Technology: Spam
By Gary Bolles | Posted 11-01-2003
Sure, spam is all over the news. But what does it really mean to your organization?
CIOs have two recurring e-mail nightmares. In the first, the CEO receives an unwanted message, usually containing something rated NC-17. "That's when senior management says, 'I've seen the last body part in my e-mail I ever want to see. Fix it!,' " says Gartner Inc. research director Maurene Caplan Grey. In the second, the CEO doesn't receive a critical message he's been waiting for all week. Either event can be career-threatening for the CIO. There's no question that most executives want e-mail to be the strategic communications backbone of their business. But that's increasingly difficult as spam inundates in-boxes. CIOs don't need much more detail on the damage being inflicted on users, e-mail systems and storage space by the rising tide of unsolicited e-mail, because they're living it. "Spam creeps up on you, like shocks going bad on your car, and all of a sudden you realize how bad the ride is," says David Jordan, the chief information security officer for Arlington County, Va.
Yet spam's already mind-numbing numbers just keep growing and growing and growing. Paul Judge, CTO of antispam vendor CipherTrust Inc., says spam comprises up to 61 percent of all in-bound corporate e-mail. Antispam service provider Brightmail Inc. claims that out of the 70 billion messages it processes every month for the 300 million users in its worldwide network, over 50 percent are spam. The country's biggest e-mail provider, America Online, claims it stops an average of more than 1.5 billion spam messages a day, spiking at times to more than 2.5 billion. Says Michelle Boggess, electronic data security coordinator for Pensacola, Fla.-based Baptist Health Care, a $743 million not-for-profit: "Some of our users were getting spammed so heavily that they were spending large amounts of their own time picking through e-mail." The deluge creates a huge drain on worker productivity.
But spam is in the eye of the beholder. There are any number of generally accepted industry, organizational and personal definitions of spam, all of which may be in conflict. Brightmail CEO Enrique Salem defines spam as all unsolicited bulk e-mail. Jeff Ready, CEO of spam-filter vendor Corvigo, suggests three categories for spam: the messages you want, the messages you don't want (usually bulk marketing e-mail) and "other." That third category typically includes e-mail newsletters and opt-in messages that users may or may not want on a given day, but can't be bothered to unsubscribe to, making it especially difficult for corporations to screen out every questionable message.
In many companies, though, the biggest risk isn't letting through unwanted messages. It's the danger of blocking the ones people need. One so-called "false positive" that deletes a critical e-mail or relegates it to some little-used, out-of-the way folder could severely affect the success of your company's business. To avoid this and other risks of poor spam management, it's the CIO's job to get educated. "I don't think ignorance is an excuse for not being accountable," says Cynthia Luman, vice president of computer operations at CSX Technology Inc., a subsidiary of CSX Corp., a transportation and logistics service provider.
Tell Your Users:
Ask Your E-Mail Administrator:
Ask Your CEO:
The first step has little to do with technology. It's a people problem.
At its most basic, e-mail is simply a communication between a sender and a receiver.
If the IT department has any hope of fixing the spam problem, it has to focus
first on the receiver. Your company's e-mail use policies need to be crystal
clear, defining the kinds of communications allowed for every position in the
organization. If you don't want administrative assistants to be e-mailing their
mothers all the time, or salespeople to forward every dumb joke they receive
to all 500 of their pals in the company, then make sure they know it's against
the rules.
Your corporate culture will determine how far those policies can go in strictly
mandating e-mail use. Financial-services organizations often have locked-down
standards that give users little wiggle room, while universities are constrained
by very specific (and very liberal) notions on the part of users about
how broadly their rights are defined.
Train users in what's acceptable in terms of internal and external communications.
Some companies' workers regularly copy everyone on every e-mail they send, creating
dozens of long message threads that qualify in some recipients' minds as "unsolicited
bulk e-mail." Employees should also learn to reduce the frequency with which
they provide their e-mail addresses to unfamiliar Web sites, a habit that virtually
guarantees their inclusion on spam lists.
Your Webmasters should also be involved. Brightmail CTO Ken Schneider says e-mail
addresses listed on HTML pages such as your company's "contact us" page are
the single largest source of target addresses for spammers. Marketers can simply
point a software "spider" to look for e-mail addresses on your site, then drop
them into spam lists. Remove text e-mail addresses wherever possible, and consider
using digital GIF images to confuse the spiders.
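An added example, not part of the original article: a Python audit you can run over your own page source to list every place a plain-text address is exposed, including image alt text, which hands the address back to a spider even after the visible text has been replaced with a GIF. The function names, the address pattern and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Deliberately simple address pattern; good enough for an exposure audit.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class ExposureAudit(HTMLParser):
    """Records every place a page's markup exposes a plain-text address."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded addresses are decoded too
        self.findings = []  # (line, where, address)

    def _record(self, where, text):
        line = self.getpos()[0]
        for address in ADDRESS.findall(text):
            self.findings.append((line, where, address))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "href" and value.lower().startswith("mailto:"):
                self._record("mailto link", value[7:])
            else:
                # alt/title text on an image still exposes the address
                self._record(f"{tag} {name} attribute", value)

    def handle_data(self, data):
        self._record("visible text", data)

def audit(html):
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (example.com addresses are placeholders).
SAMPLE = """<html><body>
<p>Write to sales@example.com for pricing.</p>
<a href="mailto:support@example.com">Contact support</a>
<img src="press.gif" alt="press@example.com">
<img src="jobs.gif" alt="Jobs e-mail address">
</body></html>"""

if __name__ == "__main__":
    for line, where, address in audit(SAMPLE):
        print(f"line {line}: {where}: {address}")
```

Only the last image in the sample is clean: its address lives in the picture alone, with nothing machine-readable left in the markup.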
Ultimately, well-designed and managed e-mail policies can significantly reduce
the amount of spam targeting your users, as well as increase overall productivity
by promoting more effective internal communications, whether users initially
want to help or not. "You have to protect them from themselves as best you can,"
says Julian Field, teaching systems manager in electronics and computer science
at the University of Southampton in Southampton, England.
Ask Your Human Resources Department Chief:
Ask Your CTO:
Tell Your Users:
Is antispam software simply the cost of entry?
Increasingly, antispam software is being seen as a kind of tithe on the free
Internet, a necessary cost of access to an open peer network. In fact, Gartner's
Grey says that by the end of 2004, at least 80 percent of all corporations will
have "relatively complete" spam protection.
But filtering through the broad range of antispam software options can be daunting.
Analysts and users say the best place to start is by building on what's already
in-house, as well as by looking at the products your Internet service provider
is using. "It's a better solution if it fits into the infrastructure that's
already there," says J.F. Sullivan, director of product marketing for antispam
vendor Sendmail Inc.
Some applications work as standalone products, separate from your messaging
and security infrastructures, though this approach can increase management costs.
Others, including those offered by security software providers, offer integrated
applications, but they may not cover all of your needs. Mark Shields, director
of IT for $1.2 billion Kyocera Wireless Corp., recommends looking at an outsourced
offering as a way to stop spam before it enters your network. But with close
to 120 antispam vendors today, according to Sendmail's Sullivan, there's likely
to be substantial consolidation just ahead, so choose vendors for their ability
to merge seamlessly with your existing infrastructure.
Remember that spam is an arms race, and spammers are developing increasingly
clever methods for evading traps. That means any single approach will always
let messages slip through. The best filtering processes include a multilayered
approach with coordination among your ISPs, the corporate messaging infrastructure
and desktop security. "Any single-layered type of approach is going to be subject
to defeat," says Chuck Egress, group product manager at Symantec Corp.
Ask Your Existing E-Mail and Security Vendors:
Ask Potential New Vendors:
Ask Your CTO:
Measure the value of your antispam efforts to be sure that you won't be second-guessed
on the cost involved.
How much is spam costing your company? Poll users for their spam-management
time estimates, then multiply by the average wage of your employees. Don't forget
to include the time spent by your mail administrator, and for spam-related help
desk calls.
Next, determine what your company's standard volume of unwanted e-mail looks
like. "That gives you a baseline so that now you can say to upper-level management,
'Here's where we were, and here's where we got to,'" after putting the antispam
plan into action, says Kyocera's Shields. Make sure you know the cost of processing
and storing messages at your current volume levels.
Symantec CTO Rob Clyde also suggests looking at how many IT projects have been
delayed or postponed because of security concerns such as spam and viruses.
Systems that monitor e-mail content can help avoid "hostile workplace" and related
lawsuits, says Kurt Williams, vice president and CIO of Summit Electric Supply
Corp. Inc., so factor the avoidance of such risk into your equations.
But the best ROI will come from looking at Internet risk management holistically,
including spam, viruses and security breaches such as distributed denial of
service campaigns. "On the network service side, spam doesn't feel a whole lot
different than DDoS attacks," says CSX Technology's Luman. She should know:
She says her company fends off 3.5 million such attacks every month.
Of course, letting through, say, a single nasty virus has vastly greater implications
than letting through one spam message. Still, the lines begin to blur when spam
reaches overwhelming volumes, and when marketers apparently use spam and virus
characteristics to send still more spam, as with the SoBig worm. "The way in
which companies think about e-mail has to fundamentally change," urges Gary
Steele, CEO of vendor Proofpoint Inc.
Once in place, however, users are generally positive about antispam efforts.
"Our system has already paid for itself in the eight months that I've had it,"
says Darryl Killingsworth, CIO for defense contractor Manufacturing Technology
Inc., based in Fort Walton Beach, Fla. "It's very rare in the IT arena where
you get praise from your end users for what you do." And it's especially gratifying
when the right messages continue to get through. "As far as we know, we have
not had a false positive," says Baptist Health Care's Boggess of the IronMail
server protection from CipherTrust. "Everything people needed to get, we have
received."
Just don't think the spam problem will go away tomorrow. "It's actually technology
itself that's driving the opportunity for more attacks, and more widespread
attacks," says Symantec's Clyde. "It has in it the seeds of tomorrow's problems.
As we continue to have more connectivity, the problems are going to increase.
That's just a fact of life." New technologies such as message-oriented Web services,
for example, will only increase the security risk if they aren't built carefully.
But antispam measures also will continue to improve, though nobody is suggesting
that spam can be completely stopped. Instead, the CIO's goal should be to reduce
the amount reaching users' desktops to a reasonable level, making it as manageable
as possible. "There's no silver bullet in spam, and I don't think anybody should
be thinking there is," says Arlington County's Jordan. "There's no cure."
Ask Your HR Department:
Ask Your Finance Department:
Ask Your CTO: