cfo.com

Print this article | Return to Article | Return to CFO.com

Get Rich Quick Fighting Spam?

Perhaps not. But the ROI from better managing junk E-mail sends a message every finance executive should heed.
Esther Shein, CFO.com | US
April 27, 2004

At faucet maker Moen Inc., a trickle had grown into a torrent, and security manager Rob Buchwald didn't like the sound of it. Every day, he heard complaints from employees at the North Olmsted, Ohio-based company — the largest manufacturer of faucets and plumbing accessories in North America — on the flow of junk E-mail that wouldn't stop. Slimmer hips. Cheaper mortgages. Better sex. Exciting get-rich opportunities (just send your banking information).

Like many hands-on types, Buchwald faced the usual question: Do it himself, or call in a professional? Buchwald quickly recognized that fulfilling Moen's business initiatives was a priority for the IT staff, but that "antispam is one of those things that doesn't directly affect how we ship product." He'd also seen — in his own inbox — how quickly spammers adjusted to the "cat-and-mouse game" and modified the tricks and techniques that help their messages avoid filters, rules, and signature lists. Rather than spend days and nights fending off crafty spammers, Buchwald turned to MessageLabs Inc. of New York.

"Antispam is now a must-have for a large enterprise" just like firewalls and antivirus software, says Phebe Waterfield, an analyst at Boston-based research firm Yankee Group. By some estimates, between 50 percent and 75 percent of all corporate E-mail is spam — not a big surprise when it costs virtually the same to send a hundred messages, or a million. For the spammer, every junk E-mail is another money-making opportunity.

For the company on the receiving end, however, every junk message that an employee deals with personally cuts into company productivity. In the aggregate, spam clogs network bandwidth, indirectly lowering company revenue by slowing down legitimate applications.

As for the do-it-yourselfers, Waterfield notes that many companies once tried to manage spam internally because they were concerned about entrusting their E-mail to an outside company. "That's considered a little paranoid these days," she says, now that the aggressive and ubiquitous nature of spam has led to a change in mindset.

Using an external service is only a little more expensive than handling spam internally, adds Waterfield. Managed service providers usually charge a subscription price plus per-user fees, and any additional hardware and software costs are more stable. In addition, says Waterfield, "a service provider might offer you some sort of business continuity" — if your internal servers go down, they may store messages so nothing gets lost, and offer remote access to E-mail until things are back to normal.

Turning Down the Volume
It was less the lure of fringe benefits and more out of sheer frustration that led Edward Kamp to search for a spam solution on behalf of Harman International Industries Inc. "We had users who got anywhere from 10 on the low end to 100s of spam E-mails every day," says Kamp, director of global networking at the stereo equipment manufacturer. "We definitively had a productivity issue."

Kamp considered bringing software and hardware in-house, but he realized that meant hiring additional IT personnel. Harman has almost 8,000 users, and although the company is headquartered in Washington, D.C., the company has facilities throughout North America, as well as in Europe, Asia, and Africa. "Because of the complexity of the environment and the time differences and everything else that comes with being geographically diverse," he says, "the outsourcing decision was an easy one to make." Adds Kamp: "There was a definite pressure to outsource this functionality, because it's not a value-add or strategic direction for this company. It was more of a nuisance… and we didn't want to commit staff to the project."

The company chose Redwood City, California-based Postini Inc. as its managed service provider. Harman reroutes all incoming E-mail to Postini's servers, where it is scanned for viruses and filtered, using keywords, for spam. All acceptable E-mail is then delivered to Harman's servers; recipients read those messages just as they always have. Unacceptable E-mail stays in a Postini web-based server, where employees can check their individual message centers to safely view E-mails — even virus-infected E-mails, if they wish.

Employees can also examine their message centers for "false positives" that were inadvertently filtered, and forward these E-mails to their regular inboxes. In addition, each employee can adjust his or her own E-mail-filtering thresholds, if Postini seems to be letting through too much spam or holding back legitimate messages. Kamp isn't certain about Postini's false-positive rate, but he says that Harman has experienced only "extremely rare" cases where a good E-mail has been filtered out as bad.

