October 4, 2004 By Shane Peterson
That dark side is the number of complications e-mail can bring to an enterprise, requiring a CIO to strike the right balance between e-mail's usefulness and the trouble it can cause. Whether it's a security or archiving issue, e-mail creates headaches for the unprepared.
When the MyDoom worm tore through servers and PCs in early 2004, one CIO fought back with an interesting tactic.
Tom McQuillan, director of Information Technology for Grand Rapids, Mich., cut off city employees' access to Web-based personal e-mail accounts because of the danger of people bringing in viruses, worms or Trojan horses through the back door.
Oceanside, Calif., CIO Michael Sherwood had a different dilemma -- complying with public-records requests in a cost-effective way. E-mail, including citizen inquiries, complaints, contracts and interoffice communications, is part of the public record, and the city's old way of archiving e-mails hampered efforts to find specific e-mail documents upon request.
No More Web Mail
Now that e-mail is an important means of communication, many people have two, three, even four Web-based e-mail accounts, such as Hotmail or Yahoo, which can cause problems when a fast-spreading worm hits networks.
Grand Rapids' McQuillan said blocking city employees from using city PCs to access personal, Web-based e-mail accounts was the logical response when he was told how many MyDoom-infected e-mails were knocking on various city servers' doors in late January and early February.
"Our system picked up 15,289 occurrences of that virus in one week," McQuillan said. "We were getting, on average, more than 100 infected e-mails every 10 minutes. The good news was, it wasn't getting through. The bad news was, we wanted to make darn sure it wasn't going to find a way around our three layers of security.
"Knowing that we seemed to be on somebody's radar screen, we thought that was an appropriate move," he said. "City leadership supported that move, and we shut it down in basically one day."
McQuillan and Information Technology Manager Pete Sneathen said they weren't actively monitoring employee e-mail accounts, but noticed a spike in Web traffic to particular sites.
"We were looking at reports for general Internet access, and we saw quite a bit of traffic, from a percentage perspective, that was going to sites such as Hotmail and Yahoo -- a lot of traffic going to the Web e-mail portion of those sites specifically.
"Based on the traffic we were seeing and the type of new viruses out at the time, it was decided to shut down personal e-mail at that time," Sneathen said.
By using a Web browser to access an e-mail account and download attachments, employees could circumvent message scanning both at the e-mail gateway and within the city's e-mail solution itself, Sneathen said.
McQuillan said the ban on accessing private e-mail accounts hasn't been an issue for employees, adding that such precautions will likely be the norm in the near future for enterprises of all types. Despite private e-mail accounts' threat to network security, telling people they can't check personal e-mail isn't a popular policy in some organizations. Employees have a persistent freewheeling attitude toward the Internet, creating a situation in which many believe it's not culturally acceptable to ban access to private e-mail accounts.
"In the e-mail and networked world, we're still on the beginning edges of some of this," he said. "In another five to 10 years, that culture will have to change. That lackadaisical attitude by someone interacting with computer technology will have to evolve. It continues to evolve as new people come out of school with more education and more experience."