E-Mail Hell

The Greek gods who sentenced Sisyphus to an eternity of rollin’ that boulder up the mountain, watchin’ it roll back to earth and then startin’ all over again knew their Advanced Mental Torture 1.01. There are few things more poisonous than having to waste great slabs of time on profitless and ultimately ineffectual hard yakka.

So perhaps some god has taken a serious set against business and business people, because with more than half a million e-mails deluging inboxes every few seconds, managing information glut is rapidly becoming a Sisyphean task. Consider this statistic and you’ll know why: research firm IDC estimates more than 1.4 trillion e-mail messages were sent from North American businesses in 2001, up from 40 billion in 1995.

Recent studies show employees now spend anywhere from 49 minutes to four hours a day on e-mail, much of it jokes or junk, with the amount of time spent continuing to rise. Analysts variously reckon 33 per cent of e-mail is useless, that the average Aussie CEO gets at least 60 e-mails a day, that one-third of business e-mails are not answered within 24 hours, that 66 per cent of companies have an electronic junk mail — or spam — problem, and that 38 per cent of consumers view spam and privacy as a greater threat than viruses. We know this, because the analysts are so fond of e-mailing to tell us so.

And all those daily urgings to increase your penis size, make a fortune working from home, share multimillion dollar profits from Nigeria, get fantastic deals on toner cartridges and improve your spamming techniques are having an effect on productivity, corporate liability, morale and even users’ feelings about e-mail. These days, we get work done between e-mails. We’re all at risk of falling to what psychologist David Lewis calls “information fatigue syndrome”, with symptoms including exhaustion, anxiety, memory failure and shortened attention span. “Having too much information can be as dangerous as having too little,” Lewis says.

In 1998 Reuters Business Information surveyed 1313 business managers from the UK, the US, Australia, Hong Kong and Singapore, to find one in four were suffering ill-health related to the sheer volume of information received, with 62 per cent of Australian business managers reporting information overload was making them ill. Reuters found information overload makes managers work late and take work home, cancel social activities and suffer exhaustion and tension in the workplace. Managers felt forced to collect information simply to stay competitive or to justify their decisions, a pressure that was costing business lost time searching for information that frequently cost more than its value.

“All that sending and receiving, responding and deleting is taking an enormous toll on workplace productivity,” says Nancy Flynn, author of The ePolicy Handbook: Designing and Implementing Effective E-mail, Internet, and Software Policies and Writing Effective E-Mail, and executive director of The ePolicy Institute (www.epolicyinstitute.com).

“The real problem is that executives have singularly failed to understand the impact of document proliferation and management on what’s acknowledged to be the most valuable and scarcest of corporate resources — their time, and the time of managers and other key professionals,” says Peter Richardson, professor of Strategic Management at Queen’s University School of Business, Ontario. “Information technology has not only failed to live up to the hollow promise of a paperless office, it has actually created a business world in which document diversity has become the curse of professional productivity.”

Other risks also abound, and are growing. Elron Software’s 1999 E-Mail Abuse Study showed 86 per cent of employees send and receive personal e-mail at work; 60 per cent of employees send or receive adult-oriented e-mail at work; and 55 per cent of employees send or receive politically incorrect or otherwise offensive e-mail at work. Such personal e-mail use in a business context exposes employers to a range of risks: from workplace lawsuits through to lost productivity to e-security breaches and e-sabotage.

And spam is growing, like some malign tumour on the business corpus. The Coalition Against Unsolicited Bulk E-mail (CAUBE.AU) says the amount of spam received increased sixfold between 2000 and 2001 and is doubling every four-and-a-half months. US anti-spam firm Brightmail estimated a year ago that spam constituted 10 per cent of all e-mail. That figure has jumped to 20 per cent.

Send in Anger, Repent Forever

Gartner says the one obvious way to survive what it calls the “e-maelstrom” is to apply greater discipline. E-mail senders, it says, have an obligation to make life easier for the recipients of their messages, while receivers must be rigorous in checking and processing incoming mail. And all must be aware of the potential for e-mail to come back and haunt you. “The IS organisation needs to lay down guidelines for the way e-mail is used throughout the enterprise and ensure that all staff members receive the necessary training,” advises Gartner. It points to future innovation from dominant mailers — such as Microsoft — that will better characterise e-mail and improve routing and handling.

While we wait, some analysts recommend employers take a three-step approach to reducing e-mail headaches to help turn e-mail from foe back to friend. It involves a written e-mail and Internet use policy, content filtering software and an ongoing employee education program to help keep online employees in line.

