TECHNOLOGY
July/August 2004
PRIORITY: MAIL
From keeping it up to keeping it safe
to just plain keeping it, e-mail now warrants an actual strategy.
By John McPartlin
As e-mail becomes the lifeblood of the
modern company, what happens when the blood stops flowing?
A 2003 study of 850 IT managers by research firm Dynamic Markets
for Veritas Software found that one-third of respondents thought
a week without e-mail was more stressful and traumatic than
either a minor car accident or divorce. In addition, 68 percent
said corporate employees would get irate if they lost e-mail
access for as little as 30 minutes, and one-fifth said they
would potentially lose their job if e-mail downtime lasted
24 hours.
That's a lot of pressure, and it offers
further proof - as if any were needed - that e-mail is the
killer app of the Information Age. While the actual mechanics
whereby e-mail systems are kept up and running fall, in most
cases, to midlevel IT staffers, e-mail poses a number of high-level
management concerns that senior executives need to stay on
top of. From disaster recovery to privacy to regulatory requirements
and beyond, e-mail is no longer an electronic office supply,
but a key - and complex - piece of corporate infrastructure.
Down, and Out?
Until recently, the most common way to
respond to an e-mail outage, other than to spiff up your résumé,
was to sign on for a replication service, which constantly
syncs your company's primary e-mail server and an off-site
backup server so you can switch from one to the other in the
event of database corruption, virus attacks, or a power failure.
The cost of such peace of mind can be high - US$100,000 and
up for midsize organizations and much higher for larger companies.
But new options are emerging. MessageOne,
for example, now offers a more reasonable solution called
Emergency Messaging System, or EMS. With this approach, managers
supply backup e-mail and text-messaging contact information
for all employees, including mobile phones, pagers, BlackBerry
devices, and alternative e-mail addresses. If disaster strikes,
EMS can be activated either by calling MessageOne's emergency
line or using a Web browser to access a secure page. Upon
activation, the system sends alerts to all employees at their
alternate addresses and automatically reroutes mail to a secure
EMS hosted by SunGard and IBM. Employees are then able to
receive and send their corporate e-mail via the web. Once
the core e-mail system is restored, all traffic sent and received
during the downtime is assimilated into the primary e-mail
system.
When a severe rainstorm hit Texas in the
spring of 2003, commercial offset and digital printer CC West
completely lost its internet connection. For a company that
does 80 percent of its business via e-mail, that was not a
good thing - it stood to lose at least US$10,000 worth of
business for every day e-mail was down. But the company had
contracted with MessageOne just six months before, so it was
able to reconnect with its largest customers, including Dell,
within minutes.
"We immediately called in and activated
[the system]," explains James Diorio, vice president of operations
at CC West. "It notified our entire sales force, and we were
able to send files and receive job orders and even 50-megabyte
high-resolution PDF [portable document format] files in no
time."
Many firms have been turning to commercial
(that is, free) and in-house instant messaging systems as
a temporary backup when their primary e-mail systems go down.
However, security concerns and the inability to archive important
messages often make IM a less-than-satisfactory fallback position.
IM is so popular that many of the same disaster-recovery issues
now being addressed for e-mail will probably be extended to
these systems, but for now analysts caution companies against
a default reliance on this technology.
Companies that provide outsourced e-mail
services often promise 99.9 percent uptime and disaster-recovery
capabilities, among other perks. While some very large companies
have signed on, outsourcing of e-mail is generally an approach
favored by midsize firms.
Beware the Trash Folder
As more and more business becomes documented
in e-mail rather than memos and reports, document retention
becomes a challenge on several levels. Whether it's compliance
with the Sarbanes-Oxley Act of 2002, US Securities and Exchange
Commission regulations, or laws governing the handling of
patient data in the health-care industry, most companies are
grappling with the questions of which e-mail messages to save,
how to save them, how long to save them, and what it will
all cost.
Ignorance of regulations - whether at
the federal, state, or industry level - is not bliss: the
risks of noncompliance can be severe. In March the SEC fined
Banc of America Securities US$10 million for stalling on providing
evidence in an investigation: the company had claimed it would
take too much effort to produce the required archived e-mails.
In December 2002, the commission fined Wall Street brokerage
firms Deutsche Bank Securities, Goldman Sachs, Morgan Stanley,
Salomon Smith Barney, and U.S. Bancorp Piper Jaffray more
than US$8 million for failing to retain e-mails for the proper
SEC-mandated retention period.
