Protecting Business Critical Services - E-Mail


This Whitepaper looks at the challenges of managing email for businesses, and the options that are available to organizations looking to deploy solutions to protect their email. The author concludes that a Cloud-based Email Security, Continuity, and Archive solution is the best option currently available.

Published in: Technology, Business

  1. 1. Protecting Business Critical Services - Email by Richard Tubb
  2. 2. About the author

     Richard Tubb has worked in the IT industry for over 15 years, working at large corporations such as Ernst & Young and the NHS, as well as being the owner of two award winning Managed Service Providers (MSPs) providing outsourced IT solutions to Small and Medium-Sized Businesses.

     A popular speaker at events within the global IT community, Richard’s blog “Tubblog – The Ramblings of an IT Consultant” ( has twice been nominated for the Computer Weekly Blog Awards in the “IT Consultant” category, and he was nominated by his peers for inclusion on both the “MSP Mentor 250” and “SMB Nation Magazine 150” 2010 lists.

     Richard now works as an Independent Consultant, helping IT companies to feel more in control and grow their businesses. You can find him on Twitter at or email him at

     GFI White Paper: Protecting Business Critical Services - Email | Page 2
  3. 3. Synopsis

     This Whitepaper looks at the challenges of managing email for businesses, and the options that are available to organizations looking to deploy solutions to protect their email.

     The author concludes that a Cloud-based Email Security, Continuity, and Archive solution is the best option currently available.

     Contents

     Introduction
     1.0 How important is email?
     2.0 How much is email used?
     3.0 How much storage does email require?
     4.0 Why is there a need for email security?
     5.0 Why is there a need to archive and backup email?
     6.0 What happens when email is unavailable?
     7.0 Understanding how to protect your business email
     8.0 Potential Solutions
     Conclusion
  4. 4. Introduction

     Email is the single most important service to businesses today. The average user spends an hour and 47 minutes per day using email [American Management Association].

     With the advent of mobile devices, email is no longer tied to the office but is read, responded to and sent everywhere, all the time. As well as constantly checking email at work, most people check email whilst at home, whilst travelling, and even whilst on holiday.

     As many as 1/3rd of people aged 18-34 now check their email when they first wake-up, even before they visit the bathroom [Facebook Survey].

     Ask most people which business service they couldn’t live without, and they’ll answer email.

     The rise of social networking has added to the number of emails sent and received, and with large amounts of multimedia content becoming the norm, the size of email messages has dramatically increased.

     From a security perspective, the threat of spam, viruses and malware is here to stay. Companies that aren’t protected against these threats run a serious gauntlet of issues, not least of which being the danger of an uncaught virus wreaking havoc on a network. Additionally, if a company’s email system is compromised and used to send outbound spam or viruses, the organization can find itself “blacklisted” and unable to send legitimate email to partners, suppliers and clients.

     Government and industry regulations now require many companies to retain their electronic communications in a verifiable manner. And organizations that have been involved in litigation are only too aware of the burden of electronic discovery, and the importance of being able to conclusively demonstrate the content of historical email communications.

     Additionally, due to the importance of email, many organizations and people now actively seek to retain their email messages indefinitely. With the huge growth in storage capacity on computers and corporate networks, people are less likely to delete email that might contain valuable information, and more likely to retain messages for future reference.

     Together, these factors have led to new challenges for businesses managing email. Security threats are ever-present. Users are spending more time searching for information stored within old emails. Continuous access to emails is required, all the time. Even short outages of email services can leave users unproductive, and with no external email communication, business opportunities may be lost.

     As a result, organizations are increasingly looking to protect themselves by making sure email is online, archived and fully protected 24 hours a day, 7 days a
  5. 5. 1.0 How important is email?

     One of the earliest services available on the Internet, electronic mail (email) was originally conceived for sending text based messages between users.

     Over time, email became the “killer app” of the Internet – with the ability for users of any technical ability to easily send messages with any contents and any manner of file attachments.

     Most users view their email client software - most commonly Microsoft Outlook but with many other alternatives also available - not only as a tool for sending and receiving email, but also as their “trusted source” for keeping track of documents, presentations and spreadsheets, and requests for appointments. Email client software is also frequently used for managing to-do lists and tasks, for keeping information about contacts, and for making notes. For many people, no other software is used as frequently.

