The hidden dangers of email

THERE can be little argument that electronic mail is a mission-critical and indispensible business tool upon which most enterprises are partially or totally dependent.

However, as is often the case with technologies offering significant advantages to business, email has been embraced and elevated to its contemporary level of importance with only limited regard to the wide range of problems it brings with it. In this article, the first of a two-part series examining the dangers of email, we look at various forms of email abuse that pose serious threats to business enterprises both locally and worldwide.

Although most business managers and IT support staff are aware of high-profile email-related problems, such as its use as a means of computer virus transmission, other abuses of equal or greater threat, committed both internally and externally, require equal consideration.

The misuse of email systems by company employees is a common internal form of email abuse. This often involves the use of company email facilities for personal matters and the transmission of inappropriate, immoral or legally compromising content.

A recent survey undertaken by London-based law firm Klegal, in conjunction with Personnel Magazine, found that excessive use of company and Internet and email systems, the sending of pornographic emails and the accessing of pornographic web sites were the three main forms of online abuse committed by employees in UK companies. The study also revealed that disciplinary action taken against UK employees for email and Internet abuse exceeded that of all cases involving dishonesty, violence and health and safety breaches combined. Of these, 19 per cent involved excessive amounts of time using email for personal reasons and 14 per cent involved the sending of emails potentially damaging to the company’s reputation.

A similar trend exists within Australian companies as found by the 2002 Australian Computer Crime and Security Survey. It found that 98 per cent of Australian companies polled reported internal computer abuse that included employee abuse of Internet access or email.

At a minimum, such abuse imposes a twofold cost on employers in the form of lost employee productivity and bandwidth usage expenses. Potentially more damaging however are the financial penalties and loss of reputation companies are exposed to when facing litigation resulting from employee distribution of racist, defamatory or sexually explicit material via internal email systems.

So serious is the potential impact of such behaviour that many Australian organisations have taken a tough approach towards offenders. In 2000, for example, five NSW police officers were sacked when it was found they had been involved in the distribution of graphic pornography over the police email system. Also in 2000, staff from Toyota and Holden and Centrelink staff in Adelaide were suspended or sacked for distributing pornographic emails.

Behaviour of this kind is often the result of ignorance on the part of employees who fail to consider the consequences for themselves and the company when abusing email systems in this fashion. However, an organisation’s email system can also be used for the much more calculated and potentially ruinous act of industrial espionage.

Email represents an ideal means by which to spirit documents, and the sensitive information they contain, out of a company. Physical documents are often bulky, attract attention if being photocopied and present a heightened risk to offenders attempting to remove them from a place of business. In an electronic format, however, the same documents can be dispatched with an imperceptible click of a mouse button, often from an unwitting collegue’s unattended workstation. In seconds, especially if broadband is being used, the documents are gone, arriving soon after in the hands of a competitor.

In a high-profile 1993 case in the United States, a former vice-president of what was then Boorland International allegedly transferred sensitive Boorland information via the company’s email system to the CEO of software giant Symantec just hours before resigning from the company. The former Boorland VP was apparently disgruntled after a staff reshuffle in which he was not favourably considered. Civil and criminal suits were brought against both executives. The electronic messages sent were seized and used in a costly legal battle lasting four and a half years.

However, it is not only internal sources from which email-related problems originate. A particularly insidious form of email abuse, unsolicited email, has become the focus of anger and concern within the business community worldwide.

Unsolicited email, commonly referred to as ‘spam’, is the Internet version of junk mail and usually takes the form of advertising material, although it can also act as a distribution mechanism for extreme views and sexually explicit content such as pornography. In some cases, spam can even be used as a means of attack on an organisation’s networks, causing them to crash under a bombardment of useless messages.

The distributors of junk email, known as ‘spammers’, acquire company email addresses using a variety of methods, some of which are legal, many which are not. Often, spammers will bypass spam-wary staff and security systems by disguising the messages they send, making them appear to come from respected companies. This increases the likelihood that recipients will open and read the unsolicited message contents.

A recent survey commissioned by email security company SurfControl and conducted by the University of Western Sydney found that the quantity of objectionable email content (spam) making its way into Australian organisations was considerable. Most commonly reported were chain letters (89 per cent), credit offers (88 per cent), money making emails (87 per cent) and pornography (77 per cent).

Spam can negatively affect an organisation’s bottom line in a number of ways. These include employee time wasted in opening and dealing with the unwanted messages, the cluttering up of email boxes, and the diminishment of network performance.

In part two of our analysis of the dangers of email we will examine the measures and technologies organisations can take to protect against the negative consequences of email abuse by internal and external sources.