While some of these regulations are new,
companies can't claim to be blindsided by the need to hang
on to e-mail; as far back as 1998, Procter & Gamble was fined
US$10,000 for not properly storing e-mail messages relevant
to an ongoing court case.
According to a study last year by Osterman
Research, fewer than 50 percent of companies keep critical
e-mail-based data long enough. Most firms fall into one of
three categories: those that delete all e-mail regularly (usually
after 90 days), those that hang on to everything, and those
that keep only e-mail that may be of legal import.
RW Smith & Associates, a brokerage firm
based in the US, has taken the "catch everything in the net"
approach to e-mail retention. "We don't really need to keep
everything, but we chose to save everything by default," says
Richard G Smith, director of IT. "Stuff that we deem disposable
at a later date can be easily filtered out." Smith has also
tweaked his company's e-mail-retention application so it can
flag any message that violates the company's internal e-mail
policies, including messages that could potentially violate
sexual-harassment policies. "A copy of the [offending] mail
is flagged automatically, and is moved to a folder that is
searched and viewed by our compliance officer," he says. "Anything
deemed inappropriate is dealt with accordingly."
Building a Bigger In-box
While brokerage firms may understandably
want to err on the side of caution, some analysts (and even
some vendors) think many companies are overreacting to e-mail
compliance issues by trying to save every message that runs
across their servers. "People don't know what to do with e-mail,
so they just say, 'Archive everything and we'll figure it
out later,'" says Alan Weintraub, senior director of solutions
marketing for Hummingbird, an enterprise software company
focusing on content and e-mail management. "Keeping everything
is not a good thing. As you enter into discovery, [having
everything archived] can really open up a can of worms."
That is, e-mail can furnish evidence of
unrelated wrongdoing that is inadvertently stumbled upon during
a discovery process. On the other hand, in some legal cases
juries have actually been instructed that if a company has
deleted documents relevant to the case, it would be safe to
assume that those documents would have been damaging to that
company's case.
Legal complexities aside, archiving all
important e-mail messages for at least 90 days - and, for
some, up to 30 years (or even indefinitely) - creates a storage-and-retrieval
challenge as well. These messages must be arranged in such
a way that when the call from a regulatory agency or the SEC
comes in, the relevant e-mail paper trail can be found quickly.
The Radicati Group estimates that the
average corporate e-mail user sends and receives about ten
megabytes of data per day, and predicts that volume will rise
nearly 60 percent by 2008. That in turn will trigger an even
bigger rise in corporate spending on e-mail archiving equipment
and services, which Radicati says will reach US$277 million
this year and balloon to nearly US$2.5 billion by 2008.
Major vendors in this space include a
mix of traditional data-storage companies and some specialty
companies, including EMC's Legato Software, KVS, CommVault
Systems, IXOS Software, and Hewlett-Packard's Persist Technologies.
Other vendors, including Iron Mountain and Zantaz, offer to
host a company's e-mail storage off-site, catering to the
same customers that have traditionally used off-site locations
for copies of paper documents.
At law firm Andrews Kurth, "e-mail is
a tremendous part of our life," says CIO Lynn McGuire. "We
need to ensure that mail continues to flow between our attorneys
and our clients." To hang on to all of it, the firm takes
a multitiered approach worthy of a Global 100 company, with
redundant e-mail servers, a storage network with additional
redundancies, and tape backups. The firm layers some new software
on top of that sizable infrastructure, including Information
Management Research's Alchemy MailStore, which helps it comply
with SEC regulations. Every piece of e-mail coming in and
out of the firm is snagged by MailStore and placed in a repository
that is backed up to a combination of tape, disk, and optical
drives. These e-mails are automatically categorized and are
searchable by sender, subject, group, and keyword, all to
make finding a given message relatively fast and simple.
But, depending on the volume of e-mail
a company needs to retain, some of these full-scale storage
approaches may be overkill. Increasingly, applications such
as MailStore allow companies to do their backups using simple
recordable DVDs. Since the DVDs are not rewriteable and are
considered tamperproof, they fulfill regulatory requirements
for a much smaller chunk of change. "Small companies with
up to 100 mailboxes to archive often can get by with a US$250
DVD writer and still be compliant with SEC rules," says Dan
Lucarini, vice president of marketing at Information Management
Research.
The Human Fracture
E-mail problems take many forms, not all
of them external. In fact, depending on the size of a company,
it may have hundreds or thousands of vulnerabilities all around.
They're called employees.