An added benefit of outsourcing the antispam effort, says Kamp, is that far less spam is clogging Harman's Internet connections. "All that bandwidth we used to get junk isn't wasted any more," he adds, "and all that bad mail stays out there on the Internet." The outsourced model is "very flexible, efficient, and the cost is not too bad."

And the ROI? Kamp maintains that Harman has seen a phenomenal saving in productivity, if one calculates the time that users once needed to delete bad E-mail, multiplies by the number of Harman's worldwide employees, and factors in an average salary. Using that formula, Kamp estimates that Harman is saving hundreds of thousands of dollars annually.


A Healthy Improvement to Productivity
Likewise, at Dallas-based Odyssey Health Care Inc., managing client-side software was never a consideration. The costs of training and administrative overhead simply wouldn't have been worthwhile, maintains vice president of information technology Henson Rogers.

The healthcare provider already had 20 people supporting more than 100 servers, 1,200 desktops, and 50 notebooks. "Between the up-front cost of an internal filtering system, and personnel costs to run it, outsourcing — at a favorable price point — made the most sense," says Rogers. To raise productivity and "protect our workforce from obscene and offensive material," he adds, last year Odyssey, like Moen, decided to outsource its antispam efforts to MessageLabs Inc.

Odyssey redirects incoming E-mail to "control tower" servers on the MessageLabs network, where the messages are scanned for spam and viruses, using multiple detection techniques. Odyssey, like other customers, can decides how MessageLabs handles its spam: block and delete, append and let through, or quarantine to a separate folder and send a "quarantine digest" to employees, who can then click and release the messages they choose.

By Rogers's calculations, if half of Odyssey's 1,000 employees spent just five minutes a day dealing with spam — conservative figures, he reckons — then the loss in productivity cost the company approximately $260,000 a year. "Looked at another way," adds Rogers, that quarter-million dollars equals "our entire budget for replacement desktop equipment this year."

Flying Solo
Outsourcing spam isn't for everyone. Thomas Knauseder, manager of IT security for Austria's Salzburg Airport W.A. Mozart, says that while the facility's 250 employees were "distressed with the content" of spam on their network, they never considered going outside for help.

"We don't see it as an alternative. What could the provider do better than we?" says Knauseder. "We also wanted to be able to monitor the system" internally, he adds. Another factor, as you might expect, is that the Salzburg Airport has just a single facility.

Last November, the airport installed Proventia Mail Filter from Internet Security Systems of Atlanta. Initially, says Knauseder, they blocked about 80 percent of all incoming spam. Some end users might say that 80 percent seems low, but the airport chose to minimize the percentage of E-mails being blocked. Why? A key consideration in choosing the Proventia filter was that the software would not have to be monitored, explains Knauseder — otherwise the administration costs would rise.

Employees at the airport receive a total of about 700 to 800 E-mail messages a day, of which about 250 to 300 are blocked by the Proventia system. Knauseder says he has to find a balance between blocking messages and letting them through, and "with 80 percent we have a good compromise." Now his IT staff is fine-tuning the software so it will block 90 percent of spam, and Knauseder says they're just about there.

By contrast, the main consideration at Moen was the amount of effort that would be required to respond to continual changes in spam methodology. "We didn't want our IT staff to become antispam experts," says Buchwald, the security manager. "That's not where our IT strengths lie."

Buchwald says that MessageLabs is 99 percent effective at stopping legitimate spam. And based on Moen's internal scorekeeping, only 2 out of every 10,000 blocked E-mail messages were false positives. That's a risk with any antispam technology, internal or external, he adds.

MessageLabs is "extremely aggressive and proactive" about updating and making changes to their system whenever something new begins spreading," says Buchwald. For the security manager, however, the real value is that his staff doesn't get overloaded dealing with spam. "By the time E-mail enters Moen, we trust that it's not spam, it's not viral, and it has a legitimate purpose," says Buchwald. "That definitely makes my job easier."

Esther Shein, based in Framingham, Massachusetts, writes often about business technology.




CFO Publishing Corporation 2009. All rights reserved.