By using e-mail, companies face several threats, Flynn notes. These range from legal threats to network congestion, and embrace the potential for legal liability, confidentiality breaches, damage to reputation, lost productivity, network congestion and downtime and being forced to retrieve e-mails in response to a court order. Companies should reduce electronic liabilities by notifying employees in writing that the company will not tolerate the electronic sending, receiving or viewing of offensive material.

“No workplace ever can be 100 per cent safe from e-mail risks. But with a written e-policy, filtering software and employee education, employers take big strides toward reducing e-risks, increasing productivity and protecting corporate assets,” Flynn says. Employers should implement, disseminate and enforce e-mail and Internet use policies that are tailored to their specific business needs.

According to Flynn, the e-mail policy must explicitly describe both permitted and prohibited uses of the employer’s e-mail and Internet systems, and make clear that employees do not have an expectation of privacy in their e-mail and Internet use. It should spell out that employees’ business and personal e-mail or Internet communications can or will be accessed or monitored by the company. “Employers may need to review employee e-mail or Internet traffic during internal investigations or to prevent employee abuse of its systems. To accomplish these goals, employers need to familiarise themselves with the latest variations of e-mail and Internet filtering software, as well as stay abreast of the developing law in this area,” Flynn says.

Containing the Deluge

Dr Jay Burmeister, lecturer, Information Environments Program, School of Information Technology and Electrical Engineering at the University of Queensland, has conducted an interim study on the negative effects of e-mail on productivity. He says there are two sides to the e-mail equation. The behavioural side consists of those things people can do at an individual or organisational level to try to a) reduce the amount of useless information and b) cope with the information that comes in. The technical issues include designing better e-mail programs that support people in those behavioural endeavours, both at the individual and the organisational level. CIOs need to consider all four aspects in seeking to contain the negative effects, he says, and recognise the need to develop different techniques and strategies for the four different quadrants.

“As an example on the individual behavioural side of things there are a number of tips for personal things you can do, like turning off the beeper so as not to allow the e-mail to interrupt you,” says Burmeister. “You can also select three times a day to read it, so you feast rather than graze all day. That’s an individual work practice you can get a hold of to try and reduce the disruptive nature of e-mail.

“If you looked at the individual technical side, it’s things like learning to use your e-mail software, learning how to use the filter and setting it up. Then at the technical corporate level I’ve heard one company turns their e-mail server off between 11.00 and 1.00 every day, which means there’s a two-hour period where people are not going to be interrupted by e-mail.”

Other organisational technical initiatives include putting in virus and spam filters, he says, while at organisational behavioural level, people need to get together to agree on an appropriate strategy. For instance, too many people “cc” their boss on too many e-mails, seeking a pat on the back, or to cover their butt. The organisation should agree on the sort of things employees may and may not send to the boss.

“You can also put little things at the beginning of the header: things like ‘ACT’ which means an action is required immediately, or ‘FYI’, meaning you don’t need to read it now, you can read it later, which helps other people to know whether your message is urgent, whether it’s just for information and so on,” advises Burmeister.

The organisation should agree on protocols for how it will manage the flow of information. People need to be encouraged to think about the most appropriate way to broadcast information, which in some cases will mean putting messages on the post boards in the coffee room rather than sending an e-mail. The policy should also embrace personal use of e-mail, joke e-mails and so on, and sexism and racism. Depending on the management style of the organisation, the policy can be achieved either by consensus or dictum, or anywhere along the continuum.

Broadcast News – Not!

When senders put a summary at the beginning of every e-mail, recipients are relieved of some of the responsibility of filtering e-mail, Burmeister says.

“One of the problems with broadcasting [a message] in an organisation is you really don’t know who it’s appropriate to, so that’s why you broadcast on a particular e-mail list. That then puts the onus on the receivers to filter,” he says. “Senders can take responsibility by putting a précis at the top, saying this is what this e-mail is about, and then people can very quickly delete it if it’s not relevant to them. Also putting up there when you would like a reply by, helps people to manage their processing of information and make timely decisions about when it is appropriate to read it.”

When that does not happen recipients should take their own responsibility for filtering by carefully reading the headers, noting the sender and subject. Some golden rules for filtering include:

— Ignore reading junk mail.

— Be selective when responding to messages.

— Limit the time spent dealing with e-mail, for example by opening e-mail only at the beginning of the day or at the end of the day.

— Be careful about giving out your e-mail address.

— Prepare brief and readable e-mail to deter the need for multiple messages.

— Avoid using e-mail when “problem solving” needs to occur.

