Top Five Myths of Outsourcing E-Mail Security
Law firms are naturally concerned whenever anyone brings up the topic of “outsourcing security,” whether it relates to e-mail communications or any other aspect of the IT infrastructure. Safeguarding the privacy and security of privileged communications is essential for law firms. Yet comments by leading industry analysts, as well as industry surveys, reflect changing attitudes toward outsourcing security — particularly when it comes to fighting spam and viruses. This article addresses and corrects the most common myths surrounding the concept of outsourcing e-mail security to a managed e-mail security service.
Myth #1: We’ll lose control if we outsource e-mail security. Mathew Kovar, a vice president for analyst firm Yankee Group’s security solutions group, thinks the contrary. He recently observed that many companies today are making the move to outsourcing security:
Security outsourcing will prove attractive, for reasons other than the cost savings typically cited by companies that farm out business processes. Among the drivers toward managed services are the accelerated attacks of today’s threats — giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network — legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.1
Kovar cites anti-spam services as a prime example of this trend, saying that “One of the easiest managed services to see success is e-mail anti-spam services. People saw the pain and saw that they needed to outsource the solution.”1
Phebe Waterfield, another analyst at Yankee Group, is more specific:
“Many companies once tried to manage spam internally because they were concerned about entrusting their e-mail to an outside company. That’s considered a little paranoid these days now that the aggressive and ubiquitous nature of spam has led to a change in mindset.”2
AmLaw Tech magazine’s own annual survey of anti-spam solutions published in September shows that outsourcing e-mail security is now not only accepted but is a popular choice among many law firms.3
Myth #2: We can’t comply with policies or regulatory standards if we outsource e-mail security. Many anti-spam managed service firms must first accept and store messages on their own servers, filter out spam and viruses from those messages and then pass along legitimate messages to their customers. However, other managed services are able to conduct analysis of messages in memory, in real time. The result is that no legitimate messages get stored, but rather, they are instantly passed along to their respective recipients. It’s an important distinction when evaluating an outsourced e-mail security solution that will minimize privacy and security concerns.
If your firm’s e-mail system goes down for any reason, an e-mail security managed service should also have the ability to spool or hold messages rather than letting them bounce back to senders. This ensures that in the event of an e-mail server outage inside your firm’s network, messages can be retained by the managed service until your e-mail server is able to accept them again.
For an extra measure of assurance you should look for an e-mail security managed service that has been SAS-70 or WebTrust certified. Developed by the American Institute of Certified Public Accountants (AICPA) and based on the global ISO 17799 standard, both SAS-70 and WebTrust certifications mean that the managed service’s business and security practices pass inspection for ensuring the availability, integrity and confidentiality of its systems and your firm’s communications.
Myth #3: It’s more expensive to outsource anti-spam and e-mail security. The perception that outsourced services are more expensive than in-house solutions is clearly a myth when one considers the total cost of ownership involved in purchasing, updating and maintaining anti-spam software or appliances. In fact, here’s how a managed service for e-mail protection can save money compared to in-house anti-spam software and appliance products:
1. Provide less complexity managing and maintaining e-mail security. E-mail security managed services are effective, regardless of the mix of e-mail platforms or operating systems in a firm’s IT environment.
2. Minimize risk of e-mail system performance degradation or failure. Since intrusions cannot reach the firm’s e-mail gateway, your network cannot be overloaded or compromised from e-mail threats, thus avoiding slowdowns or e-mail system downtime.
3. Lower infrastructure costs. By keeping spam, viruses and attacks from ever reaching internal e-mail servers, firms can eliminate or avoid purchasing additional servers because e-mail traffic is significantly less. This also reduces your firm’s e-mail archiving storage space requirements since no spam messages are ever accepted or stored.
4. Reduce administrative burden on IT staff. By eliminating the burden of maintaining additional in-house IT infrastructure, your firm’s IT personnel are free to focus on supporting firm activities, and supporting revenue-enhancing tasks.
5. Restore user productivity. Beyond e-mail infrastructure and IT staff time savings, an e-mail security managed service can easily pay for itself with improved productivity of all users in the firm.
Myth #4: Outsourcing e-mail security can’t accommodate my diverse users. While some anti-spam service vendors require a “one-size-fits-all” approach, others offer administrative flexibility that can reduce the necessity of time-consuming IT staff oversight and allow your attorneys and other users to customize their e-mail filtering within limits set by your firm’s overall e-mail policy. A managed service should allow individual users to control the aggressiveness of spam blocking within limits set by the administrator, as well as give them the option to review quarantined (suspect) messages if they choose. This permits the administrator to satisfy the requests of those who may want to review all quarantined messages.
Myth #5: Outsourcing e-mail only lets me conduct content policy filtering for inbound mail. Nothing could be farther from the truth. An e-mail security managed service can block viruses and enforce policy compliance for both incoming and outgoing e-mail. Look for Web-based access that will allow your e-mail administrator to set policies for individual users, for user groups and for the entire firm. This kind of flexibility is particularly important for firms that want to vary message policies according to the roles of specific attorneys or other firm employees.
If believing any or all of these myths has stopped you from checking out outsourced e-mail security, perhaps it’s time for another look.
End Notes
1 “Report Says Virtually All Big Companies Will Outsource Security by 2010,” Gregg Keizer, TechWeb News/InformationWeek, August 23, 2004.
2 “Get Rich Quick Fighting Spam?,” Esther Shein, CFO.com, April 27, 2004.
3 The 9th Annual AmLaw Tech Survey, AmLaw Tech magazine, September 2004.
About our author . . .
Andrew Lochart is the Director of Product Marketing for Postini, Inc., the number one managed e-mail security service for law firms. Andrew has extensive e-mail industry experience, having worked for more than a decade in a variety of senior marketing management roles at HP OpenMail, Mirapoint and Sendmail. He can be reached at 650.482.3161 or lochart@postini.com.