The bank uses SecureWave's Sanctuary software to monitor e-mail and Web traffic, as well as block instant messaging completely. When a user violates a policy set in the software, the employee's manager is notified and talks privately with any first-time offenders. The company tells the staff at large about the incident (without naming names) to reinforce the need for self-vigilance. Also, employees often tell other employees of their mistakes, to help others not make them, Rickels notes. If the behavior continues, the bank does name names, as well as begin disciplinary or termination actions.

Similarly, at the Texans, Ignatiev uses the Sanctuary tool to identify potentially dangerous behavior, such as employees entering clients' or personal credit card numbers at e-commerce sites. He uses Palisade Systems' technology to identify behavior like sending e-mails containing scouting reports to unauthorized recipients. Security staff notify managers, who then talk to the employee to explain why the behavior was risky, Ignatiev says.

Telling employees that you're monitoring their communications—and why—helps reinforce desired behavior, Kocher says: "People tend to behave much better if they think they're going to be observed."

Block Judiciously
Like many CIOs, Flynn and Ignatiev are approaching automatic blocking of e-mail, instant messaging and other outbound communications cautiously. The concern: False positives could block legitimate communications and hurt customer service. Flynn, for example, would not want automatic blocking of, say, messages containing credit card numbers to cause a stranded airline customer to miss out on a quick rebooking.

Some industries, such as banking, may decide it's better to block false positives than risk the fines and publicity for releasing customer information. "A lot depends on the risk to your business," says First National's Rickels.

Another risk: "Blocking can breed lack of trust," says Mark Rizzo, vice president of operations and platform engineering at game developer Perpetual Entertainment. "I would quarantine rather than block, but then you need a large staff to look at the messages so the delay is not noticeable," he says.

As companies get a better handle on what is actually occurring in outbound communications, some do foresee blocking some communication automatically. Perpetual's Rizzo expects to use Tablus's Content Alarm NW software to block outbound communications containing business secrets, namely the code for software games that Perpetual produces. Developers job-hop frequently, sometimes taking the code they developed by sending it out before they leave, Rizzo notes.

Understand Tool Limits
With outbound content management tools, "you can build very sophisticated concept filters," says Cliff Shnier, vice president for the financial advisory and litigation practice at Aon Consulting. Typically, the tools come with templates for types of data that most enterprises want to filter, and they can analyze contents of servers and databases to derive filters for company-specific information, he says. (Consultancies can improve these filters using linguists and subject matter experts.)