A 2003 study of workers at UK companies
by Taylor Nelson Sofres found that two-thirds of them were
not aware of even the most basic antivirus techniques. One-third
said they were too busy to check through their e-mails and
avoid potentially infected files. And even if a virus did
get through because of their negligence, 95 percent of the
respondents said they wouldn't care. In fact, according to
Radicati, 85 percent of viruses are spread by employees opening
infected e-mail or attachments without a second thought -
despite endless news coverage and constant reminders from
corporate IT departments to avoid the practice.
When employees aren't opening up their
company's networks to virus attacks, they may be intentionally
or unintentionally forwarding proprietary company information
to someone who is not on the need-to-know list. "Studies show
that up to 50 percent of your company's intellectual property
may be floating around in e-mail at any given time," says
Ray Villareal, CEO of corporate e-mail security company Omniva.
"A lot of times people end up handling e-mail in ways they
regret, like forwarding a confidential e-mail on to their
brother-in-law."
Rather than preach about policy, many
companies are deciding that this is one area in which a little
employee disempowerment makes sense. Server-based software
can address many e-mail problems despite employee indifference,
and a wide range of antivirus products now make sure that
employees never get the chance to open lethal attachments.
Meanwhile, with the help of applications
from companies like Omniva, sensitive e-mail messages can
be restricted so they cannot be forwarded to anyone outside
the company or even outside of a small group of people within
that company. If a worker attempts to forward or even print
a restricted message using Omniva, he or she will receive
a warning, and the action will be automatically blocked.
Many industries also have unique needs
that can be addressed at the server level. Within law or engineering
firms, for example, e-mail policy software can automatically
convert legal documents or engineering blueprints into read-only
Adobe PDF files before they are sent outside the network,
to ensure against inadvertent changes or deletions on the
client side.
Such measures go a long way toward preventing
mistakes, but deliberate attempts at sabotage and subterfuge
are another matter. Experts say that technology alone won't
obviate the need for a strict written e-mail policy that lays
down ground rules and creates the justification for fireable
offenses. According to analysts, a comprehensive corporate
e-mail policy should include clear explanations of e-mail
etiquette, acceptable personal usage, prohibited content,
e-mail monitoring techniques, e-mail retention, the handling
of confidential information, and a disclaimer to be added
to all sent messages.
A Meaty Issue
Finally, no discussion of e-mail woes
is complete without at least a cursory nod to spam. When Congress
passed the cleverly named Controlling the Assault of Non-Solicited
Pornography and Marketing (also known as CAN-SPAM) Act late
last year, you would have been forgiven for believing it was
the beginning of the end for illegal spam marketers. But things
seem to be getting worse, not better. Antispam-software vendor
Brightmail estimates that more than 63 percent of total Internet
e-mail is now spam, an increase of 17 percent since just April
of last year.
"In the five years I have been
with the firm, e-mail has just exploded in volume," says Andrews
Kurth's McGuire. "When I started, we would receive about 10,000
e-mail messages a day. Today, we block 100,000 spam messages
a day."
US-based Ferris Research says that all
this junk e-mail costs American companies more than US$10
billion a year, or US$14 per user. This flood of spam has
brought with it a flood of antispam-software companies - perhaps
100 or more. The good news is these antispam-software packages
are now better than ever and can catch the majority of the
spam coming through. The bad news is the spam just keeps coming.
"It's basically an arms race between the spammers and the
antispam people," says Richi Jennings, lead analyst for Ferris's
spam and boundary services practice. "Spammers invent new
techniques to confuse spam filters, and then the vendors engineer
new techniques to filter out that spam." Once good antispam
defenses are deployed for enough mailboxes, Jennings says,
the financial incentive to spam will disappear.
Vendors are also developing an authentication
process through which spam with forged sender information
would automatically be rejected by mail servers. Microsoft
has proposed a combination of caller ID for e-mail - which
would eliminate domain forgery - and some kind of e-mail stamp
system in which there would be a small fee for sending e-mail,
probably mere pennies per message, that would be of little
concern to individuals but would act as a serious deterrent
to spammers. Both Yahoo and America Online have competing
proposals. Most likely, future spam filters will support one
or all of these systems at the same time.
Will this arms race end in mutually assured
destruction, or will one side finally collapse from the sheer
cost of doing business? Most analysts think the combination
of spam filters, legislation, marketing industry self-policing,
and some kind of authentication system will make the spam
business an increasingly unattractive and costly one to be
in. However, no one is willing to put a date on when we will
likely be footloose and spam-free.
John McPartlin is a US-based writer
and former editor of NetGuide.