
Protecting Business Critical Services - Email


by Richard Tubb
About the author
Richard Tubb has worked in the IT industry for over 15 years, working
at large corporations such as Ernst & Young and the NHS, as well as
being the owner of two award winning Managed Service Providers
(MSPs) providing outsourced IT solutions to Small and Medium-Sized
Businesses.
A popular speaker at events within the global IT community, Richard’s blog “Tubblog – The Ramblings of
an IT Consultant” (www.tubblog.co.uk) has twice been nominated for the Computer Weekly Blog Awards
in the “IT Consultant” category, and he was nominated by his peers for inclusion on both the “MSP Mentor
250” and “SMB Nation Magazine 150” 2010 lists.
Richard now works as an Independent Consultant, helping IT companies to feel more in control and
grow their businesses. You can find him on Twitter at www.twitter.com/tubblog or email him
at richard@tubblog.co.uk.

www.gfi.com/max-family GFI White Paper: Protecting Business Critical Services - Email | Page 2
Synopsis
This Whitepaper looks at the challenges of managing email for
businesses, and the options that are available to organizations
looking to deploy solutions to protect their email.
The author concludes that a Cloud-based Email Security, Continuity, and Archive solution is the best option
currently available.

Contents

Introduction
1.0 How important is email?
2.0 How much is email used?
3.0 How much storage does email require?
4.0 Why is there a need for email security?
5.0 Why is there a need to archive and backup email?
6.0 What happens when email is unavailable?
7.0 Understanding how to protect your business email
8.0 Potential Solutions
Conclusion

Introduction
Email is the single most important service to businesses today. The
average user spends an hour and 47 minutes per day using email
[American Management Association].
With the advent of mobile devices, email is no longer tied to the office but is read, responded to and sent
everywhere, all the time. As well as constantly checking email at work, most people check email whilst at
home, whilst travelling, and even whilst on holiday.
As many as 1/3rd of people aged 18-34 now check their email when they first wake up, even before they
visit the bathroom [Facebook Survey].
Ask most people which business service they couldn’t live without, and they’ll answer email.
The rise of social networking has added to the number of emails sent and received, and with large
amounts of multimedia content becoming the norm, the size of email messages has dramatically
increased.
From a security perspective, the threat of spam, viruses and malware is here to stay. Companies that
aren’t protected against these threats run a serious gauntlet of issues, not least of which being the
danger of an uncaught virus wreaking havoc on a network. Additionally, if a company’s email system is
compromised and used to send outbound spam or viruses, the organization can find itself “blacklisted”
and unable to send legitimate email to partners, suppliers and clients.
Government and industry regulations now require many companies to retain their electronic
communications in a verifiable manner. And organizations that have been involved in litigation are
only too aware of the burden of electronic discovery, and the importance of being able to conclusively
demonstrate the content of historical email communications.
Additionally, due to the importance of email, many organizations and people now actively seek to retain
their email messages indefinitely. With the huge growth in storage capacity on computers and corporate
networks, people are less likely to delete email that might contain valuable information, and more likely
to retain messages for future reference.
Together, these factors have led to new challenges for businesses managing email. Security threats
are ever-present. Users are spending more time searching for information stored within old emails.
Continuous access to emails is required, all the time. Even short outages of email services can leave users
unproductive, and with no external email communication, business opportunities may be lost.
As a result, organizations are increasingly looking to protect themselves by making sure email is online,
archived and fully protected 24 hours a day, 7 days a week.

1.0 How important is email?

One of the earliest services available on the Internet, electronic
mail (email) was originally conceived for sending text based
messages between users.
Over time, email became the “killer app” of the Internet – with the ability for users of any technical ability to
easily send messages with any contents and any manner of file attachments.
Most users view their email client software - most commonly Microsoft Outlook but with many other
alternatives also available - not only as a tool for sending and receiving email, but also as their “trusted
source” for keeping track of documents, presentations and spreadsheets, and requests for appointments.
Email client software is also frequently used for managing to-do lists and tasks, for keeping information
about contacts, and for making notes. For many people, no other software is used as frequently.
Outside of general correspondence, messages from customer relationship management (CRM) systems,
telephone voicemail systems, external supply-chain systems, transaction processing, e-commerce and
other business critical systems all rely on email for notifications.
The explosion in popularity of social networking has created yet another reason for email communications,
since people now receive frequent updates from both friends and business contacts through email.
In summary, email has become the de-facto standard for communication within virtually all organizations
and is widely relied on.