     Outside of general correspondence, messages from customer relationship management (CRM) systems, telephone voicemail systems, external supply-chain systems, transaction processing, e-commerce and other business critical systems all rely on email for notifications.

     The explosion in popularity of social networking has created yet another reason for email communications, since people now receive frequent updates from both friends and business contacts through email.

     In summary, email has become the de-facto standard for communication within virtually all organizations and is widely relied on.

     2.0 How much is email used?

     Email is the single most used application for the business user. In research, 26% of an individual’s time was spent checking, reading and sending emails [Radicati Group].

     That’s well over 2 hours a day – more time than is spent on the telephone or using social networking combined.

     15% of Americans claim to be addicted to email [AOL Survey]. Certainly, research shows that 62% of people admit to regularly checking work email over the weekend whilst at home, and 50% of people confess to checking email whilst on holiday, 78% of this checking being through mobile devices (AOL Survey).

     The number of emails sent worldwide is 294 billion messages per day, and some 90 trillion email messages per year. The typical business user sends 43 emails per day, and receives 130 [Radicati Group].

     Disturbingly, 90% of these billions of emails sent are spam and viruses [Nucleus Research]. For companies not protecting themselves against these threats, there is a very high chance they’ll suffer damage in one way or another.

     3.0 How much storage does email require?

     The average size of an email is now 75KB []. Whilst the majority of email messages are still short and text based in nature, many messages contain images and formatting information in addition to mere text. Newsletters and other marketing emails typically contain both text and HTML versions of their contents, along with inline images, increasing the size of the average email message as they grow in prevalence.

     People also frequently use email to send a wide variety of file types. Even though more efficient and more secure alternative methods are available to transfer files, the convenience of simply attaching files to an email message has made email the most popular method for sending large documents. With email attachments reaching as much as 10 or 20 MB in size, significant capacity is required to both transmit
  6. 6. store the associated messages.

     These figures relate to legitimate emails and do not consider the 90% of emails that are spam and viruses, further adding to the amount of processing power and storage capacity required to manage email communications.

     4.0 Why is there a need for email security?

     While most individuals consider spam emails a nuisance, for businesses it is a much greater concern.

     With 90% of all emails being spam and viruses, research shows that without any protection in place, lost employee productivity from dealing with spam will cost businesses a minimum of £538 per worker per year [Nucleus Research].

     There is the added risk that if a virus is received by email, and infects an employee’s computer, then it may cause loss of data and at least loss of productivity. Further, the virus will try to replicate itself – often sending messages to the contents of a user’s address book, or by trying to connect to other devices on the network. Frequently a virus or other malware on an infected workstation will be used to send out spam from an organization’s network without their being aware of the activity.

     Quite apart from the damage done to an organization’s reputation when suppliers, clients and prospective clients receive spam messages from a business in this way, the business itself can end up being “blacklisted”. This occurs when an email server is identified as a source of spam messages (including those generated by a virus-infected PC), with the effect that other email servers will subsequently reject legitimate messages from that server and that organization. The process of getting removed from an email blacklist is extremely time consuming and difficult; often the reputation of that mail server or domain will be harmed for a long time.

     Many organizations now deploy spam and virus filtering on their email servers. Whilst this has the benefit of reducing the levels of junk mail that end users see in their inboxes, the email message is still being sent through the company’s network, received by the email server, and processed as any other message before it is classified as spam. This may have the effect of slowing down the processing of legitimate email, and that spam message is typically also stored on the company’s email server along with legitimate email. If a company is retaining emails for legal or regulatory compliance, this can add massive overhead to storage requirements.

     5.0 Why is there a need to archive and backup email?

     Many countries now place legal or regulatory requirements on email. Organizations that are heavily regulated, such as those in the financial or legal industry, must archive all inbound and outbound emails.

     Quite apart from the requirements to archive email for legal or regulatory compliance, the majority of users now use email as a storage system - deleting few messages, and instead attempting to keep their emails for potential future reference.