Gartner notes that while e-mail systems were never designed to support records management, content management systems are increasingly looking for ways to include fax, recordings of live voice conversations, voice-mail, instant messages, digitised paper documents, e-mail messages and attachments in their database. “The ability to identify valuable e-mails requires content-aware classification technologies that are only now starting to appear for use with e-mail systems. Creating an e-mail archive is often the first step to including e-mail as part of a more integrated content management system,” according to Gartner.

“In my opinion,” says Queen’s University’s Richardson, “document management is probably the single largest productivity, revenue and cost improvement opportunity available today to many private sector firms, and certainly public sector organisations.”

SIDEBAR: The ePolicy Handbook

The ePolicy Handbook: Designing and Implementing Effective E-mail, Internet, and Software Policies, by Nancy Flynn, offers the tools, resources, and guidance to any company interested in managing its own e-risk. Published by AMACOM Books www.amacombooks.org

Chapter 4: Developing an Effective E-Risk Management Policy

In the age of electronic communication, there simply is no way to guarantee a completely risk-free workplace. Employers can, however, limit their liability by developing and implementing comprehensive e-risk management programs that address document creation and content, document retention and deletion, e-policy enforcement, and employee privacy expectations.

Give Your Employees Rules to Work By. To help reduce exposures and manage overall e-risks, responsible employers must establish and enforce policies governing employees’ electronic writing. Settle for nothing less than good, clean commentary running through your employees’ e-mail.

Good e-mail is businesslike and free of obscene, harassing, defamatory, or otherwise offensive language. Good e-mail is well-written and free from mechanical errors and structural problems. To ensure that your employees’ electronic communication is as effective as possible, institute and enforce an electronic writing policy as part of your comprehensive e-policy. To guarantee that your employees’ content is as appropriate as possible, be sure to incorporate cyberlanguage guidelines into your e-mail policy.

Sample Content Statement: Employees may not use ABC Corp’s e-mail system, network, or Internet/Intranet access for offensive or harassing statements or language, including disparagement of others based on their race, colour, religion, national origin, veteran status, ancestry, disability, age, sex, or sexual orientation.

Analysis: This content statement leaves nothing to chance. Employees will have no trouble understanding what they are and are not allowed to write.

Establish a Document Retention and Deletion Policy. While originally intended to be a quick and convenient way to communicate, e-mail is being used more formally today. Contracts and other documents can be “electronically signed” over the Internet. Many organisations use e-mail to record business communications for posterity. Coupled with all that professional use, however, is an enormous amount of recreational activity.

Back in the precomputer days, space limitations forced most companies to purge their paper files periodically. Today, electronic files can be, and often are, saved indefinitely. That’s a bad choice.

One of the most important components of a successful e-risk management program is an electronic document retention policy. If your company is like most, you probably don’t have a formal policy for naming, archiving, or purging electronic files. Now is the time to put into place a document retention policy that spells out for employees how to categorise files, where to store files, and when and how to destroy files.

There Is No Good Reason to Save E-Mail Files. Backing up e-mail is equivalent to tape recording telephone conversations. There is no good reason to do so. There is, however, a compelling reason not to do so. If you are sued for some sort of workplace violation, every e-mail message that is backed up, both formal and informal documents, could be subject to review.

Are you using e-mail to document or memorialise business decisions? If so, those messages probably are intermingled with less formal, potentially damaging e-mail that could cost you your case. The best advice? Some experts say you should retain nothing. After all, what isn’t in there can’t hurt you.

If You Must Retain E-Mail, Be Smart About It. Many employers who historically had saved all company e-mail have been jolted into action by the Microsoft antitrust case, the American Home Products trial, and other high-profile lawsuits in which old e-mail messages have played a damaging role in court. As a result, employers are becoming more cautious about e-mail retention. If you want to reduce liability or are uncomfortable with the idea of deleting all your organisation’s e-mail messages, strive for middle ground.

Some organisations, for example, opt to destroy e-mail backup routinely after 30 days. A month-long retention period enables the employer to retrieve data in the event of a crash. But because only a small number of stored documents are in the system, awaiting review, exposure is limited.

What’s Your Excuse for Retaining E-Mail? Given the risks inherent in retained e-mail, why do so many companies insist on backing up all their electronic correspondence? Some executives really do want to maintain a formal record of all business discussions and decisions. Others remain unaware of the risks associated with retaining both formal and informal electronic messages. And at some companies, the information management professionals in charge of backing up data haven’t been educated about the legal exposures they are creating simply by doing their jobs.

Information management people typically are charged with ensuring that no matter what type of system crash or computer problem occurs, data is not lost and users can get back online quickly. Consequently, systems people tend to err on the side of overretention.

