Novant Health started fighting spam almost by accident.
The company, which manages health care facilities in North Carolina, needed encryption tools to comply with new federal regulations regarding the handling of patient data. The Health Insurance Portability and Accountability Act requires companies to add layers of security to information architecture, so that prying eyes can't see patient information.
Central to Novant's encryption strategy was IronMail, an e-mail security appliance produced by Atlanta-based CipherTrust Inc. The product, which sits between a company's firewall and its servers, bundles content filtering, intrusion detection, Web mail protection, antivirus tools and encryption. The product also features tools for fighting spam.
"We didn't buy the product with the goal of tracking spam, but it turns out that was a huge bonus," says Chris Walter, Novant's information security officer.
Spam messages account for roughly half of Novant's 45,000 daily e-mail messages. The spam includes the usual pitches for Viagra, pornography and low-interest mortgage rates. IronMail diverts about 20,000 messages a day at Novant's e-mail gateway. The challenge is making sure that legitimate messages aren't inadvertently tossed out in the process.
Novant isn't alone in its antispam fight. Nearly one out of every two e-mail messages sent via the Internet is some form of spam, according to a recent report by MessageLabs Inc., an e-mail security company based in New York City. Additionally, San Francisco-based Ferris Research estimates that spam costs businesses more than $10 billion annually in lost productivity and spending on antispam products and services.
Spam is a problem for many reasons. It consumes server space and network bandwidth, not to mention man-hours, since workers have to spend time every day deleting spam. It also causes security problems, because it can carry worms and viruses.
"Spam is a form of electronic social engineering. Users are exposed to so much spam [that] they often let their guard down when actual malware comes in," says Kevin Beaver, president of IT consulting firm Principle Logic in Atlanta, and author of The Definitive Guide to Email Management and Security. "We're seeing more malicious spam messages contain Web bugs that actually glean information from computers and networks."
In an ideal world, companies would act swiftly to stem the threat that spam poses. Some say that's not happening because many enterprises are only beginning to evaluate spam's impact.
"Companies that have realized spam is a problem and done something about it are probably very well protected. [But] a lot of companies are just starting to realize the true impact of spam," says Paul Judge, head of research and development for CipherTrust and a past chairman of the Internet Research Task Force's antispam group.
United Fire & Casualty Group is one company that has acted. Dave Schoettmer, technical services manager for United Fire, an insurance company in Cedar Rapids, Iowa, recalls how spam grew from merely an annoyance to a drain on resources and productivity at his company.
"There were times when I was spending 20 to 30 minutes several times a day cleaning up my e-mail before I could get to the real work," he says.
Armed with similar complaints from some of United Fire's 750 employees, Schoettmer got management buy-in to address the problem through purchase of software in 2003. The company tried a couple of iterations before settling on MX Logic, a messaging and e-mail security provider in Denver, Colo. Since then, nearly 100 percent of spam reaching Windows Exchange servers is caught, says Schoettmer.
United Fire also decided to educate its employees. "We have a policy of [employees'] not opening up e-mail unless they know the person who sent it or are expecting it," says Schoettmer.
Indeed, although technology can help, enterprises should back it up with written policies on spam, Beaver says. It's especially important to educate users not to reply to spam or pass it along. Rather than deleting spam messages, Beaver says, users should forward it to spam-reporting agencies, like Spamcop or the Federal Trade Commission.
Spammers could face an uncertain future as vendors continue to improve antispam offerings. Spammers will likely need to send out more and more messages to get the same rate of return.
"That means spam just won't be as profitable as it once was," says Michael Osterman, head of Black Diamond, Wash.-based Osterman Research.
About the author: Garry Kranz is a freelance business and technology writer in Richmond, Va.
FOR MORE INFORMATION:
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)