     Given the growing quantity of emails received each day and the increasing size of an average email message, this requirement to retain old emails can put a significant strain on storage systems. For many businesses, the storage requirement for email backup no longer grows annually, but quarterly. Whilst the cost of storage space has fallen considerably, the continuous need to backup systems, and to monitor and regularly verify the backup procedure, is an on-going load for the IT department.

     Additionally, there is a significant distinction between backup and archive. A backup provides a point in time snapshot of the data on the customer’s mail server. If there is a problem with an organization’s mail server, the email data may be recovered from the backup. However, if a user wants to retrieve a message that was deleted, or if an organization is trying to locate messages that are no longer part of their message store, a backup will not help. Furthermore, a backup is not verifiable evidence of email communications in the event of litigation or other disputes - only an archive solution that provides verifiable evidence of the date and contents of a given message will satisfy those
  7. 7. Last but not least, a backup does not facilitate a search for historical messages. Nor do most mail servers include this functionality. Technologies enabling swift searching of large amounts of data are ever improving, but without this technology in place specifically for an email system, individuals and organizations are left spending considerable time searching for old emails.

     In cases where the IT department does not offer a comprehensive solution to email archiving and backup to their users, the users themselves often make their own arrangements. This might be by way of storing emails locally on their computers or laptops, in an uncoordinated fashion completely separate from any centralized email system. These methods of backup are unreliable and insecure, with the number of laptops reported stolen or lost growing daily, including many high-profile cases reported in the press. Furthermore, for legal or regulatory compliance, these individual backups scattered throughout an organization create a logistical nightmare. Without a centralized repository for the message storage, it can be extremely difficult to find relevant messages, particularly when a local backup is lost or an employee leaves a company.

     In short, organizations need both a backup solution that can help to restore data after the failure of a mail server, and an archive solution that provides a verifiable record of email communications as well as a centralized and reliable means to access and search historical messages, including those that were subsequently deleted from the mail store.

     6.0 What happens when email is unavailable?

     Modern email systems are considered reliable, although 26% of Small and Medium Sized Businesses still suffer almost 30 minutes of unplanned downtime each month, and half of those organizations reported unplanned downtime of 2 hours+ each month. [Osterman Research Group]

     This is quite apart from planned downtime - where email services are unavailable due to necessary upgrades, patches and security fixes.

     With 26% of a typical worker’s day being spent working on email, any unplanned downtime can have a significant impact on productivity. Workers suffer with being unable to find the information they require readily; find lack of email a significant roadblock to external communication with suppliers and clients; and indicate that they spend as much time catching up on email when service is restored as passed during the outage itself.

     The effect of any email outages on an internal IT department can be considerable. Due to the critical nature of email systems, staff in the IT department will be compelled to drop what they are doing and work on the emergency at hand. Other work is delayed, and IT staff may spend whole days absorbed by responding to the after-effects of an outage, even after email services are restored.

     Where email is unavailable for extended periods, the costs are multiplied. It is not uncommon to see a 100% loss in productivity if a department or entire organization is sent home due to unplanned email downtime. Such is the reliance upon email systems in modern business.

     Mobile workers are also significantly impacted by even short periods of email downtime. With email replacing telephone as the primary means of communication, mobile workers can be severely disrupted when email is not available. This can particularly affect people who work during short windows of opportunity for communication, such as in between meetings.

     The impact of downtime on a business’s reputation can be significant. The most common worry for businesses during an email outage is that the downtime may impact communications with prospects or pending orders. When suppliers or clients receive a “bounced” email message as a result of an email outage, it undermines confidence in a business. When a prospective client receives the same “bounced” response, they often won’t re-send the email at all. Even if no bounce message is created, a delay in receiving an important email can result in lost business.

     When email is unavailable, many workers look to alternative methods of communication. This can include sending faxes, and using personal web-mail systems such as Hotmail and Gmail. Sensitive information sent outside the corporate email system via these mediums can be insecure. In October 2009, 21 million people and businesses using the Hotmail service were warned their data was potentially at risk after passwords to the system were acquired illegally. Faxes can very easily be read by unintended recipients, making it a very poor system for sending sensitive
  8. 8. And comparatively few people have ready access to a fax machine.