Employers who are sincere about reducing the risks of e-mail retention must educate their people, informing them fully of the e-risks facing the company. Once educated, technical personnel can help protect the company from risk, while still saving important data.

Sample Deletion Statement: All e-mail older than [thirty (30)] days will be automatically purged from mail queues and mail host backup. Users must explicitly save e-mail to user files when backup is required. E-mail should not be automatically saved, in order to reduce the need for system memory.

Analysis: This statement may be too technical for the average employee to understand. If you want to use a comprehensive deletion statement like this one, be sure to combine it with training that covers “mail queues”, “mail host backup”, “user file”, and other technical terms that may appear throughout your written e-policies.

As an alternative, you may elect to draft a basic deletion statement that all employees are likely to understand. For example: “The company automatically will delete all e-mail after thirty days. When backup is required, save documents to files. Do not save e-mail messages on your hard drive.”

Force Employees to Empty Their Mailboxes. Do you know what your employees are storing in their electronic mailboxes? You may be surprised to learn some employees are saving e-mail messages from years gone by.

The problem is not merely electronic clutter. It is more serious than that. In case of a lawsuit, a forensic investigator first would ask for all the messages in your employees’ active mailboxes. Next would come a request for backup tape. Finally, hard drives might be reviewed, if the forensic expert had reason to believe employees were storing information there.

An empty mailbox is a safe mailbox. Clean out overstuffed employee mailboxes with a combination of education and automation.

1. Reach out to your employees. Explain the organisation’s e-risks, and issue e-mail deletion guidelines individually. Tell employees you do not want them to hold onto old e-mail messages. Discourage employees from storing e-mail on their hard drives as an alternative to their mailboxes.

2. Explain to employees how the manual delete folder works. Many people do not realise that messages will sit in the delete folder forever unless the user takes steps to empty it.

3. Control whatever you can centrally and take advantage of new, more sophisticated management software as it becomes available. Assign limited e-mail space on your file server. Reduce the size of mailboxes; employees who tend to oversave mail will simply run out of room.

4. Install software that allows your e-mail systems administrator to empty employees’ delete folders automatically every 30 days.

5. Be alert to the fact that your employees may be storing information on their hard drives to side-step automatic deletion. Because no software exists to alert employers to the fact that employees are saving messages to the hard drive, education plays an important role. Make it clear to your employees that saving messages to the hard drive violates the organisation’s e-policy. Stress the fact that were the organisation to be sued, all the material on employees’ hard drives would be subject to legal review.

Limit Liability by Enforcing Risk Management Policies. Rely on your e-policy team to ensure the successful implementation of your e-risk management policy and your comprehensive e-mail, Internet, and software policies. In particular, the human resources manager and chief information officer should play active roles in the introduction of e-policies and ongoing employee education.

An effective e-risk management program should combine technological tools with people skills. Utilise all the e-risk management software at your disposal; then add a big dose of common sense to the mix.

Hush . . . Keep Your Password to Yourself. Would you buy an expensive luxury car, then leave it sitting unlocked in a public parking lot with the keys in the ignition? Doubtful. Do you go to sleep at night with all your doors and windows standing open and unlocked? Unlikely. Would you leave your purse or wallet sitting in plain view in a high-traffic, open-office environment? Surely not. Most of us go to great lengths to safeguard our personal property. Too bad we don’t give the same consideration to our business assets.

In many offices, computers are treated casually, making it relatively easy for the unscrupulous to break in and steal data or funds. Use your organisation’s password procedures to lock out e-intruders.

1. Establish a policy of changing all passwords quarterly, sooner if a problem employee is terminated or other e-trouble occurs.

2. Maintain an updated record of employee passwords. Prevent employees from locking you out of your own computer system.

3. Use your e-policy to notify staff that passwords are the property of the organisation, not the individual employee.

4. Instruct employees to store passwords in secure locations. It is not uncommon to find password lists taped to computer monitors or sitting in employees’ unlocked desk drawers. Common carelessness like this negates the purpose of security.

5. Prohibit the use of passwords that reflect personal information, such as an employee’s name, birth date, social security number, or child’s name. Instruct employees to create passwords that combine numbers, punctuation marks, and uppercase and lowercase letters.

Restrict Computer Access. While some organisations maintain tight physical security, controlling access to the building and monitoring movement throughout the facility, other companies exercise almost no control over visitors’ activity. Likewise, effective e-risk management calls for the establishment of a few basic security measures.

1. Because it is tempting for co-workers, visitors, and hackers to walk up and use an open, online computer, instruct employees to shut off their computers if they plan to be away from their desks for more than an hour. If you prefer to automate, you can establish a password system at the workstation or network level. After a certain period of time, employees would have to use passwords to re-enter unattended computers.

