November 1, 2002

You have to question the sanity of law companies that are happy to become completely reliant on e-mail communications while exposing themselves to huge potential losses by having little control over their employees’ use of these systems. You also have to question why they are spending tens of thousands of pounds on content filtering and blocking tools, and spending time devising e-mail usage policies, but are still unable to protect themselves against e-mail abuse by their own employees.

The fact is that an e-mail usage policy is useless if there is no means of enforcing it. What’s more, perimeter software such as filtering and blocking technology is insufficient because it only tracks e-mail as it enters and leaves a company and even then it can miss content deliberately hidden when embedded in innocuous looking Word, PowerPoint and Excel documents. This leaves the company with no insight into the time employees spend on non-work-related e-mail.

We know that some staff, according to Ferris Research, can spend as many as four hours a day composing, sending and reading e-mails – that time inevitably has a direct resource and cost impact. The wider ramifications of e-mail abuse highlight liabilities for both the company and its directors and additionally place a huge strain on IT resources, including network bottlenecks, and a resultant need for more desktop and server storage as well as network bandwidth. However, it is the sheer drain on your people resources caused by e-mail abuse that smacks loudest: if, for example, 70% of messages are not related to business, and each one takes three minutes to process, a 500-user site sending and receiving 10,000 messages a day is looking at a loss of 350 hours a day, or 42 minutes for every person.

Employees surfing non-work-related Web sites have always been easier to track – colleagues and managers can readily see what is on a user’s screen – but with e-mail it’s nearly impossible to see whether employees are frantically typing at the keyboard intent on their current business task, or if they are sending the latest joke to their colleague across the office or friends around the world.

A prime example is the infamous “Yum Yum” message: London lawyer Bradley Chait forwarded to his colleagues a message from his girlfriend Claire Swire about a sex act she had performed on him. Within hours the message had reached millions of computer users worldwide.

The irony is that the vast majority of directors do not even realise they have a problem with e-mail because they think that their e-mail usage policy is protecting them. Research indicates that 57% of all UK businesses now have e-mail policies, a figure rising to 83% for large companies (Information Security Breaches Survey 2002), yet over half of these companies have still had security incidents related to e-mail in the last year. Having rules in place is no guarantee they will be adhered to or that abuse can be tracked effectively. Clever users, for instance, know they can cover their tracks by deleting sent messages and then deleting them from their deleted items. That loophole vanishes, however, once a system is in place that captures the actual e-mail transaction. Any perception that enforcement does not work, based on obvious infractions that go unpunished, soon leads to breaches becoming accepted practice, nurturing a culture among users that continually pushes the boundaries of acceptable behaviour.

This can reach epic proportions as users send increasing numbers of non-business messages both internally and outside the company, which often contain very large file attachments – from simple message wallpaper to mammoth images such as movie, picture and sound files – that further clog the system. Invariably, .jpg is the number one file attachment type being sent by employees within most organisations, well ahead of standard word processing, spreadsheet and presentation files.

Similarly, Hotmail often ranks as the number one communication partner to and from which e-mail is sent, further highlighting the inability of companies to manage employee e-mail usage. Is your number one business partner Hotmail? This also raises serious information security issues. For example, in one organisation, we discovered an employee was e-mailing highly confidential, proprietary patent documentation to a Hotmail account.

Elsewhere, the sheer volume of messages between in-house staff can have equally debilitating consequences, as users embrace e-mail as a slower version of instant messaging for casual conversations. In one company recently, we found that two people exchanged 195 messages in one day; in another three conversation pairs represented 60% of the internal e-mail, and in one case 98 messages were exchanged between two staff in just 90 minutes.

The case for effectively managing in-house e-mail usage is overwhelming, but there is a problem in owning up to the fact and taking the issue further into the public domain. Like hacking, e-mail abuse is seen at board level as a shameful admission of managerial impotence, and companies simply do not want to stand up in court and openly admit their shortcomings. In addition, there is an unwillingness to take ownership of enforcing e-mail usage policies and therefore a classic buck-passing exercise from IT to HR to the Board and back to IT ensues.

Assuming the buck-passing stops at one person, there remains the thorny issue of choosing the most appropriate means, always keeping in mind that the last thing any company wants is its workers accusing them of heavy-handed Big Brother infringements of their privacy and human rights. Putting any privacy issues to one side, the scale of such a monitoring task would probably cost as much or more as any savings uncovered. What’s needed instead is a means of statistically managing usage on a regular basis in order to spot trends and bottlenecks that can be acted upon without any impact on users’ capabilities or rights.

The key to such a system is an ability to number-crunch the tens of thousands of e-mails sent each day, week and month, based not on the actual content, but on the header summary information held centrally on the e-mail servers. This approach also includes easily digestible reports highlighting a wide range of issues, from how well filtering tools are working, to costing e-mail usage within a department, and to tracking attachments, domain names and network bandwidth requirements. In short, this approach does for e-mail what business intelligence tools do for disparate financial and sales information: creating snapshots or more comprehensive views of otherwise vast and disparate stores of relatively simple data.

E-mail management at this level results in more than just the ability to create and enforce policies. It’s good for administrative house-keeping as well, since the reports are virtually guaranteed to show massive volumes of messages in the Sent and Deleted folders which are taking up valuable archiving space. It can also quickly show that in many organisations 60-70% of e-mails have nothing to do with business, which in a short time can halve that number through even a liberal enforcement of policies. This in turn will free up bandwidth, storage and server resources, and obviate unnecessary upgrades, not to mention the significant productivity gains.

The most effective and least obtrusive approach therefore is to manage usage on a regular basis and help educate the users in e-mail best-practice. And by informing workers that such a system is in place, the volume of non-work related e-mail invariably decreases dramatically.

Why are the same organisations that were quick to employ telephone reports to stop telephone abuse, and then Internet control software to stop surfing of smutty Web sites, now showing an unwillingness to act on what will probably show to be a higher cost to business than everything that’s gone before? The technology to manage e-mail usage is available now. Which means now is the time for employers to get tough and regain control of corporate e-mail before they make the headlines for all the wrong reasons.

Brendan Nolan, CEO, Waterford Technologies