Naramore is CIO of Allegiance Telecom, a competitive local exchange carrier in Dallas. In fact, Allegiance has a relatively stringent approach to enforcing its corporate e-mail usage policy: employees must agree to the policy’s terms and conditions each and every time they log on to the e-mail system. The policy includes a prominent directive: Don’t open unexpected attachments. But that wasn’t enough to stop several of the $285 million company’s employees from opening the attachment with the Love Bug virus in May 2000. The virus slipped through Allegiance’s virus-defense systems. Fortunately, an alert network administrator noted the virus-prompted surge of messages and froze all incoming mail, allowing the company to contain the virus within an hour.
Naramore’s company got only a superficial bite from the Love Bug (which cost U.S. businesses an estimated total of $10 billion), but viruses are just the beginning of a laundry list of woes that accompany the blessings of e-mail communication. The popularity of e-mail creates bandwidth challenges—Allegiance’s system traffic, for example, jumped from 200,000 messages per month last year to 500,000 per month this year. Archiving those missives creates storage issues. And mixed in with all the business-related e-mail is the usual flood of spam, scams, dancing animated babies, sexist jokes and even pornographic images. Some companies have discovered the hard way that those messages are financial, ethical and legal land mines. Chevron, for example, paid $2.2 million to settle a suit brought by a female employee protesting an e-mail circulated in the company that listed 25 reasons why beer is better than a woman.
“It’s absolutely astonishing, the things people will put in e-mail,” says Joe Feliu, CIO and vice president of operations for Mountain View, Calif.-based Visto, a software and services vendor for remote access to messaging systems.
E-mail is a seemingly mundane issue but one that demands careful attention from the CIO. The key realization is that e-mail management is principally about people management. In this article, CIOs share their tips for keeping e-mail under control.
Start with the Policy
Your first line of defense against e-mail troubles is a solid e-mail usage policy, regularly communicated and consistently enforced. Unfortunately, no single e-mail policy works for all companies. Each CIO must sort through corporate culture and arrive at a policy that is within bounds and workable. The undertaking is usually done in conjunction with the general counsel (or other legal adviser) and the human resources department. (For sample policies, go to www.cio.com/printlinks.) Once it is set, the e-mail usage policy should become part of the company’s HR policies, right there in the employee handbook for all to see.
At Paul, Hastings, Janofsky & Walker, a law firm headquartered in Los Angeles with more than 1,900 employees, staffers must sign a technology usage agreement upon joining the firm. CIO Mary Odson also circulates an update or review of the agreement every six months.
The cornerstone of the e-mail usage policy is the definition of proper e-mail use. By now it should be clear that employees in the United States do not have an expectation of privacy in their company e-mail accounts (though it does not hurt to spell that out prominently in the policy). The question that remains is whether employees may use the e-mail system to send personal messages. Allegiance Telecom’s policy is restrictive: Employees must confine their e-mail to business purposes only. “They should not e-mail their mother,” Naramore says. He adds that IT staff do not police employees’ e-mail messages unless they see a vast increase in messages or other curious activity. “This doesn’t come up unless there’s a productivity issue,” he says.
Other companies are more lenient. “They’re welcome to e-mail or surf the Web during lunch or while taking a break,” says Mike Foster, CEO of Foster Institute, a technology training company in Dallas. Still others do not restrict their employees’ e-mail or Internet usage, believing that free use is a perk to be enjoyed by all salaried employees in good standing who get their work done.
Ray Everett-Church, senior privacy strategist for consultancy ePrivacy Group in Malvern, Pa., believes that the most restrictive policies treat employees as children, leading to poor morale, low productivity and an atmosphere of distrust. As a privacy advocate, he strongly advises CIOs not to have a policy of reading employees’ e-mail. On the other hand, he says employees should be notified that the network is a company resource and that particular practices (such as downloading MP3 files or sending messages with sexual or discriminatory content) are forbidden. “Reserve the right to access e-mail, but at the same time make it clear the employees are valued and trusted,” Everett-Church says.
Executives interviewed for this article echo a key fact of life: Policy violations will still happen. The best usage policy in the world will not prevent all misuse. After all, as Foster says, “If it weren’t for people, this stuff would be easy.” When a breach occurs—and breaches will happen—the most important thing you can do is take action. Whether the offense involved defamation, sexual harassment or disclosure of corporate secrets, you must consult with legal counsel and then meet with the offender. Don’t go into the meeting without a rep from HR.
“You must confront the employee and deal with it,” says Feliu, who once ran the e-mail system for the United States Postal Service’s 200,000 employees in the northeastern United States. If it’s a first offense and the person shows remorse, a warning might be enough. If the actions continue after that, dismissal may be necessary. Failing to deal with the issue head-on could ultimately be construed as the corporation tolerating the behavior—and that could mean big bucks in court in addition to workplace disruption.
Training, Training and More Training
Training employees on e-mail policies is standard procedure for many companies, but training that stops there is inadequate. Employees also need instruction in e-mail etiquette, including how to recognize spam, scams and urban legends.
A common occurrence: One person sends out a message to everyone in the corporate address book offering free Dodgers tickets—and then someone replies to everyone on the list. Odson has seen this carried to absurd lengths. “Someone will send a message to the network, ‘Don’t open this file.’ Then someone replies to the whole group, ‘You’re right, don’t open that file.’ I have seen it get to that point.” Odson recommends that employees “BCC” the recipients when sending messages to the whole company. That way, recipients cannot reply to the entire group.
Some of the most commonly forwarded e-mails are hoaxes. Employees sometimes flood corporate networks with forwarded messages in an effort to help sick children or win free vacations, despite the fact that the majority of those messages are already well-known urban legends. Directing employees to check such missives against a reputable site such as www.scambusters.com can help reduce such distractions.
At Odson’s firm, every new hire undergoes a half day of training devoted to e-mail. The managers can’t get enough e-mail training for their direct reports, Odson says, because they have seen the bloodbaths that can result from inappropriate use of e-mail.
Controlling the Flood
E-mail usage just keeps going up. At big companies, the sheer volume of daily messaging can become daunting. At $5.8 billion printing giant R.R. Donnelley & Sons, for example, more than 7 million messages flow through the system each month, according to Gary Sutula, senior vice president and CIO. And even at smaller companies, CIOs must consider not only the cost of network usage and physical storage created by the messaging flood but also some possible legal ramifications surrounding stored e-mail.
At Allegiance Telecom, Naramore stores 90 days’ worth of e-mail for roughly 4,000 employees, which eats up 400 gigabytes of storage space. If your company is a startup or is relatively small, you might not have felt the need yet to limit the size of employee mailboxes—but you will. Most midsize and large companies limit individual inboxes to sizes between 15MB and a generous 150MB. A more radical possibility: cutting off employee access to some or (in extreme cases) all e-mail distribution lists. “You start out with no constraints, but they soon become necessary. Do you really want someone to be able to post software practice reminders to the whole company?” asks Feliu.
One trick that can help reduce the sheer volume of messages is to help employees balance between “push” and “pull” style communication. E-mail is a push mechanism—it goes out to everyone on the list, even those who might not be interested. Some information is better posted on the corporate intranet—as it would be with an old-fashioned physical bulletin board—where concerned employees can pull the information on an as-needed basis.
Most companies store e-mail messages on a central server, back them up on tape and save them for a certain amount of time. Allegiance Telecom retains its employees’ e-mail messages for 90 days as a matter of policy. “We looked at the business needs and weighed those against storage costs,” Naramore says. From the disaster-recovery standpoint, Naramore recommends using a mail server such as iPlanet that allows you to recover mailbox-by-mailbox. His e-mail system currently uses Microsoft Exchange, which does not have that capability. The one time he had to recover e-mail from the backup (because of a corrupt mail store), it took 18 hours, an “unacceptable” amount of time.
How long you retain e-mail depends on what your business needs the information for, but there is another significant aspect in storage decisions: legal implications. The longer you store e-mail, the longer it may be subpoenaed by a court. If you back up messages forever, adding and adding to the mail archives or deleting only when you run out of room, you will be responsible for handing over all the stored messages in the case of litigation.
The problem here—beyond the hassle of producing all the e-mail—is that e-mail more often yields incriminating rather than exculpatory evidence. (The damning e-mail messages brought to light in the Microsoft antitrust trial are just such an example.) “E-mail preserves bad things more often than good things,” Everett-Church says. “My advice is to keep as little information as possible for your business needs.” You might reasonably retain messages for a month to three months. Much more than that and you’ll face increasing storage costs—not to mention greater legal risk.
While people and policy issues are paramount, the good news is that software tools offer some help in managing e-mail. Filtering is the de rigueur way to avoid a lot of the spam and viruses floating around in cyberspace. Tools such as MIMEsweeper and Brightmail filter out the executable file attachments that often contain viruses, and they catch potential spam both by screening for objectionable content (for example, “Work at home!”) and by segregating messages from known “spam houses.” Feliu of Visto uses Brightmail but prefers to err on the generous side: He filters known spam content into a specific folder where employees can view it if they have some reason to do so (such as if they are looking for a lost message). Says Feliu, “One person’s spam is another person’s gold.”
Providian Financial uses Lotus Notes as its e-mail platform (as does R.R. Donnelley) for its 7,000 employees who have corporate e-mail accounts. CIO Tanni Graichen believes that choice has helped her escape the majority of computer viruses, as hackers target mostly Microsoft-based systems. “Most of the viruses so far have been geared toward systems with directory structures such as Microsoft Exchange. Lotus Notes seems much more protected,” she says.
Providian’s e-mail servers handle between 120,000 and 150,000 internal messages on the average day, plus another 39,000 messages that come through the Internet. Graichen and her e-mail deputy, D’Arcy Tomlinson, have been able to reduce outside traffic significantly by using more than 30 spam filters.
Despite the fact that spam bedevils almost everyone in corporate America today, don’t expect legislation (such as the current Unsolicited Commercial Electronic Mail Act of 2001, H.R. 95) barring it to be passed into law any time soon. The reasons for that are complex. Although every U.S. company (indeed every man, woman and child with an e-mail account) must spend precious time and computing resources dealing with these unwanted messages, spam is not exactly top-of-mind.
According to Everett-Church, who is a member of the Coalition Against Unsolicited Commercial E-Mail, anti-spam activists are sorely out-funded by the pro-spam lobby, which includes large financial-services companies and the Direct Marketing Association. Even though an estimated 30 percent of the 30 million messages coming through the AOL network every day are spam, AOL Time Warner is not backing anti-spam legislation because it wants to reserve the right to send its own commercial messages, according to Everett-Church. Most of the other large ISPs feel the same, he says.
Everett-Church points out that it costs next to nothing to set up shop online, justifying the estimated positive spam response rate of well under 1 percent. “All the spammer needs is one or two hit rates per spam run and he’ll be happy. Sadly, there are at least one or two idiots per million people.”
Executives of public companies don’t like to talk about spam, he says, because they don’t want the world to know just how much it costs them. “When part of your IT budget depends on whether Billy Bob in accounting signed up for a pyramid scheme, that’s not something they like to talk about,” Everett-Church says. “With spam, it’s an ongoing guerilla war.”
Viruses can also be curtailed by filtering out .exe and .vbs file attachments, and by using two different antivirus software packages, one on the server and one on the desktop. That’s Naramore’s approach. He uses Norton AntiVirus on the desktop and F-Secure on the server. However, teaching users to distrust all attachments remains a best practice.
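The attachment filtering described above, as an added example that is not from the article or from any vendor it names: a gateway-side check, written with Python's standard `email` package, that flags .exe and .vbs attachments. It goes a little beyond the text by testing only the final extension (so a name like `REPORT.TXT.VBS` is still caught) and by looking inside forwarded messages; the sample message, addresses and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# The two attachment types the article says are filtered out.
BLOCKED_EXTENSIONS = {".exe", ".vbs"}

def normalized_extension(filename):
    """Return the final extension, lower-cased, ignoring trailing dots/spaces
    (Windows drops those when saving, so 'a.exe.' still lands as 'a.exe')."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def blocked_attachments(raw_message):
    """List attachment filenames in a raw message that should be stopped."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also descends into forwarded messages (message/rfc822 parts).
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits

def build_sample():
    """Constructed sample: a forwarded mail nested inside an outer mail."""
    inner = EmailMessage()
    inner["Subject"] = "Fwd: installer"
    inner.set_content("Forwarded message body.")
    inner.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="setup.exe.")
    outer = EmailMessage()
    outer["From"] = "colleague@example.com"
    outer["To"] = "staff@example.com"
    outer["Subject"] = "Quarterly numbers"
    outer.set_content("See attached.")
    outer.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="REPORT.TXT.VBS")
    outer.add_attachment(b"placeholder", maintype="application",
                         subtype="pdf", filename="budget.pdf")
    outer.add_attachment(inner)
    return outer.as_bytes()

if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("quarantine:", name)
```

A filter that compared the raw file name against a case-sensitive list, or that only inspected top-level parts, would let both flagged files in this sample through.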
Naramore knows it’s just a matter of time before the next incident crops up. “You train them, then it happens again. Luckily we haven’t had any downtime from this stuff.”