24 Jan 2002
This week, Pete Simpson, manager of Baltimore Technologies' MIMEsweeper ThreatLab, looks at the cost of internal threats.
Do you know how many non-work related files are entering and circulating within your company: spam, hoaxes, malware, porn images, scams and jokes?
Some 6,000 pieces of spam hit billg@microsoft.com every day (Sunday Times 10 June 2001). In a study commissioned by the European Commission (February 2001), it was revealed that unsolicited commercial emails cost global businesses $9.4bn each year in connection costs alone.
While uninvited email may only seem like a few messages per person per day, there are costs associated with:
Further costs may follow from loss of confidentiality, possible litigation and impact on business reputation. Whilst one can't possibly provide a quantitative model for an individual organisation's costs without making assumptions with regard to technological options and working practices, some of the formulae presented below indicate the nature of costs that may be incurred.
Time spent reading non-work related email messages
Average time (as a fraction of the working day) spent reading non-work related email (i.e. spam) x average wage per day for one employee x number of employees x number of working days per year = annual loss of productivity for the company.
The following statistics reflect the scale of the problem:
Average time spent by employees managing email per day = 49 minutes (source: Gartner 2001)
Average percentage of email consisting of spam = 39 (source: BusinessWire, April 2000)
Average daily wage = $192 (source: CAUSE).
According to Ferris Research, in 2003 the average individual will waste 15 hours deleting email, compared to 2.2 hours in 2001, at a cost of $400 per in-box.
Gartner (May 2001) also estimated that in 2002 only five per cent of enterprises will successfully block 90 per cent of malicious spam. In the same report it was found that 34 per cent of internal business email is occupational spam, i.e. email that's unnecessary for business.
The report concluded that a company would experience a 30 per cent saving in the time employees spent managing email if it rid itself of occupational spam by implementing an email usage policy.
Although from a reputable source, the figures above may reflect geographical variations in terms of corporate practices, policies and salaries. You can put in your own figures to the equation. The point is that, by combining these factors, the cumulative effect of non-work related email on productivity is significant.
Bandwidth consumed during the delivery
Average number of non-work related emails received per day per person x average size of file (e.g. video) x number of employees = 'opportunity cost' of bandwidth consumption per day by spam.
The equation above amounts to a metaphor as opposed to a quantitative formula, but intends to highlight the threat to a business when bandwidth is unavailable to support a business-critical activity.
For example, corporate users may be either blissfully unaware, or completely ignorant, of the network bandwidth consumption associated with downloading large graphics files, playing online games or accessing streaming audio/video. The large file transfers can degrade network performance for all users.
As people use graphics and multimedia more for documents and presentations, the size of the average email will increase. An average three to five minute MP3 track is around 3Mb to 5Mb, while a single movie clip in MPEG format would start at around 20Mb to 30Mb.
Consider a company of 100 people, with every employee having downloaded and stored just one of each - an MP3 or MPEG file - during the period of one year.
When these large messages are sent internally or externally, they will consume precious bandwidth. It may be sensible to set up and enforce a policy so that large messages are sent at more appropriate times when there is more network capacity, otherwise the legitimate business users will suffer poor performance or even server failure.
Research has found that users are 20 per cent less productive when the messaging server is down than when the system is running (Creative Networks).
Content Security's manageability and reporting capabilities allow the corporate IT department to easily explain poor network performance by identifying employees that abuse corporate internet privileges with MP3 downloads, streaming video, stock trading, shopping, online gaming and other activities.
It enables corporate policies to be set up to provide groups of users with varying allotments of personal internet time and bandwidth. Therefore, a policy can be set to monitor overuse only. Also, the internal charge back for network costs can be fairly allocated to specific cost centres.
Data storage on the file server (own or outsourced)
During March last year, email traffic in the UK rose to six gigabits per second (an equivalent of 360 messages every second). Although email traffic is no longer rising at an exponential rate, it is still continuing to rise at a steady pace.
All of these emails require storage space and many of them are spam. Companies must prevent spam from entering the company network and reduce inappropriate internal emails in order to reduce email storage costs and increase network performance.
Cost of inappropriate email content
Another potential cost of internal occupational spam is litigation. Companies are liable for the content of emails, and racially/sexually harassing emails can lead to substantial lawsuits. The alarming thought is that it only takes one email to offend an employee and the cost could run into six figures.
In an article in the Journal of Biolaw & Business, Schreiber points out that Citibank, Morgan Stanley and R.R. Donnelly & Sons have all been sued by employees over email messages that they said contained racist jokes (source: Industry Standard March 2000).
In another case against a major brokerage house, a racist email that became the subject of office jokes led to a lawsuit by two employees seeking $5m in compensatory damages and $25m in punitive damages per plaintiff. The lawsuit was later settled for an undisclosed amount (source: The Journal Record Dolan Media, March 2000).
Furthermore, companies are liable for defamation of competitors. Norwich Union Insurance was forced into an out of court settlement of $700,000 for alleged defamation by email against a competitor, Western Provident Association (source: Australian Financial Review, April 2000).