How to tame the e-mail beast

From...

By Lauren Gibbons Paul

(IDG) -- "We tell our employees not to open unknown attachments," says Tim Naramore. "But they do it anyway."

Naramore is CIO of Allegiance Telecom, a competitive local exchange carrier in Dallas, Texas. In fact, Allegiance has a relatively stringent approach to enforcing its corporate e-mail usage policy -- employees must agree to the policy's terms and conditions each and every time they log on to the e-mail system. The policy includes a prominent directive: Don't open unexpected attachments.

But that wasn't enough to stop several of the $285 million company's employees from opening the attachment with the Love Bug virus in May 2000. The virus slipped through Allegiance's virus-defense systems. Fortunately, an alert network administrator noted the virus-prompted surge of messages and froze all incoming mail, allowing the company to contain the virus within an hour.

IDG.net INFOCENTER CIO's main page Pose questions to industry leaders at CIO's Ask the Expert Darwin Magazine Free daily newsletters Related IDG.net Stories Check your e-mail on anybody's computer SurfControl filters e-mail, Web with SuperScout Phone number to e-mail service raises privacy concerns Features PC World.com Product Finder Ask the expert: Hot and bothered How to keep your company out of the courtroom Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

Naramore's company got only a superficial bite from the Love Bug (which cost United States businesses an estimated total of $10 billion), but viruses are just the beginning of a laundry list of woes that accompany the blessings of e-mail communication.

The popularity of e-mail creates bandwidth challenges -- Allegiance's system traffic, for example, jumped from 200,000 messages per month last year to 500,000 per month this year. Archiving those missives creates storage issues. And mixed in with all the business-related e-mail is the usual flood of spam, scams, dancing animated babies, sexist jokes and even pornographic images.

Some companies have discovered the hard way that those messages are financial, ethical and legal land mines. Chevron, for example, paid $2.2 million to settle a suit brought by a female employee protesting an e-mail circulated in the company that listed 25 reasons why beer is better than a woman.

"It's absolutely astonishing, the things people will put in e-mail," says Joe Feliu, CIO and vice president of operations for Mountain View, California-based Visto, a software and services vendor for remote access to messaging systems.

E-mail is a seemingly mundane issue but one that demands careful attention from the CIO. The key realization is that e-mail management is principally about people management. In this article, CIOs share their tips for keeping e-mail under control.

Start with the policy

Your first line of defense against e-mail troubles is a solid e-mail usage policy, regularly communicated and consistently enforced. Unfortunately, no single e-mail policy works for all companies. Each CIO must sort through corporate culture and arrive at a policy that is within bounds and workable. The undertaking is usually done in conjunction with the general counsel (or other legal adviser) and the human resources department. Once it's set, the e-mail usage policy should become part of the company's HR policies, right there in the employee handbook for all to see.

At Paul, Hastings, Janofsky & Walker, a law firm headquartered in Los Angeles with more than 1,900 employees, staffers must sign a technology usage agreement upon joining the firm. CIO Mary Odson also circulates an update or review of the agreement every six months.

The cornerstone of the e-mail usage policy is the definition of proper e-mail use. By now it should be clear that employees in the United States do not have an expectation of privacy in their company e-mail accounts (though it does not hurt to spell that out prominently in the policy). The question that remains is whether employees may use the e-mail system to send personal messages. Allegiance Telecom's policy is restrictive: Employees must confine their e-mail to business purposes only. "They should not e-mail their mother," Naramore says. He adds that IT staff do not police employees' e-mail messages unless they see a vast increase in messages or other curious activity. "This doesn't come up unless there's a productivity issue," he says.

Other companies are more lenient. "They're welcome to e-mail or surf the Web during lunch or while taking a break," says Mike Foster, CEO of Foster Institute, a technology training company in Dallas. Still others do not restrict their employees' e-mail or Internet usage, believing that free use is a perk to be enjoyed by all salaried employees in good standing who get their work done.

Ray Everett-Church, senior privacy strategist for consultancy ePrivacy Group in Malvern, Pennsylvania, says he believes that the most restrictive policies treat employees as children, leading to poor morale, low productivity and an atmosphere of distrust. As a privacy advocate, he strongly advises CIOs not to have a policy of reading employees' e-mail. On the other hand, he says employees should be notified that the network is a company resource and that particular practices (such as downloading MP3 files or sending messages with sexual or discriminatory content) are forbidden. "Reserve the right to access e-mail, but at the same time make it clear the employees are valued and trusted," Everett-Church says.

Executives interviewed for this article echo a key fact of life: Policy violations will still happen. The best usage policy in the world will not prevent all misuse. After all, as Foster says, "If it weren't for people, this stuff would be easy." When a breach has occurred -- and they will happen -- the most important thing you can do is take action. Whether the offense involved defamation, sexual harassment or disclosure of corporate secrets, you must consult with legal counsel and then meet with the offender. Don't get into the meeting without a rep from HR.

