to sound too professional during the workday, now is it?

Organizations need to spell out guidance and expectations in strong Acceptable Use, Security, and Business Practices policies.  For e-mail, just determine the general requirement for responses – if something isn’t marked “Urgent” or “High Importance,” then perhaps you can open it later – a quick perusal of Senders and Subjects in the morning will let you know if you can delay e-mail administration ‘till 10 or 11 a.m., and you can settle in with a cup of something, and tackle those reports, or even visit with someone in person to settle some nagging project questions.  Get up and stretch those legs – a little physical relief goes a long way to reducing stress, and a simple walk across the office, or to another floor, can be refreshing.

Try to create a little balance, in other words.  Remember that checking any account too frequently rather defeats the purpose of these enabling sorts of things – instead of being efficient, you’re wasting time and achieving a diminishing return.  Check perhaps once an hour, instead of the constant “flip” to e-mail, social networking, discussion groups, etc.  It’s tempting (I know), but not really necessary, unless you’re awaiting something urgent.

What are your thoughts?

Today, employee error and otherwise casual approaches to security is causing serious harm to a great many organizations – and to employees themselves.

Bad outcomes from abuse of systems and content abound.  Employees have been busted for surfing porn, for e-mailing clients with unflattering characterizations of inside-business, for divulging sensitive business secrets and details, for defaming co-workers, for wasting business time with all manner of personal business – the list goes on…

Recognize that whatever you do is basically captured for review by appropriate organizational authorities.  Further, the discipline of eDiscovery now mines data and coughs it up, splaying it for the world to see.  Deleting content is of little use:  Data is merely flagged as overwritable –disc space is marked as being open when needed for new content; but until it is overwritten, that data is retrievable with tools.

Further, even when data is eventually overwritten in this regard, it’s likely still available on backup media, yet gathered there before it was overwritten in the active environment, and now harbored for virtually an infinite review.

Browser histories are also available this way.  Don’t count on their deletion as being any kind of protection.  In the realm of data, and to be safe, assume everything is permanently available for review and use.

At many orgs, there’s no lack of training – and there’s no lack of associated policies:  Acceptable Use, Content Management, a general Security policy; all regarding protection of systems, data, e-mail guidance, internet access and allowable use, etc. 

There are warnings about use of systems for personal use, with thresholds of defined abuse.  In other words, and in an obvious example, no one begrudges someone receiving a modest amount of personal e-mail through the “work system,” with the occasioned print of something or other.  But too much use of work resources for the conduct of personal affairs is not at all prudent.

But whether quarterly, semi-annually, or annually, various training is often treated as an inconvenient interruption to business.  Many employees regard it as either a nuisance, or a goof-off day.

But the real objective as concerns security is not training in and of itself – nor any particular measure, or test, of employee adherence to goals and values at some pinpoint moment in time.  Rather, the objective is an ongoing, seamless, and active security awareness on the part of employees (as supported by regularized training and updates – nothing remains the same).  Awareness of what not to do, and what to do.

The only real way to maintain awareness and protection is to instill a valid eCulture at your place of business.  eCulture comprises many things, and we’ll examine more in coming posts, but a couple warnings and tenets apply:

-          In the realm of risk, unmanaged possibilities become probabilities

-          All activity in the truly modern organization is viewed through security’s prism

In fact, a useful way of embedding a modern security awareness, in support of eCulture principles, is to tell employees they must wear “security glasses” – these “glasses” force the preeminent consideration – security – for every action and activity undertaken by individual and organization alike. 

All sorts of useful examples and analogies can be created, but what’s worked for me, quite well, is to counsel organizations to put on their security glasses, with lens of security prisms. 

Employees quickly learn to view everything through that security prism:  Exercising safe and best practices. 

The “glasses” (with signage, reminders, etc.) force awareness.  It is simple…  and powerful.

On this day:  In 1893, the first Ferris wheel premiered at the Chicago Columbian Exposition

Many people get distracted at work.  No, seriously, they really do.  It was hard for me to believe at first, too.  Once I “get to it,” I’m hard at it, focused, and efficient.  Further, it’s hard for me to stop working…  I know you’re the same way.

But it seems that for many others, distractions are a recurring nuisance, and these folks are susceptible to them.  Huh.

According to software company harmon.ie (formerly Mainsoft) and uSamp (a polling company), a 1000 member firm wastes $10 million per year due to the distractions of social media, e-mail, and badly designed software applications.

This blinding news comes from a survey of 515 white collar workers.  It seems that more than half of them waste at least an hour a day:  60% of this waste is due to interruptions from electronic devices and e-mails (if these are work related, are they really “interruptions”?), and the remaining 40% is phone calls and talking to colleagues.  I dunno – I had an office back in my pre-consulting days – simply closed my door.  I dimly remember working in a cube or two way back when.  I also remember saying, “Sorry Fred, I’m really crunching on something just now.  Can we cycle past the front desk to see what Linda is wearing a little later?” 