     Additionally, all messages sent by these methods will bypass the organization’s archive and retention policies, creating a compliance issue for companies subject to regulation.

     Clearly, an email outage can have far reaching effects – in lost productivity, harmed communications with customers and prospects, potential security ramifications, and in the risk of lost business.

     7.0 Understanding how to protect your business email

     The first step to protecting your organization’s email services is to answer the following questions.

     7.1 What are email outages currently costing your business?

     The cost of an employee being unproductive during an email outage is a “soft” cost. That is to say, because the business is not actually writing a check for this cost, it is tempting to ignore it when calculating costs. As we’ve discussed, there is a real and significant cost to a business of employees being unable to access email.

     7.2 Do you have a Disaster Recovery plan?

     Some businesses have a Disaster Recovery (DR) plan that includes how the business will cope if struck by a natural disaster, fire, theft or loss of building. These plans should include IT systems such as email and how a company will cope without these services.

     If you have a Disaster Recovery plan, consider how you would cope as a business without email, and incorporate contingency plans into your DR plan.

     If your business does not have a Disaster Recovery plan, creating a strategy for tackling email continuity can be both the first and a significant step towards creating your own DR plan.

     7.3 What are the Regulatory and Legal Requirements?

     Seek more information on the regulatory and legal requirements that are placed upon your business, dependent upon its location and the nature of the business. Often, this will dictate the requirements and scope of any system that you need to implement for email retention.

     7.4 Do you need an agile Email solution?

     When considering an email security and continuity plan, consider “future proofing” it. If your business were to grow, could your email grow with it? Even replacing a single email server can be a time consuming migration, causing downtime and loss of services. Would an email continuity platform help alleviate any of these migration pains?

     If your organization were to acquire or merge with another organization, could your email system quickly be adapted to this purpose?

     7.5 Can you ensure the organizational knowledge in email is retained?

     60% of critical information within a company is contained within email [Radicati]. Yet many companies do not have the ability to easily search through this knowledge, particularly after employees have left
  9. 9. Additionally, the time an active employee spends searching for information within email should be considered. How much more productive would an employee realistically be if they could find the information they wanted from email quickly and easily?

     When determining a Return-on-Investment (ROI) on any system or process that prevents email downtime and provides archive solutions, it is prudent to include these costs.

     7.6 What is your solution for email security, and is it integrated with your solution for continuity and archive?

     Almost all companies have some form of spam and virus detection. However, such solutions are often hardware or software point solutions that are separate from any solutions for email continuity or email archive. Using different, non-integrated solutions for spam and virus protection, a backup system for email continuity, and an email archive solution, can greatly increase the initial investment necessary along with the ongoing management time and costs compared to a single integrated solution. The difference is magnified when considering the learning curve, time and costs for employees of learning to use two or three different systems instead of one.

     8.0 Potential Solutions

     Given the factors discussed in this document, an email management solution for organizations should encompass three different elements:

       1. Email security - to provide robust, comprehensive defense against email borne spam, viruses, and other threats
       2. Email continuity - to provide organizations with continued access to their email in the event that their own infrastructure is off-line
       3. Email archive - to provide organizations with reliable, secure storage of all of their historical communications, for subsequent search and retrieval

     The options for meeting these goals can broadly be split into three categories.

     8.1 Software Solutions

     Typically installed on the same server that is used for email services, or on another server that is locally connected to the main email server, a software solution can at first glance appear to be the least expensive approach, especially if older server hardware can be repurposed.

     This solution does suffer from the fact it is hosted inside the company’s premises, if not on the mail server itself. This means that spam and virus emails will be downloaded to the server before being processed, potentially slowing down the process of legitimate email and adding storage overhead. It is also a single point of failure, susceptible to any problems with the server running the anti-spam/antivirus software.

     As an archive solution, a software approach is also less than ideal, as the archived messages will typically be stored in the same datacenter or server closet as the primary mail server - meaning that a fire, earthquake, flood, or other local issue could impact the archive along with the primary mail server.