"You must confront the employee and deal with it," says Feliu, who once ran the e-mail system for the United States Postal Service's 200,000 employees in the northeastern United States. If it's a first offense and the person shows remorse, a warning might be enough. If the actions continue after that, dismissal may be necessary. Failing to deal with the issue head-on could ultimately be construed as the corporation tolerating the behavior -- and that could mean big bucks in court in addition to workplace disruption.

Training, training and more training

Training employees on e-mail policies is standard procedure for many companies, but training that stops there is inadequate. Employees also need instruction in e-mail etiquette, including how to recognize spam, scams and urban legends.

A common occurrence: One person sends out a message to everyone in the corporate address book offering free Dodgers tickets -- and then someone replies to everyone on the list. Odson has seen this carried to absurd lengths. "Someone will send a message to the network, 'Don't open this file.' Then someone replies to the whole group, 'You're right, don't open that file.' I have seen it get to that point." Odson recommends that employees "BCC" the recipients when sending messages to the whole company. That way, recipients cannot reply back to the entire group.

Some of the most commonly forwarded e-mails are hoaxes. Employees sometimes flood corporate networks with forwarded messages in an effort to help sick children or win free vacations, despite the fact that the majority of those messages are already well-known urban legends. Directing employees to check such missives against a reputable site such as www.scambusters.com can help reduce such distractions.

At Odson's firm, every new hire undergoes a half day of training devoted to e-mail. The managers can't get enough e-mail training for their direct reports, Odson says, because they have seen the bloodbaths that can result from inappropriate use of e-mail.

Controlling the flood

E-mail usage just keeps going up. At big companies, the sheer volume of daily messaging can become daunting. At $5.8 billion printing giant R.R. Donnelley & Sons, for example, more than 7 million messages flow through the system each month, according to Gary Sutula, senior vice president and CIO. And even at smaller companies, CIOs must consider not only the cost of network usage and physical storage created by the messaging flood but also some possible legal ramifications surrounding stored e-mail.

The problem here -- beyond the hassle of producing all the e-mail -- is that e-mail more often yields incriminating rather than exculpatory evidence. (The damning e-mail messages brought to light in the Microsoft antitrust trial are just such an example.) "E-mail preserves bad things more often than good things," Everett-Church says. "My advice is to keep as little information as possible for your business needs." You might reasonably retain messages for a month to three months. Much more than that and you'll face increasing storage costs -- not to mention greater legal risk.

Tools that Can Help

While people and policy issues are paramount, the good news is that software tools offer some help in managing e-mail. Filtering is the way to avoid a lot of the spam and viruses floating around in cyberspace. Tools such as MineSweeper and Brightmail filter out the executable file attachments that often contain viruses as well as potential spam, both by objectionable content (for example, "Work at home!") and by segregating messages from known "spam houses." Feliu of Visto uses Brightmail but prefers to err on the generous side: He filters known spam content into a specific folder where employees can view it if they have some reason to do so (such as if they are looking for a lost message). Says Feliu, "One person's spam is another person's gold."

Despite the fact that spam bedevils almost everyone in corporate America today, don't expect legislation (such as the current Unsolicited Commercial Electronic Mail Act of 2001, H.R. 95) barring it to be passed into law any time soon. The reasons for that are complex. Although every U.S. company (indeed every man, woman and child with an e-mail account) must spend precious time and computing resources dealing with these unwanted messages, spam is not exactly top-of-mind.

According to Everett-Church, who is a member of the Coalition Against Unsolicited Commercial E-Mail, anti-spam activists are sorely out-funded by the pro-spam lobby, which includes large financial-services companies and the Direct Marketing Association. Even though an estimated 30 percent of the 30 million messages coming through the AOL network every day are spam, AOL Time Warner is not backing anti-spam legislation because it wants to reserve the right to send its own commercial messages, according to Everett-Church. Most of the other large ISPs feel the same, he says.

Everett-Church points out that it costs next to nothing to set up shop online, justifying the estimated positive spam response rate of well under 1 percent. "All the spammer needs is one or two hit rates per spam run and he'll be happy. Sadly, there are at least one or two idiots per million people."

Executives of public companies don't like to talk about spam, he says, because they don't want the world to know just how much it costs them. "When part of your IT budget depends on whether Billy Bob in accounting signed up for a pyramid scheme, that's not something they like to talk about," Everett-Church says. "With spam, it's an ongoing guerrilla war."

Viruses can also be curtailed by filtering out .exe and .vbs file attachments, and using two different antivirus software packages on the server and the desktop. That's Naramore's approach. He uses Norton Anti-Virus on the desktop and Fsecure on the server. However, teaching users to distrust all attachments remains a best practice.

Naramore knows it's just a matter of time before the next incident crops up. "You train them, then it happens again. Luckily we haven't had any downtime from this stuff."