Spam whittles away at ROI, report claims

A survey of 76 US companies has revealed that employees spend up to 90 minutes a day managing spam, and that the cost of spam per...

A survey of 76 US companies has revealed that employees spend up to 90 minutes a day managing spam, and that the cost of spam per employee is a staggering $874 a year.

Nucleus Research conducted in-depth interviews with 117 employees at the companies, and interviewed 28 IT administrators responsible for managing e-mail and other corporate applications, to understand the impact of spam on IT infrastructure and resources.

The study found that the average employee receives 13.3 spam messages a day, spending anything from one minute to 90 minutes managing that spam, the average time being 6.5 minutes per day.

Lost productivity per employee per year was estimated at 1.4%.

Some employees had such severe spam problems that they were forced to invest in desktop filters, but even with the filters adjusted to their personal profiles and preferences, these individuals still spent an average of 12.5 minutes a day - nearly twice the average - screening and managing incoming mail, at a cost of $1,625 per year in lost productivity.

This figure is a leading indicator of the potential cost of spam as volumes grow. So even for highly trained users with sophisticated personalised filtering devices, spam has a dramatic negative effect on productivity.

If companies lose an average of 1.4% of each employee's productivity each year because of spam, then for every 72 employees a company has, it loses the equivalent of at least one employee's services to spam for the year.

Organisations can reduce the impact of spam on their employees by deploying companywide spam filters. Filter technology is by no means perfect, but it reduced the average amount of time employees spend managing spam to five minutes a day, cutting the average annual cost per employee 26% to $650.

However, administrators have found a number of challenges with filters:

Spam sophistication. Spammers use punctuation, spaces and other methods to avoid the rules filters use to block spam.

Ineffective technology. Many administrators found that aggressive filters delayed or aborted delivery of business messages or were ineffective in filtering out spam unless it met specific guidelines.

Employee adoption. While many companies had filters in place, employee use of the filters varied, and additional employee education efforts were needed.

Effective policies and management. Although many companies had e-mail policies, they did not have a consistent corporate strategy for educating employees about spam, resulting in ad hoc employee education instead of widespread understanding.

IT staff on average spent around half a day dealing with spam. As well as managing filters and deleting messages, they are responding to help desk requests, ensuring that employees who have received offensive e-mails feel they have an appropriate response to their problem, and educating users about spam and how they can limit their exposure.

Some companies are spending nearly a quarter of an IT employee's time managing spam issues. Companies should assume that, on a per-mailbox basis, administrators will spend an average of 0.7 minutes per employee per week on spam-related issues.

In theory, that means that for every 690 employees, one full-time IT staff person will be needed to manage spam. In reality, it probably means that the existing IT employees just become more overworked or have to put out spam fires instead of doing more profitable activities.

Many companies worry that, even with filters, unsolicited e-mail sent to employees may provoke legal action. According to one IT administrator, "One of the reasons we got into spam filtering is the offensive-content lawsuits that could arise."

Employee training, filters and California's new antispam law are a good start, but they will not make the problem disappear altogether. Recent activity by Microsoft and others in pursuing legal action against spammers suggests another approach.

In June, Microsoft filed 15 lawsuits against spammers; followed in August with lawsuits against 11 internet advertisers, which Amazon accused of spoofing its e-mail address to send spam.

Given the cost of spam, large companies may want to consider similar legal action, which is, potentially, more cost effective than  investing in a filter that will only reduce, not eliminate, spam's impact.

Ian Campbell is president and chief executive officer of Nucleus Research. Rebecca Wettemann is vice president.

Management tips

Educate users about spam avoidance (such as not replying to spam).

Create an internal web page that explains the employer's efforts to fight spam, including a frequently asked questions section. This may reduce calls to the help desk.

Take "fair and reasonable" efforts to control spam, as a defence against lawsuits charging a hostile work environment.

Update the company e-mail and communications policy to inform users that the company installed a spam filter but cannot guarantee that all spam will be filtered. Ban employees from initiating spam or forwarding spam.

Recognise that spam is becoming a security problem, with the emergence of worms that use spammer techniques for propagation, as well as spammers' use of worm variants to get their messages through.

Remember that spam filtering should vary by industry or department. In the healthcare industry, for example, legitimate messages may have the names of certain drugs or body parts. And e-mail from complaining customers may have words that filters interpret as spam.

Source: Gartner, September 2003

Read more on Antivirus, firewall and IDS products