Stem the rising tide of e-mail


1 April 2005

The last few years have seen the Internet’s killer application evolve from a simple and convenient method of online communication to a serious management headache, not just for IT managers, but for their counterparts in human resources.

Consider the following issues that can arise with corporate e-mail usage: the leakage of company confidential data; legal issues regarding an employee’s mail usage; offensive, inappropriate and time wasting e-mails; advertisement and junk mail (SPAM); viruses and corrupt attachments; the costs of space and storage for e-mail; backup and recovery of e-mail and the cost of bandwidth utilisation for large and time wasting mail.

It’s enough to make you not want to get up in the morning, but how can such a simple application create so many problems? The answer is, of course, that e-mail was never intended to be the tool that it is now, handling just about everything from quick queries to large documents, PowerPoint presentations and video clips, whereas three to five years ago it handled mostly text-only files.

 


And everybody is at it. According to research firm Gartner, 11bn e-mails were sent per day worldwide in 2001. That number is expected to more than triple to 36bn per day by 2005 (and IDC reports even higher estimates of 31bn e-mails per day in 2002 and up to 60bn per day by 2006).

The management of e-mail has been complicated much further by the huge problem of unsolicited e-mail (or SPAM). This problem hasn’t gone unnoticed at the highest levels: new EU legislation, called the Privacy and Electronic Communications Directive, is due to be incorporated into Irish law shortly and will make it an offence to send unsolicited e-mails to new recipients without first having obtained their prior ‘opt-in’ consent.

However, many in the Internet business community are openly sceptical about how much of a dent this law will make on the problem of SPAM, particularly as the vast majority of it comes from the US and obviously will not be affected by the regulations.

E-mail storage is another ballooning problem, with people getting more e-mails and deleting fewer. This problem especially applies to Irish firms that have a US office and are mandated by US data retention and corporate governance laws to preserve e-mails for a specified period. Should you save that e-mail from Bob in New York forever in case the SEC (Securities and Exchange Commission) comes knocking?

Then, of course, there’s the obvious problem of e-mail-specific viruses and worms, such as SoBig, the impact of which has been given an almost overbearing amount of attention in the media.

What policy?

Yet despite all the potential issues that have arisen with this explosion in e-mail usage, few companies have a written e-mail management policy in place, according to various research surveys.

For instance, 46 per cent of companies in the UK are not familiar with the legal and contractual requirements surrounding the use and storage of e-mail, according to a survey by VNU on behalf of Legato Systems. Furthermore, nearly one third (32 per cent) of companies do not currently have a formal e-mail usage policy, although over one third (36 per cent) of organisations have sought legal advice on e-mail compliance issues.

Regardless of what kind of an e-mail system you have, whether it’s accessed via an ISP through a dial-up connection or directly from an SMTP (simple mail transfer protocol) server, an e-mail management policy is a good starting point for any organisation wishing to regain control of their e-mail.

One effect of the media attention given to recent e-mail viruses is that many users assume that e-mail management is primarily a network security issue. They assume that it is dealt with by IT managers implementing anti-virus systems and restricting attachment sizes so as not to clog up network bandwidth and storage space.

Conall Lavery of Entropy, a reseller of security software including e-mail monitoring and management systems from Clearswift, Trend Micro and Checkpoint, maintains a more reasoned outlook. He says that e-mail policy administrators should allocate limits according to the different needs of each department in a company. For instance, graphic designers will require access to data-heavy images and files, while accountants will not.

‘I do think that common sense comes into it,’ says Lavery. ‘Common sense in terms of finding out what people’s jobs are and deciding what they need as far as e-mail and bandwidth is concerned, rather than adopt a blanket policy for everyone.’

This sort of control is more difficult to achieve for small organisations not large enough to justify the expense of an internal e-mail server, says Hugh Marron of IPOptions. Some might provide a control box through a POP3 e-mail service, but ISPs will often impose their own limits. In any case, he says, it’s not the size of e-mail attachments that causes the biggest problem, but the sheer number of e-mails that can clog up an inbox, including SPAM and viruses such as SoBig.

Don’t rely on ISPs

Relying on an ISP as your front line against e-mail viruses and malicious content is probably not a good idea, says Ciaran Byrne of System Options. ‘The longer you’re online downloading all that rubbish, the more these ISPs make in telephone help charges. Now that might sound a bit unfair, but, the reality is, these worms are a cash cow for those ISPs too busy checking their balance accounts to send up something like an “early warning” flag.’

Even if an ISP did implement virus control software across its network, it would have limited value because the Internet, by design, is a multi-provider network. The answer, he says, is to set up your own virus control or firewall system.

Virus and content filters are only one part of an e-mail management strategy. Another vital part is user education on acceptable e-mail usage from day one, says Marron. There are the ethical and legal issues in sending or forwarding e-mails containing libellous, defamatory, offensive, racist or obscene remarks. Now that e-mails are considered legal documents in a court situation, there have already been a number of high profile cases brought against the purveyors of such e-mails and cases where e-mails have been presented as key evidence. Aside from the legal implications, sending or forwarding e-mails with prejudicial content is likely to reflect badly on a company’s reputation, regardless of whether the sender is identified.

‘There are so many ways which information sent by e-mail can come about circle,’ says Marron. ‘E-mail can grow a life of its own as it travels between companies.’

