Email abuse – the hidden business threat

You also have to question why they are spending tens of thousands of pounds on content filtering and blocking tools, and spending time devising email usage policies, but are still unable to protect themselves against email abuse by their own employees.

The fact is, an email usage policy is useless if there is no means of enforcing it. What’s more, perimeter software such as filtering and blocking technology is insufficient because it only tracks email as it enters and leaves a company, and even then it can miss content deliberately hidden by embedding it in innocuous-looking Word, PowerPoint and Excel documents. This leaves the company with no insight into the time employees spend on non-work related email.

We know that some staff, according to Ferris Research, can spend as many as four hours a day composing, sending and reading emails – that time having a direct resource and cost impact. The wider ramifications of email abuse highlight liabilities for both the company and its directors and additionally place a huge strain on IT resources, including network bottlenecks, and a resultant need for more desktop and server storage as well as network bandwidth.

However, it is the sheer drain on your people resources caused by email abuse that smacks loudest: if, for example, 70% of messages are not related to business, and each one takes three minutes to process, a 500-user site sending and receiving 10,000 messages a day is looking at a loss of 350 hours a day, or 42 minutes for every person.

Employees surfing non-work related web sites have always been easier to track – colleagues and managers can readily see what is on a user’s screen – but with email it’s nearly impossible to clearly see whether employees are frantically typing at the keyboard intent on their current business task, or if they are sending the latest joke to their colleague across the office or friends around the world.

The irony is that the vast majority of directors do not even realise they have a problem with email because they think that their email usage policy is protecting them. Research indicates that 57% of all UK businesses now have email policies, a figure rising to 83% for large companies (Information Security Breaches Survey 2002), yet over half of these companies have still had security incidents related to email in the last year.

Capturing the email transaction

But having rules in place is no guarantee they will be adhered to or that abuse can be tracked effectively. Clever users, for instance, know they can cover their tracks by deleting sent messages and then deleting them from their deleted items. That loophole vanishes, however, once a system is in place that captures the actual email transaction.

Until then, any perception that enforcement does not work, based on obvious infractions that go unpunished, soon becomes accepted practice, nurturing a culture among users that continually pushes the boundaries of acceptable behaviour.

This can reach epic proportions as users send increasing numbers of non-business messages both internally and outside the company, which often contain very large file attachments – from simple message wallpaper to mammoth images such as movie, picture and sound files – that further clog the system. Invariably, .jpg is the number one file attachment type being sent by employees within most organisations, well ahead of standard Office word processing, spreadsheet and presentation files.

Similarly, Hotmail often ranks as the number one communication partner to and from which email is sent, further highlighting the inability of companies to manage employee email usage. Is your number one business partner Hotmail? This also raises serious information security issues. For example, in one organisation, we discovered an employee was emailing highly confidential, proprietary patent documentation to a Hotmail account.

Elsewhere, the sheer volume of messages between in-house staff can have equally debilitating consequences, as users embrace email as a slower version of instant messaging for casual conversations. In one financial services company recently, we found that two people exchanged 195 messages in one day; in another, three conversation pairs represented 60% of the internal email; and in one case 98 messages were exchanged between two staff in just 90 minutes.

Effective management

The case for effectively managing in-house email usage is overwhelming, but there is a problem in owning up to the fact and taking the issue further into the public domain. Like hacking, email abuse is seen at board level as a shameful admission of managerial impotence, and companies simply do not want to stand up in court and openly admit their shortcomings.

In addition, there is an unwillingness to take ownership of enforcing email usage policies and therefore a classic buck-passing exercise from IT to HR to the Board and back to IT ensues.

Assuming the buck-passing stops at one person, there remains the thorny issue of choosing the most appropriate means, always keeping in mind that the last thing any company wants is its workers accusing it of heavy-handed Big Brother infringements of their privacy and human rights.

Putting any privacy issues to one side, the scale of such a task would probably cost as much as or more than any savings uncovered. What’s needed instead is a means of statistically managing usage on a regular basis in order to spot trends and bottlenecks that can be acted upon without any impact on users’ capabilities or rights.

A system of easily digestible reports

The key to such a system is an ability to number-crunch the tens of thousands of emails sent each day, week and month, based not on the actual content, but on the header summary information held centrally on the email servers. This approach also includes easily digestible reports highlighting a wide range of issues, from how well filtering tools are working, to costing email usage within a department, and to tracking attachments, domain names and network bandwidth requirements. In short, this approach does for email what business intelligence tools do for disparate financial and sales information: creating snapshots or more comprehensive views of otherwise vast and disparate stores of relatively simple data.
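An added example, not from the original article or from any vendor's product: a minimal header-only report of the kind described above, computing the top external partner domain, the top attachment type and the busiest internal conversation pair without reading any message body. The `X-Attachments` field, the `example.com` domain, the sample records and all function names are assumptions made for illustration.

```python
import os
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL = "example.com"  # assumption: the organisation's own mail domain

def hdr(frm, to, att=""):
    """Build one constructed header-only record; X-Attachments is hypothetical."""
    return f"From: {frm}\nTo: {to}\nX-Attachments: {att}\n\n"

# Constructed sample data: headers only, no message bodies.
SAMPLE_HEADERS = [
    hdr("alice@example.com", "bob@example.com", "joke.jpg"),
    hdr("bob@example.com", "alice@example.com"),
    hdr("alice@example.com", "bob@example.com"),
    hdr("carol@example.com", "someone@hotmail.com", "patent-draft.doc"),
    hdr("carol@example.com", "someone@hotmail.com", "holiday.JPG"),
    hdr("dave@example.com", "buyer@supplier.example", "quote.xls"),
    hdr("dave@example.com", "erin@example.com"),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def top(counter):
    return counter.most_common(1)[0] if counter else None

def summarise(raw_headers, internal=INTERNAL):
    partners, exts, pairs = Counter(), Counter(), Counter()
    for raw in raw_headers:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        for name in msg.get("X-Attachments", "").split(","):
            if name.strip():  # count attachment types case-insensitively
                exts[os.path.splitext(name.strip())[1].lower()] += 1
        for _, rcpt in getaddresses(msg.get_all("To", [])):
            rcpt = rcpt.lower()
            if domain(sender) == internal and domain(rcpt) == internal:
                pairs[tuple(sorted((sender, rcpt)))] += 1  # direction-agnostic pair
            else:  # count the external side as the communication partner
                partners[domain(rcpt) if domain(sender) == internal else domain(sender)] += 1
    best = top(pairs)
    share = best[1] / sum(pairs.values()) if best else 0.0
    return {"top_partner": top(partners), "top_attachment": top(exts),
            "top_pair": best, "top_pair_share": share}

if __name__ == "__main__":
    print(summarise(SAMPLE_HEADERS))
```
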

Email management at this level results in more than just the ability to create and enforce policies. It’s good for administrative house-keeping as well, since the reports are virtually guaranteed to show massive volumes of messages in the Sent and Deleted folders which are taking up valuable archiving space. It can also quickly show that in many organisations 60-70% of emails have nothing to do with business, a number that even a liberal enforcement of policies can halve in a short time. This in turn will free up bandwidth, storage and server resources, and obviate unnecessary upgrades, not to mention the significant productivity gains.

The most effective and least obtrusive approach therefore is to manage usage on a regular basis and help educate the users in email best-practice. And by informing workers that such a system is in place, the volume of non-work related email invariably decreases dramatically.

Why are the same organisations that were quick to employ telephone reports to stop telephone abuse, and then internet control software to stop surfing of smutty web-sites, now showing an unwillingness to act on what will probably prove to be a higher cost to business than everything that’s gone before?

The technology to manage email usage is available now. Which means now is the time for employers to get tough and regain control of corporate email before they make the headlines for all the wrong reasons.

  • Brendan Nolan is CEO of Waterford Technologies.