2.0 How much is email used?


Email is the single most used application for the business user. In
research, 26% of an individual’s time was spent checking, reading
and sending emails [Radicati Group].
That’s well over 2 hours a day – more time than is spent on the telephone or using social networking
combined.
15% of Americans claim to be addicted to email [AOL Survey]. Certainly, research shows that 62% of people
admit to regularly checking work email over the weekend whilst at home, and 50% of people confess to
checking email whilst on holiday, 78% of this checking being through mobile devices [AOL Survey].
The number of emails sent worldwide is 294 billion messages per day, and some 90 trillion email messages
per year. The typical business user sends 43 emails per day, and receives 130 [Radicati Group].
Disturbingly, 90% of these billions of emails sent are spam and viruses [Nucleus Research]. For companies
not protecting themselves against these threats, there is a very high chance they’ll suffer damage in one
way or another.

3.0 How much storage does email require?


The average size of an email is now 75KB [About.com]. Whilst the majority of email messages are still
short and text based in nature, many messages contain images and formatting information in addition
to mere text. Newsletters and other marketing emails typically contain both text and HTML versions of
their contents, along with inline images, increasing the size of the average email message as they grow in
prevalence.
People also frequently use email to send a wide variety of file types. Even though more efficient and more
secure alternative methods are available to transfer files, the convenience of simply attaching files to
an email message has made email the most popular method for sending large documents. With email
attachments reaching as much as 10 or 20 MB in size, significant capacity is required to both transmit and
store the associated messages.
These figures relate to legitimate emails and do not consider the 90% of emails that are spam and viruses,
further adding to the amount of processing power and storage capacity required to manage email
communications.

4.0 Why is there a need for email security?


While most individuals consider spam emails a nuisance, for businesses it is a much greater concern.
With 90% of all emails being spam and viruses, research shows that without any protection in place, lost
employee productivity from dealing with spam will cost businesses a minimum of £538 per worker per year
[Nucleus Research].
There is the added risk that if a virus is received by email, and infects an employee’s computer, then it may
cause loss of data and at least loss of productivity. Further, the virus will try to replicate itself – often sending
messages to the contents of a user’s address book, or by trying to connect to other devices on the network.
Frequently a virus or other malware on an infected workstation will be used to send out spam from an
organization’s network without their being aware of the activity.
Quite apart from the damage done to an organization’s reputation when suppliers, clients and prospective
clients receive spam messages from a business in this way, the business itself can end up being “blacklisted”.
This occurs when an email server is identified as a source of spam messages (including those generated by
a virus-infected PC), with the effect that other email servers will subsequently reject legitimate messages
from that server and that organization. The process of getting removed from an email blacklist is extremely
time consuming and difficult; often the reputation of that mail server or domain will be harmed for a long
time.
Many organizations now deploy spam and virus filtering on their email servers. Whilst this has the benefit
of reducing the levels of junk mail that end users see in their inboxes, the email message is still being sent
through the company’s network, received by the email server, and processed as any other message before
it is classified as spam. This may have the effect of slowing down the processing of legitimate email, and
that spam message is typically also stored on the company’s email server along with legitimate email. If a
company is retaining emails for legal or regulatory compliance, this can add massive overhead to storage
requirements.

5.0 Why is there a need to archive and backup email?


Many countries now place legal or regulatory requirements on email. Organizations that are heavily
regulated, such as those in the financial or legal industry, must archive all inbound and outbound emails.
Quite apart from the requirements to archive email for legal or regulatory compliance, the majority of users
now use email as a storage system - deleting few messages, and instead attempting to keep their emails
for potential future reference.
Given the growing quantity of emails received each day and the increasing size of an average email
message, this requirement to retain old emails can put a significant strain on storage systems. For many
businesses, the storage requirement for email backup no longer grows annually, but quarterly. Whilst the
cost of storage space has fallen considerably, the continuous need to back up systems, and to monitor and
regularly verify the backup procedure, is an on-going load for the IT department.
Additionally, there is a significant distinction between backup and archive. A backup provides a point in
time snapshot of the data on the customer’s mail server. If there is a problem with an organization’s mail
server, the email data may be recovered from the backup. However, if a user wants to retrieve a message
that was deleted, or if an organization is trying to locate messages that are no longer part of their message
store, a backup will not help. Furthermore, a backup is not verifiable evidence of email communications in
the event of litigation or other disputes - only an archive solution that provides verifiable evidence of the
date and contents of a given message will satisfy those requirements.

