How to Tame the E-Mail Beast

1. Create a reasonable and enforceable policy.

2. Spell out privacy expectations clearly.

3. Require that each employee sign the policy. Issue frequent policy reminders.

4. When the policy is broken, consult the legal department and have an immediate conversation with the employee, accompanied by a human resources representative.

5. Don't limit employee training to policy issues. Also include etiquette, proper use of group mailing lists, and information about recognising scams and urban legends.

6. Limit employee mailboxes to an appropriate size (CIOs interviewed for this article recommended a range from 15MB to 150MB depending on the type of work).

7. Consider your potential legal liability in determining how long to store messages.

8. Consider filtering tools, but be aware of the limitations.

9. Install two different antivirus software packages (one for servers, one for desktops).

10. Teach users to distrust all attachments, particularly unexpected ones.

Training employees on e-mail policies is standard procedure for many companies, but training that stops there is inadequate. Employees also need instruction in e-mail etiquette, including how to recognise spam, scams and urban legends.

A common occurrence: one person sends out a message to everyone in the corporate address book offering free concert tickets - and then someone replies to everyone on the list. Odson has seen this carried to absurd lengths. "Someone will send a message to the network: 'Don't open this file'. Then someone replies to the whole group: 'You're right, don't open that file'. I have seen it get to that point." Odson recommends that employees "BCC" the recipients when sending messages to the whole company. That way, recipients cannot reply back to the entire group.

Some of the most commonly forwarded e-mails are hoaxes. Employees sometimes flood corporate networks with forwarded messages in an effort to help sick children or win free vacations, despite the fact that the majority of those messages are already well-known urban legends. Directing employees to check such missives against a reputable site such as www.scambusters.com can help reduce such distractions.

At Odson's firm, every new hire undergoes a half-day of training devoted to e-mail. The managers can't get enough e-mail training for their direct reports, Odson says, because they have seen the bloodbaths that can result from inappropriate use of e-mail.

Your first line of defence against e-mail troubles is a solid e-mail usage policy, regularly communicated and consistently enforced. Unfortunately, no single e-mail policy works for all companies. Each CIO must sort through corporate culture and arrive at a policy that is within bounds and workable. The undertaking is usually done in conjunction with the general counsel (or other legal adviser) and the human resources department. Once it is set, the e-mail usage policy should become part of the company's HR policies, right there in the employee handbook for all to see.

At Paul, Hastings, Janofsky & Walker, a law firm headquartered in Los Angeles with more than 1900 employees, staffers must sign a technology usage agreement upon joining the firm. CIO Mary Odson also circulates an update or review of the agreement every six months.

The cornerstone of the e-mail usage policy is the definition of proper e-mail use. By now it should be clear that most employees do not have an expectation of privacy in their company e-mail accounts (though it does not hurt to spell that out prominently in the policy). The question that remains is whether employees may use the e-mail system to send personal messages. Allegiance Telecom's policy is restrictive: employees must confine their e-mail to business purposes only. "They should not e-mail their mother," Naramore says. He adds that IT staff do not police employees' e-mail messages unless they see a vast increase in messages or other curious activity. "This doesn't come up unless there's a productivity issue," he says.

Other companies are more lenient. "They're welcome to e-mail or surf the Web during lunch or while taking a break," says Mike Foster, CEO of Foster Institute, a technology training company in Dallas. Still others do not restrict their employees' e-mail or Internet usage, believing that free use is a perk to be enjoyed by all salaried employees in good standing who get their work done.

Ray Everett-Church, senior privacy strategist for the Pennsylvania-based consultancy ePrivacy Group, believes that the most restrictive policies treat employees as children, leading to poor morale, low productivity and an atmosphere of distrust. As a privacy advocate, he strongly advises CIOs not to have a policy of reading employees' e-mail. On the other hand, he says employees should be notified that the network is a company resource and that particular practices (such as downloading MP3 files or sending messages with sexual or discriminatory content) are forbidden. "Reserve the right to access e-mail, but at the same time make it clear the employees are valued and trusted," Everett-Church says.

Executives interviewed for this article echo a key fact of life: policy violations will still happen. The best usage policy in the world will not prevent all misuse. After all, as Foster says, "If it weren't for people, this stuff would be easy." When a breach occurs - and breaches will happen - the most important thing you can do is take action. Whether the offence involved defamation, sexual harassment or disclosure of corporate secrets, you must consult with legal counsel and then meet with the offender. Don't go into the meeting without a rep from HR.

"You must confront the employee and deal with it," says Feliu, who once ran the e-mail system for the United States Postal Service's 200,000 employees in the northeastern United States. If it's a first offence and the person shows remorse, a warning might be enough. If the actions continue after that, dismissal may be necessary. Failing to deal with the issue head-on could ultimately be construed as the corporation tolerating the behaviour - and that could mean big bucks in court in addition to workplace disruption.

E-mail usage just keeps going up. At big companies, the sheer volume of daily messaging can become daunting. At $US5.8 billion printing giant RR Donnelley & Sons, for example, more than 7 million messages flow through the system each month, according to Gary Sutula, senior vice president and CIO. And even at smaller companies, CIOs must consider not only the cost of network usage and physical storage created by the messaging flood but also some possible legal ramifications surrounding stored e-mail.

At Allegiance Telecom, Naramore stores 90 days' worth of e-mail for roughly 4000 employees, which eats up 400 gigabytes of storage space. If your company is a start-up or is relatively small, you might not have felt the need yet to limit the size of employee mailboxes - but you will. Most midsize and large companies limit individual inboxes to sizes between 15MB and a generous 150MB. A more radical possibility: cutting off employee access to some or (in extreme cases) all e-mail distribution lists. "You start out with no constraints, but they soon become necessary. Do you really want someone to be able to post software practice reminders to the whole company?" asks Feliu.

One trick that can help reduce the sheer volume of messages is to help employees balance between "push" and "pull" style communication. E-mail is a push mechanism - it goes out to everyone on the list, even those who might not be interested. Some information is better posted on the corporate intranet - as it would be with an old-fashioned physical bulletin board - where concerned employees can pull the information on an as-needed basis.

Most companies store e-mail messages on a central server, back them up on tape and save them for a certain amount of time. Allegiance Telecom retains its employees' e-mail messages for 90 days as a matter of policy. "We looked at the business needs and weighed those against storage costs," Naramore says. From the disaster-recovery standpoint, Naramore recommends using a mail server such as iPlanet that allows you to recover mailbox-by-mailbox. His e-mail system currently uses Microsoft Exchange, which does not have that capability. The one time he had to recover e-mail from the backup (because of a corrupt mail store), it took 18 hours, an "unacceptable" amount of time.

How long you retain e-mail depends on what your business needs the information for, but there is another significant aspect in storage decisions: legal implications. The longer you store e-mail, the longer it may be subpoenaed by a court. If you back up messages forever, adding and adding to the mail archives or deleting only when you run out of room, you will be responsible for handing over all the stored messages in the case of litigation.

The problem here - beyond the hassle of producing all the e-mail - is that e-mail more often yields incriminating rather than exculpatory evidence. (The damning e-mail messages brought to light in the Microsoft antitrust trial are just such an example.) "E-mail preserves bad things more often than good things," Everett-Church says. "My advice is to keep as little information as possible for your business needs." You might reasonably retain messages for a month to three months. Much more than that and you'll face increasing storage costs - not to mention greater legal risk.

While people and policy issues are paramount, the good news is that software tools offer some help in managing e-mail. Filtering is the de rigueur way to avoid a lot of the spam and viruses floating around in cyberspace. Tools such as MineSweeper and Brightmail filter out the executable file attachments that often contain viruses as well as potential spam, both by objectionable content (for example, "Work at home!") and by segregating messages from known "spam houses". Feliu of Visto uses Brightmail but prefers to err on the generous side: he filters known spam content into a specific folder where employees can view it if they have some reason to do so (such as if they are looking for a lost message). Says Feliu, "One person's spam is another person's gold."

Providian Financial uses Lotus Notes as its e-mail platform (as does RR Donnelley) for its 7000 employees who have corporate e-mail accounts. CIO Tanni Graichen believes that choice has helped her escape the majority of computer viruses, as hackers target mostly Microsoft-based systems. "Most of the viruses so far have been geared toward systems with directory structures such as Microsoft Exchange. Lotus Notes seems much more protected," she says.

Providian's e-mail servers handle between 120,000 and 150,000 internal messages on the average day, plus another 39,000 messages that come through the Internet. Graichen and her e-mail deputy, D'Arcy Tomlinson, have been able to reduce outside traffic significantly by using more than 30 spam filters.

Executives of public companies don't like to talk about spam, Everett-Church says, because they don't want the world to know just how much it costs them. "When part of your IT budget depends on whether Billy Bob in accounting signed up for a pyramid scheme, that's not something they like to talk about," he says. "With spam, it's an ongoing guerrilla war."

Everett-Church, who is a member of the Coalition Against Unsolicited Commercial E-Mail, says anti-spam activists are sorely out-funded by the pro-spam lobby, which includes large financial-services companies and the Direct Marketing Association. Even though an estimated 30 per cent of the 30 million messages coming through the AOL network every day are spam, AOL Time Warner is not backing anti-spam legislation because it wants to reserve the right to send its own commercial messages, according to Everett-Church. Most of the other large ISPs feel the same, he says.

Everett-Church points out that it costs next to nothing to set up shop online, justifying the estimated positive spam response rate of well under 1 per cent. "All the spammer needs is one or two hit rates per spam run and he'll be happy. Sadly, there are at least one or two idiots per million people."

Viruses can also be curtailed by filtering out .exe and .vbs file attachments, and using two different antivirus software packages on the server and the desktop. That's Naramore's approach. He uses Norton Anti-Virus on the desktop and F-Secure on the server. However, teaching users to distrust all attachments remains a best practice.
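The attachment filtering described above, sketched as an added example that is not from the article or from any product it names: it parses a MIME message, checks the final extension of every attachment (so a name like "Invoice.pdf.VBS" is caught), and routes hits to quarantine rather than deleting them, in the spirit of Feliu's separate folder. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The two extensions the article names; a real deployment would use a longer list.
BLOCKED_EXTENSIONS = {".exe", ".vbs"}

def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the filenames of attachments whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # also descends into nested and forwarded messages
        name = part.get_filename()  # decodes RFC 2231 / encoded filenames
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots or spaces, so
        # "SETUP.EXE" and "setup.exe." are treated like "setup.exe".
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in blocked:
            hits.append(name)
    return hits

def route(raw_bytes):
    """Quarantine (do not delete) any message carrying a blocked attachment."""
    hits = blocked_attachments(raw_bytes)
    return ("quarantine", hits) if hits else ("deliver", [])

def build_sample(filenames):
    """Build a constructed test message with one dummy attachment per name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(route(build_sample(["report.pdf", "Invoice.pdf.VBS", "setup.exe"])))
    print(route(build_sample(["report.pdf", "vbs.txt"])))
```

Extension checks only see the declared filename, so they complement the antivirus scanning mentioned above and do not replace it.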

Naramore knows it's just a matter of time before the next incident crops up. "You train them, then it happens again. Luckily we haven't had any downtime from this stuff."

E-mail management is principally a people issue, not a technical one.

Read tips from CIOs on how to get the message out to your employees.

"We tell our employees not to open unknown attachments," says Tim Naramore. "But they do it anyway."
