Managing information risk
Anyone who has an email account most certainly has had the unpleasant experience of receiving unsolicited email, commonly know as spam. Although many people simply consider spam an annoyance, the overall impacts are much greater. Consider the following statistics: According to a recent survey published by Commtouch, a spam protection software vendor, spam accounts for anywhere from 64 to 94 percent of all email on the Internet. Spam not only wastes employees time, but uses computer processing time and precious internet bandwidth, costing companies enormous sums of money every year. The California legislature, in 2007, found that spam cost American organizations over 13 billon dollars a year which includes lost productivity and additional equipment, software and manpower required to combat spam.
Unfortunately, there are currently no silver bullets to completely eliminate spam. There are however actions that can be taken by individuals and businesses alike to minimize the amount of spam received!
Where does spam come from?
Spam emails are usually sent out in millions at a time. In fact, a “spammer”, or person who sends out unsolicited emails, use enormous databases of email addresses to send out messages. Spammers send out these messages to promote products and gain revenue when recipients click on the links provided in the spam messages. Some spam messages also promote online scams or ideological messages. According to the same vendor survey mentioned earlier, 40 percent of spam messages are for the sale of pharmaceuticals. The unfortunate reality is that becoming a spammer is all too easy. All an individual requires is a desktop computer, an internet connection, a database of emails easily purchased on the Internet and a small amount of technical knowledge to get started.
What individuals can do
The individual’s role in spam prevention is by far the most important factor in minimising the amount of spam directed to an email address. The following four suggestions should help individuals minimise the amount of spam they receive. However, if a significant amount of spam is already being received, it’s unfortunately too late. Filters, as discussed in the next section will then be the main line of defence.
1- Never reply to a spam message: If you receive an unsolicited email that offers to “take you off their mailing list” by replying to the message, delete it! By replying, you are simply indicating to the spammer that your email is valid and that someone is actually reading the messages they are sending. Similarly, if there is a link to click on, do not be tempted. The best thing to do is to delete the message.
2- Modify your email address: If you need to post your email address on a website or other public online forum, consider altering it. For example, if your email is “firstname.lastname@example.org” enter your address as “joe (at) company (dot) com”. Many spammers use software called “crawlers” that comb through websites looking for emails in the email@example.com format. By altering the format, you minimize the risk of having your address collected by spammer tools and being added to a spam database.
4- Do not forward chain letters: Many individuals receive funny emails, videos and chain letters urging you “forward to all of your friends”. After being forwarded multiple times, these messages then contain numerous emails addresses including your own. Spammers collect these addresses and ad them to their spam database. As a rule of thumb, consider that if you forward a joke or video, your contacts will also forward it to their friends and your address will eventually be picked up by a spammer.
What organisations can do
First and foremost, organisations need to educate their users about the items discussed in the previous section; employees are the ones who send and receive emails and are the key to spam prevention. An effective way to convey the message is to include spam prevention measures in an IT security policy which is distributed periodically to all employees and to new staff members.
Also, security awareness campaigns such as presentations at staff meetings and articles in internal newsletters are good ways to inform personnel. However, spam is an Internet fact of life and no matter how much prevention and education is done, there will be spam! On the technical front, large organizations should have spam filtering software on their email gateway. Many efficient commercial packages are available.
For smaller organisations, internet service providers and other businesses offer third party email filtering services which can be more cost effective than having a full setup which will require staff and expertise to run and maintain. Organisations must be extremely careful, especially during the initial stages of rolling out spam software, with false positives. False positive spam messages mean that legitimate emails are getting caught in the spam filter and do not reach their intended recipient. However, if filtering is too weak, spam messages will get through and defeat the purpose of the filter. Ultimately, the best way to find the right balance is to increment filtering aggressiveness until all those involved are satisfied and no legitimate emails are caught. For large organisations, performing this task without expert advice is not recommended.
The bottom line for individuals and businesses alike is that spam is unfortunately not going away anytime soon. The key is to prevent spam from being an annoyance to end-users and a drain on productivity and IT resources; educate them, install or use appropriate systems to filter incoming messages and find the right balance of filtering to allow business to go on and thrive.
The views and opinions are those of the author and do not necessarily represent the views and opinions of KPMG. All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity.
© 2008 KPMG, a Cayman Islands partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
The information contained herein is of a general nature and is not intended to address the specific circumstances of any particular individual or entity.