Last but not least, a backup does not facilitate a search for historical messages. Nor do most mail servers
include this functionality. Technologies enabling swift searching of large amounts of data are ever improving,
but without this technology in place specifically for an email system, individuals and organizations are left
spending considerable time searching for old emails.
In cases where the IT department does not offer a comprehensive solution to email archiving and backup
to their users, the users themselves often make their own arrangements. This might be by way of storing
emails locally on their computers or laptops, in an uncoordinated fashion completely separate from any
centralized email system. These methods of backup are unreliable and insecure, with the number of laptops
reported stolen or lost growing daily, including many high-profile cases reported in the press. Furthermore,
for legal or regulatory compliance, these individual backups scattered throughout an organization create a
logistical nightmare. Without a centralized repository for the message storage, it can be extremely difficult
to find relevant messages, particularly when a local backup is lost or an employee leaves a company.
In short, organizations need both a backup solution that can help to restore data after the failure of a
mail server, and an archive solution that provides a verifiable record of email communications as well
as a centralized and reliable means to access and search historical messages, including those that were
subsequently deleted from the mail store.

6.0 What happens when email is unavailable?


Modern email systems are considered reliable, although 26% of Small and Medium Sized Businesses still
suffer almost 30 minutes of unplanned downtime each month, and half of those organizations reported
unplanned downtime of 2 hours+ each month. [Osterman Research Group]
This is quite apart from planned downtime - where email services are unavailable due to necessary
upgrades, patches and security fixes.
With 26% of a typical worker’s day being spent working on email, any unplanned downtime can have a
significant impact on productivity. Workers suffer with being unable to find the information they require
readily; find lack of email a significant roadblock to external communication with suppliers and clients; and
indicate that they spend as much time catching up on email when service is restored as passed during the
outage itself.
The effect of any email outages on an internal IT department can be considerable. Due to the critical nature
of email systems, staff in the IT department will be compelled to drop what they are doing and work on the
emergency at hand. Other work is delayed, and IT staff may spend whole days absorbed by responding to
the after-effects of an outage, even after email services are restored.
Where email is unavailable for extended periods, the costs are multiplied. It is not uncommon to see a
100% loss in productivity if a department or entire organization is sent home due to unplanned email
downtime. Such is the reliance upon email systems in modern business.
Mobile workers are also significantly impacted by even short periods of email downtime. With email
replacing telephone as the primary means of communication, mobile workers can be severely disrupted
when email is not available. This can particularly affect people who work during short windows of
opportunity for communication, such as in between meetings.
The impact of downtime on a business’s reputation can be significant. The most common worry for
businesses during an email outage is that the downtime may impact communications with prospects or
pending orders. When suppliers or clients receive a “bounced” email message as a result of an email outage,
it undermines confidence in a business. When a prospective client receives the same “bounced” response,
they often won’t re-send the email at all. Even if no bounce messages are created, a delay in receiving an
important email can result in lost business.
When email is unavailable, many workers look to alternative methods of communication. This can include
sending faxes, and using personal web-mail systems such as Hotmail and Gmail. Sensitive information sent
outside the corporate email system via these mediums can be insecure. In October 2009, 21 million people
and businesses using the Hotmail service were warned their data was potentially at risk after passwords to
the system were acquired illegally. Faxes can very easily be read by unintended recipients, making it a very
poor system for sending sensitive information.

And comparatively few people have ready access to a fax machine.
Additionally, all messages sent by these methods will bypass the organization’s archive and retention policies,
creating a compliance issue for companies subject to regulation.
Clearly, an email outage can have far reaching effects – in lost productivity, harmed communications with
customers and prospects, potential security ramifications, and in the risk of lost business.