Using business addresses for personal business is now regarded as a no-no, particularly as there is a greater risk of ending up on some spammer’s list. Some companies have instructed employees to use web-based e-mail for personal use, but Marron points out that such services are likely to create a higher risk of virus intrusion, unless the prudent step is taken of banning the downloading of attachments from web mail onto a workplace PC.

It’s not just excessive use of corporate e-mail or web mail that opens the door wider to virus or worm intrusions, says Dave Keating of Data Solutions. ‘You need to think of all the other ways that information can get in.’ This includes content from external sources that can penetrate the network through things like instant messaging and peer-to-peer (P2P) networks. P2P networks may not be that prevalent in Ireland, but instant messaging certainly is.

Obligations

In terms of obligations to retain e-mail documents and files, Niamh Carroll of CMS Peripherals says that the onus is primarily on legal and financial companies who are by their nature governed by international jurisdictions.

For indigenous companies and small businesses, there are no specific e-mail retention obligations just yet. Nonetheless, says Carroll, even if you are just serving the Irish market, the centrality of e-mail to a variety of business transactions is such that e-mail documents now constitute key business records and are admissible before a court of law. Directors and users can be held liable for failure to retain documents and records.

E-mail also has the potential to do damage when used for internal communication. ‘Part of the problem with e-mail is that we are becoming too reliant on it, sometimes using it as a political tool to embarrass others in the office,’ says Martino Corbelli, marketing director with content filtering firm SurfControl. ‘It’s so easy to use that people are tempted to hide behind it rather than use traditional forms of communication, like simply getting up and walking over to speak to the other person.’

The consequence of this, says Corbelli, is a greater risk of misunderstandings and because e-mails cannot convey tone of voice, humour and sarcasm etc, ‘it’s very easy for an e-mail argument to enflame out of all proportion’.

If not properly managed, e-mail usage has obvious implications for productivity. In the UK, a company called Phones4U hit the headlines when it decided to ban internal e-mail because it was hindering employee productivity. Such a decision has been widely criticised as a knee-jerk reaction which failed to consider that e-mail has to be used intelligently if it is to be of benefit to businesses.

Corbelli of SurfControl says that while e-mail use was clearly adversely affecting productivity in Phones4U, the decision showed that they had ‘no ability to manage how e-mail is used’. The banning of e-mail altogether is representative of a ‘slap on the wrist’, which is bound to annoy employees and make them feel like ‘naughty children’. They will only find other ways to bypass this, such as using the phone to call friends, or even instant messaging.

‘My message to them is “treat people like people and the way you would want to be treated yourself”. If you tell them why something is causing a problem, they will change their behaviour.’

Tech tools

A typical starting point for the creation of a corporate e-mail policy could be a filtering audit such as Total Filtering Audit, available online from SurfControl. Managers are asked to tick categories of e-mail content and attachments that their department does not require in order to carry out business functions.

There are various software applications that can help to support an e-mail management policy from vendors like Net IQ, Clearswift, M@ilmeter, Red Earth, Checkpoint, SurfControl, Legato and CA.

Some are specifically geared to dealing with SPAM. Net IQ’s Mail Marshall sends licensed users a daily list of SPAM warnings so that individual filters can be adapted accordingly. Mail Marshall is the sort of tool that empowers individual users and confers on them the responsibility to manage their own e-mail, thereby relieving the burden on the IT manager, says John Mooney of Renaissance Software.

‘The problem is that individuals don’t want to be patrolled,’ says Mooney, who adds that there should nonetheless be a basic policy outlining agreed formats, prejudicial content, and so on. ‘In business you cannot really impose anything, everything has to be by agreement,’ he says.

E-mail content filtering applications that can be flexibly defined and tailored according to the differing needs of individuals and departments are especially useful for dealing with the complex issue that is SPAM. This is because for every IT manager who wants to block all SPAM, there is another who wants to receive unsolicited e-mail that is considered relevant to their job functions, whilst still blocking harmful and inappropriate SPAM, according to a UK survey by SurfControl.

In terms of minimising data storage demands generated by large e-mail attachments, Legato’s E-mailXtender has a facility that continuously backs up text mails, but stores attachments on an archive server. These attachments are backed up just once, thus saving storage space. Similarly, Sun Microsystems has a policy-based e-mail archiving system called SAM-FS that can archive data to tape, which can be quickly and easily recovered, but at a fraction of the cost. That five-year-old e-mail is no longer putting an unnecessary strain on the IT manager.

Another solution to the problem of multiple e-mail attachments is to be found in Microsoft’s forthcoming Office 2003. Although introduced in Windows XP, Document Workspace has been enhanced to enable internal corporate users to collaborate on a shared document instead of sending or receiving multiple attachments of the same document via e-mail.

Users should also consider transferring to instant messaging technologies for short messages. Clive Ryan of Microsoft’s client and information worker division says that market research for Office 2003 found that e-mail tended to be used a lot for multiple short, informal, ‘bursty’ messages that tended to clog up inboxes. Now that more and more people are online simultaneously, the burden on e-mail of this type of communication can be offloaded to IM, he said. Engines for IM can now be configured to record and archive IM conversations so that an audit trail can be produced if necessary.

The growth in e-mail management options and technology is clearly a recognition by growing numbers of companies that so much of their intellectual capital is bound up in e-mail. As a result, everyone who uses e-mail has a role to play in the management of it — and not just IT managers.

18/11/2003


TechCentral.ie