As to these interruptions:  Phone etiquette demanded the answer of calls.  E-mails were routine too.

Apparently, according to the study, two-thirds of people space out at meetings, reading voicemail and checking devices.  Here’s a simple solution:  Unless expecting something critical, instruct folks in the meeting to leave devices in their holsters.  (I don’t recommend turning them off, due to possible emergency notifications from family, etc.).  Make it a part of new employee orientation to mention respect for meetings, speakers, etc., and what the expectations for behavior are.

I work as a consultant now, but my office days are relatively recent, and of course I consult in offices similar to the ones I used to work in.  Everyone needs a mental break, and whether that’s sauntering down to the kitchen for coffee, soda or snack, and a little tete-a-tete with whomever else has to space out for a couple minutes, I’m not sure much has changed.

Hire solid employees, set expectations, explain work, distribute work fairly and evenly, and I think things are going to be just fine.

Stay sensible out there.    :^ )

NP:  Feeling Good, Gerry Mulligan,  Jazz24.org

Don’t Miss the Obvious:  Reason for care, training and awareness

According to Pingdom, internet users sent around 107 trillion e-mails last year.  I dunno about you, but that doesn’t mean a whole lot to me unless I can see some sort of visual representation of that…

For a handy example for what a trillion+ e-mails might represent, check this site:  PageTutor.com.  Here, they’re explaining what one trillion dollars in $100 bills would look like.  Simply substitute 100 e-mails for the $100 dollar bill in the example (while realizing that many e-mails are multiple pages, and frequently contain attachments, to boot!).  The volume is staggering.

Unsurprisingly, Pingdom reports that most of the e-mails were spam!  I think my Inbox/Junk Folder accounts for about 1.5 million of last year’s total. 

However, I do have to troll for timely subjects for the blog, and in the course of casting far and wide, I do tend to accrue a few things I don’t need to receive.

That said, check out these stats (Source for all stats:  Pingdom):

-        As of June, 2010, there were 1.97 billion internet users

o   825.1 million in Asia

o   475.1 million in Europe

o   266.2 million in North America

o   204.7 million in Latin America/Caribbean

o   110.9 million in Africa

o   63.2 million in the Middle East

o   21.3 million in Oceana and Australia

Given that there are about 2.9 billion e-mail accounts around the world, it’s not too surprising that out of 294 billion messages a day, roughly 89 % were spam.

Some other interesting facts:

-        About 152 million blogs worldwide

-        Total websites:  255 million – 21.4 million more than the previous year

-        Domain names?  Comprised of:

o   88.8 million .com

o   13.2 million .net

o   8.6 million .org

o   79.2 million “country code” names, such as .uk, .cn, .au, etc.

Twitter and Facebook:

-        Twitter:

o   100 million new accounts added by Twitter last year.

o   175 million accounts as of September

o   25 billion Tweets sent in 2010

-        Facebook:

o   250 million accounts added in 2010

o   600 million accounts at the end of the year

With all of this activity, quite naturally, organizations and employees must be very careful – particularly when conducting business via these means – to be mindful of security, best business practices, and appropriate styles for communication and tone.

For “business” – a simple reminder from the BTW:  Monitor what is being done in the name of your domain.  The simplest example:  Be certain that JohnQSmith@yourdomain.org is not sending mail or posting to blogs or articles anything that reflects poorly on business, clients, co-workers, supervision, etc.

Ensure employees are trained and refreshed about the perils for blending social networking and business.  Some small and medium businesses utilize social networking for advertising, networking, and communicating – and do it very effectively.  However, it is in these circumstances there is peril for a natural tendency to mix “friending” and “businessing.”  Be careful.

Larger enterprises flat-out ban the use of social networks at work, and thus for any business being conducted through them.  Be certain to know your organization’s Acceptable Use, Content Management and Security policies through and through.  If you are the driving authority for these policies, make certain they are spec’d for 2011 and beyond…

For Business:  Remember that any organization owns not only its technical enablements, such as the e-mail system and all supporting systems, but all content within those.  It is your content to monitor; prudent business does not need to read each and every e-mail (impossible), nor does it need to spot check mail (excepting of course when HR and allied business supervision suspects employee malfeasance).  Rather, your system should have alerts based upon words and phrases that can flag the appropriate organizational authorities so as to instigate  investigation when necessary.

Of course, any measure of manual oversight and spot-checking is fine.  That is up to each individual organization; based on need, size, volume of traffic, policing practices, and so on. 

But above all, be efficient:  Get some flags set, and train personnel and dispense policy – have each employee sign appropriate policies as having been read and understood and file them in their personnel folders.

NP:  Sarah Vaughan –  Sassy Swings the Tivoli.  Original 1963 LP (Live at the Tivoli in Copenhagen – Sarah; Kirk Stuart,piano; Charles Williams, double bass; George Hughes, drums).    Original Mercury LP.  Class – and world-class.