7.0 Understanding how to protect your business email


The first step to protecting your organization’s email services is to answer the following questions.

7.1 What are email outages currently costing your business?

The cost of an employee being unproductive during an email outage is a “soft” cost. That is to say,
because the business is not actually writing a check for this cost, it is tempting to ignore it when
calculating costs. As we’ve discussed, there is a real and significant cost to a business of employees being
unable to access email.

7.2 Do you have a Disaster Recovery plan?

Some businesses have a Disaster Recovery (DR) plan that includes how the business will cope if struck by
a natural disaster, fire, theft or loss of building. These plans should include IT systems such as email and
how a company will cope without these services.

If you have a Disaster Recovery plan, consider how you would cope as a business without email, and
incorporate contingency plans into your DR plan.

If your business does not have a Disaster Recovery plan, creating a strategy for tackling email continuity
can be both the first and a significant step towards creating your own DR plan.

7.3 What are the Regulatory and Legal Requirements?

Seek more information on the regulatory and legal requirements that are placed upon your business,
dependent upon its location and the nature of the business. Often, this will dictate the requirements and
scope of any system that you need to implement for email retention.

7.4 Do you need an agile Email solution?

When considering an email security and continuity plan, consider “future proofing” it. If your business
were to grow, could your email grow with it? Even replacing a single email server can be a time
consuming migration, causing downtime and loss of services. Would an email continuity platform help
alleviate any of these migration pains?

If your organization were to acquire or merge with another organization, could your email system quickly
be adapted to this purpose?

7.5 Can you ensure the organizational knowledge in email is retained?

60% of critical information within a company is contained within email [Radicati]. Yet many companies
do not have the ability to easily search through this knowledge, particularly after employees have left the
organization.

Additionally, the time an active employee spends searching for information within email should be
considered. How much more productive would an employee realistically be if they could find the
information they wanted from email quickly and easily?
When determining a Return-on-Investment (ROI) on any system or process that prevents email downtime
and provides archive solutions, it is prudent to include these costs.

7.6 What is your solution for email security, and is it integrated with your solution for
continuity and archive?

Almost all companies have some form of spam and virus detection. However, such solutions are often
hardware or software point solutions that are separate from any solutions for email continuity or email
archive. Using different, non-integrated solutions for spam and virus protection, a backup system for
email continuity, and an email archive solution, can greatly increase the initial investment necessary
along with the ongoing management time and costs compared to a single integrated solution. The
difference is magnified when considering the learning curve, time and costs for employees of learning to
use two or three different systems instead of one.

8.0 Potential Solutions


Given the factors discussed in this document, an email management solution for organizations should
encompass three different elements:
1. Email security - to provide robust, comprehensive defense against email borne spam, viruses, and
   other threats
2. Email continuity - to provide organizations with continued access to their email in the event that
   their own infrastructure is off-line
3. Email archive - to provide organizations with reliable, secure storage of all of their historical
   communications, for subsequent search and retrieval
The options for meeting these goals can broadly be split into three categories.
8.1 Software Solutions
Typically installed on the same server that is used for email services, or on another server that is locally
connected to the main email server, a software solution can at first glance appear to be the least expensive
approach, especially if older server hardware can be repurposed.
This solution does suffer from the fact it is hosted inside the company’s premises, if not on the mail server
itself. This means that spam and virus emails will be downloaded to the server before being processed,
potentially slowing down the processing of legitimate email and adding storage overhead. It is also a single
point of failure, susceptible to any problems with the server running the anti-spam/antivirus software. As
an archive solution, a software approach is also less than ideal, as the archived messages will typically be
stored in the same datacenter or server closet as the primary mail server - meaning that a fire, earthquake,
flood, or other local issue could impact the archive along with the primary mail server.
A software solution can also be the most expensive solution to manage on a longer-term basis, as IT staff
in-house need to maintain and monitor the underlying hardware as well as make ongoing configuration
changes to the software itself.
Last but not least, a software solution cannot provide continuity in the event that the primary mail server is
off-line. And a software solution for spam and virus protection will typically not be integrated with a solution
for email archiving.
8.2 Appliance Solutions
An appliance solution typically consists of a pre-built set of hardware running specialized software,
specifically for the purposes of filtering and/or archiving email data.

