Enlist users in fight against spam

Spam has become more than a nuisance for many organisations. With the proliferation of viruses piggybacking on unwanted e-mails, it is a serious business management issue, especially with regard to end-users.

A recent workshop on spam hosted by user group the Corporate IT Forum, Tif, attended by senior IT managers, heard that simplicity is the key to approaching the problem, with one major corporate reporting success with an internal campaign to get end-users to "think before they click".

Although the amount of spam varied widely among their organisations - from more than 50% of e-mails to less than 10% - all the attendees have policies and processes in place. The challenge to both business and IT is to make them work.

For Tif members, spam is not considered unmanageable, but all agree it is a nuisance. The meeting came up with some practical ideas for tackling spam.

Those who can should treat spam holistically, in the context of general security and messaging management. Using this approach, some have outsourced the problem effectively.

Overall there is very little measurement of spam in terms of time and cost of resources needed to deal with it, and the importance of creating a good business case to tackle it, backed up by real numbers, was stressed.

The next step is to do a pilot study, measure it closely, and publicise the results - you need to remind decision makers that you are fixing a problem.

At all times you should involve the end-users, for example, in drawing up a white list of those e-mail addresses that the organisation accepts mail from - this can take two to three months.

The post-pilot phase is labour-intensive too, and IT managers should be careful about the language used with end-users. For example, they should talk in terms of blocking e-mails, not deleting e-mails.

There was confusion among Tif members about data protection and freedom of information type issues. One perception was that it was fine for the server to electronically attach a header warning a user about a suspect e-mail, but you could fall foul of the law if this was done manually.

No clear reason emerged as to why some companies are more badly hit by spam than others, but in general those with less obvious e-mail addresses, or where middle initials were included, were less severely affected. Also, companies that do not have a high-profile global presence are hit less badly, as are those with a ban on personal e-mails.

The overriding consensus was that spam, although a nuisance, is not unmanageable.

Think before you click campaign   

The Corporate IT Forum has advised its members to embark on an urgent end-user education programme to combat virus-laden spam, focusing on four key recommendations for them: 

  • Ensure anti-virus software is up to date 
  • Think before you click - don't click on what you don't know, and don't get duped by great e-mail offers 
  • Never reply to spam e-mails 
  • Think twice before forwarding an e-mail to a friend.

"If you open up a link in a spam e-mail it may be days or weeks before you know you have a virus," said Tif chief executive David Roberts. "You are not going to get flashing lights telling you what you have done."