2. Authorise the chief information officer to establish policies that restrict remote access to your computers.

Investigate Unusual Behaviour. If you notice or suspect out-of-the-ordinary employee behaviour, have your information management people check it out. Systems professionals will know what you mean by “odd” behaviour, and they can do a search to see if the employee in question has been dialling into the network in the middle of the night, downloading a large number of files, or engaging otherwise in suspicious activity.

In addition to investigating isolated incidents, take steps to stifle employee urges to misbehave.

1. Conduct periodic reviews to ensure that employees are not attaching unauthorised storage devices to their computers.

2. Look for clues. If an employee brings a large, removable drive to work, find out what’s up. Oversized removable drives are used to download really large files. Ignore the obvious and you may facilitate the theft of valuable company data by an employee who is going into business or joining a competitor. Similarly, if you see an employee walking in with a new box of floppy disks or the like, there may be a problem looming. An employee who wants to remove a lot of information in a hurry likely would bring in a removable storage device or a big stack of floppy diskettes. These devices usually work faster than an Internet transfer.

3. Conduct routine audits. It is a good idea to conduct random audits of user e-mail on an annual basis, if not more frequently. If your random review uncovers a problem, such as inappropriate language or extensive personal use of the system, you have the option of developing and enforcing stricter e-mail and Internet policies for the entire organisation or dealing directly with the individual offender.

Use Monitoring Software to Catch Bad Electronic Behaviour. As an employer, you are obligated to create a harassment-free, discrimination-free work environment. You must control sexual harassment. You must prohibit the on-the-job collection and distribution of pornography. And you must prevent use of e-mail as a tool to create an intolerable work environment. Many employers find control is best achieved by monitoring employee e-mail and Internet transmissions.

Don’t leave e-risk management to chance. Install monitoring software to review and report on employee e-mail use. Software that flags key words, such as the names of supervisors, competitors, products, and trade secrets, will help you stay one step ahead of employees who may be preparing to grab sensitive information and run. When an “alert” word is used in an employee’s e-mail message, the document automatically will be transmitted to a supervisor.

Employers who want to know what employees are thinking as well as writing are turning to a new type of surveillance software that covertly monitors and records every keystroke an employee makes. Let’s say a disgruntled employee composed a nasty limerick about the boss, or a frustrated sales executive drafted a go-to-hell memo to a customer. Until now, employees could take comfort in knowing that once they regained composure and hit “delete”, their ugly messages would disappear. Employees working in offices with keystroke loggers no longer have that safety net.

With keystroke logger software, all employee keystrokes are stored on the company’s hard drive or sent via e-mail to a system administrator to retrieve as necessary. Every letter, every sentence, every comma, every typo, every revision is recorded. The employee’s thought process and rough drafts are as accessible to the company as the final product is.

Why would you want to monitor every draft, typos and all? As a deterrent. If employees know you really can read every word they write, they most likely will comply with your directives to use the company’s e-mail system strictly for business, and in compliance with your content and cyberlanguage guidelines.

Similarly, your employees probably would be less inclined to surf inappropriate Web sites if they knew their workstation computers were data magnets. If you want to know what your employees have been up to on the Internet, all you need to do is look at their hard drives. Review the most obvious spots first. Pull down the list of sites most recently visited and any favourite sites that have been bookmarked.

Most Internet browsers store a list of sites visited, and some even store actual screen images. Employees who think they are visiting adults-only Web sites secretly may be surprised to learn the boss has the ability to call up and view exact replicas of the naughty pictures the cyberslackers have been looking at on company time. On a network level, software is available to enable network administrators to keep tabs on employees’ online activity.

Chapter 4 Recap and E-Action Plan: Putting E-Risk Management to Work

1. Control e-risks by controlling e-content. Establish and enforce policies that govern the creation and content of e-mail and Internet documents.

2. Consult with your cyberlawyer to determine the best e-mail retention and deletion policy for your company; then implement it consistently. Include an empty mailbox policy for employees. Remember, though, it is illegal to begin a document destruction campaign if pending litigation would be affected by it. So put your retention and deletion policies into place before trouble strikes.

3. Educate your employees. Provide managers and staff with e-scenarios that could affect the well-being of the company and the security of employees’ jobs. Follow up with actions employees can take to help limit risks.

4. Keep your eyes open to unusual or suspicious behaviour on the part of employees and outsiders. The adage “better safe than sorry” is never more true than when applied to e-risks.

5. Don’t leave e-risk management to chance. Install monitoring and filtering software to control employees’ e-mail and Internet activity.


Stories by Sue Bushell