Appliances can be deployed to a wide variety of sites, as they are not directly tied to a mail server or
operating system. They may also be easier to manage than a software solution.
An appliance solution can be an expensive option, requiring an initial capital investment to cover both the
software and hardware inherent in an appliance. Additionally, an appliance will need to be replaced every
few years, requiring time and expertise, as well as periodic additional capital investments.
An appliance, like a software solution, will also have limited capacity and may not grow with the needs
of an organization’s storage requirements. Also similar to a software solution, the appliance represents a
single point of failure.
Appliances may also suffer from being stored on the same site as the business’s primary email service. In
the event of a disaster involving fire, theft or loss of building – the appliance may suffer the same fate as
the email server.
Appliance solutions also may provide email security but not continuity or archive capabilities. Indeed, an
appliance has limited capabilities as a continuity solution, as it will be susceptible to the same network
issues as the mail server itself.
8.3 Cloud-Based Services
Cloud-based services, also known as Software-As-A-Service (SAAS) solutions, are hosted on the Internet
(or “Cloud”). They benefit from being easy to deploy, and can be easily accessed from any location. Good
solutions are engineered to have multiple points of redundancy so that they will be always available on a
24x7x365 basis.
A SAAS email security solution filters email for spam and viruses in the cloud, and delivers only legitimate
emails to a business’s email server. This reduces an organization’s bandwidth requirements as well as the
processing requirements of its mail server.
Cloud-based email security solutions can provide integrated continuity. In the event of an issue with an
organization’s email server, users can be re-directed to the Cloud-based service where they can from any
location continue to send and receive email. This reduces the urgency to restore the on-premise solution,
and makes migrations or changes that require downtime much more manageable.
Cloud-based solutions also benefit from being a secure and trusted environment for sending outbound
emails. By delivering outbound messages through the cloud service, an organization can avoid being
blacklisted, as outgoing emails are checked for spam and viruses, and would not be permitted past the 3rd
party host – which stakes its reputation, and those of all its clients, on maintaining a healthy environment.
As an archive solution, a cloud-based solution offers geographic redundancy for the message storage,
providing greater reliability compared to an on-site hardware or software solution.
A cloud-based solution also automatically scales to meet a customer’s requirements, whether that is to
provide additional protection in the event of a large spam run or denial of service attack, or to provide
additional storage space for a growing email archive.
Generally, cloud solutions are the easiest and fastest solution to deploy – with minimal training required,
no hardware or software to install or configure, and a 3rd party providing the infrastructure and assisting
with deployment.
Cloud-based services also benefit from being an Operating Expenditure (OPEX) as opposed to a Capital
Expenditure (CAPEX), meaning little or no up-front investment and predictable on-going costs with no risk
of obsolescence.
Last but not least, a cloud-based solution can provide a single integrated answer for email security, email
continuity, and email archive - saving money and time for both administrators and end users.
Longer term, cloud-based solutions may appear more expensive than on-premise solutions, due to their
ongoing monthly costs. However, those costs include all the infrastructure necessary to provide reliable
and seamlessly scalable services, which has the result of reducing other expenses for the business - namely
those for network bandwidth, IT staff time, hardware and software costs, and of course the on-going
periodic costs in maintaining and upgrading on-premise hardware and software over time.

Conclusion
The author of this White Paper concludes that a Cloud-based, integrated email security, continuity, and
archive solution is the best solution for the majority of businesses. A Cloud-based solution is ultimately the
fastest and easiest to deploy, provides the most effective continuity options, offers the potential to grow
with the business, and reduces both the time and cost of on-going maintenance requirements.

WP/0005/v1.0/EN
Disclaimer
The information and content in this document is provided for informational purposes only and is provided “as
is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages,
including any consequential damages, of any kind that may result from the use of this document. The information
is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the
data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of
information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express
or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information
contained in this document.
If you believe there are any factual errors in this document, please contact us and we will review your concerns as
soon as practical.
© 2011. GFI Software. All rights reserved. All product and company names herein may be trademarks of their
respective owners.