     A software solution can also be the most expensive solution to manage on a longer-term basis, as IT staff in-house need to maintain and monitor the underlying hardware as well as make ongoing configuration changes to the software itself.

     Last but not least, a software solution cannot provide continuity in the event that the primary mail server is off-line. And a software solution for spam and virus protection will typically not be integrated with a solution for email archiving.

     8.2 Appliance Solutions

     An appliance solution typically consists of a pre-built set of hardware running specialized software, specifically for the purposes of filtering and/or archiving email
  10. 10. Appliances can be deployed to a wide variety of sites, as they are not directly tied to a mail server or operating system. They may also be easier to manage than a software solution.

     An appliance solution can be an expensive option, requiring an initial capital investment to cover both the software and hardware inherent in an appliance. Additionally, an appliance will need to be replaced every few years, requiring time and expertise, as well as periodic additional capital investments.

     An appliance, like a software solution, will also have limited capacity and may not grow with the needs of an organization’s storage requirements. Also similar to a software solution, the appliance represents a single point of failure.

     Appliances may also suffer from being stored on the same site as the business’s primary email service. In the event of a disaster involving fire, theft or loss of building – the appliance may suffer the same fate as the email server.

     Appliance solutions also may provide email security but not continuity or archive capabilities. Indeed, an appliance has limited capabilities as a continuity solution, as it will be susceptible to the same network issues as the mail server itself.

     8.3 Cloud-Based Services

     Cloud-based services, also known as Software-As-A-Service (SAAS) solutions, are hosted in the Internet (or “Cloud”). They benefit from being easy to deploy, and can be easily accessed from any location. Good solutions are engineered to have multiple points of redundancy so that they will be always available on a 24x7x365 basis.

     A SAAS email security solution filters email for spam and viruses in the cloud, and delivers only legitimate emails to a business’s email server. This reduces an organization’s bandwidth requirements as well as the processing requirements of its mail server.

     Cloud-based email security solutions can provide integrated continuity. In the event of an issue with an organization’s email server, users can be re-directed to the Cloud-based service where they can from any location continue to send and receive email. This reduces the urgency to restore the on-premise solution, and makes migrations or changes that require downtime much more manageable.

     Cloud-based solutions also benefit from being a secure and trusted environment for sending outbound emails. By delivering outbound messages through the cloud service, an organization can avoid being blacklisted, as outgoing emails are checked for spam and viruses, and would not be permitted past the 3rd party host – which stakes its reputation, and those of all its clients, on maintaining a healthy environment.

     As an archive solution, a cloud-based solution offers geographic redundancy for the message storage, providing greater reliability compared to an on-site hardware or software solution.

     A cloud-based solution also automatically scales to meet a customer’s requirements, whether that is to provide additional protection in the event of a large spam run or denial of service attack, or to provide additional storage space for a growing email archive.

     Generally, cloud solutions are the easiest and fastest solution to deploy – with minimal training required, no hardware or software to install or configure, and a 3rd party providing the infrastructure and assisting with deployment.

     Cloud-based services also benefit from being an Operating Expenditure (OPEX) as opposed to a Capital Expenditure (CAPEX), meaning little or no up-front investment and predictable on-going costs with no risk of obsolescence.

     Last but not least, a cloud-based solution can provide a single integrated answer for email security, email continuity, and email archive - saving money and time for both administrators and end users.

     Longer term, cloud-based solutions may appear more expensive than on-premise solutions, due to their ongoing monthly costs. However, those costs include all the infrastructure necessary to provide reliable and seamlessly scalable services, which has the result of reducing other expenses for the business - namely those for network bandwidth, IT staff time, hardware and software costs, and of course the on-going periodic costs in maintaining and upgrading on-premise hardware and software over
  11. 11. Conclusion

     The author of this White Paper concludes that a Cloud-based, integrated email security, continuity, and archive solution is the best solution for the majority of businesses. A Cloud-based solution is ultimately the fastest and easiest to deploy, provides the most effective continuity options, offers the potential to grow with the business, and reduces both the time and cost of on-going maintenance
  12. 12. WP/0005/v1.0/EN

     Disclaimer

     The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document.

     If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.

     © 2011. GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective