email survey report final

8/14/2019 Email Survey Report FINAL

1/16

Survey on emailmanagementApproaches to security and compliance

in the finance industry


2/16

2 Survey on email management

Contents

Introduction 3

Methodology 4

Summary 5

Main Findings 6

Significant issues 6

Biggest challenges 7

Global vs. local control 8

Number of suppliers 8

Benefits of a single management point 8

Email interaction with customers 9

Cost of message management 10

Governance and compliance 12

Conclusion 14

Contacts 15


3/16

3Survey on email management

Introduction

Email is now the foundation of business communication, replacing paper and voiceas the most critical single element of the corporate communications infrastructure.

Recent years have seen an exponential growth in the amount of information flowing

through electronic communication channels.

Email and other electronic messaging, such as instant messaging (IM) and text

messaging (SMS), are now considered a viable medium for taking orders, sending

approvals and contracts, and discussing sensitive financial issues. As financial

services organisations open up their networks to clients and partners, they are being

forced to take the threat of spam, virus and denial of service attacks seriously to

avoid any disruption to their business. In the wake of complex corporate failures such

as Enron, WorldCom and Parmalat, they are also coming under increasing pressure

from regulators to maintain archives of all communications.

But how are large organisations managing these challenges? This was the overall

question set by this survey, conducted by MORI on behalf of BT, which sought clear

and unbiased feedback from leading financial services companies across the UK,

US and Europe.

Firstly, the survey established the profile of the interviewees, ensuring that respondents

had responsibility for contributing to strategic decisions about message management.

Respondents tended to be from large organisations, with 25 per cent claiming more

than 15,000 employees worldwide. These include names such as AIG, Barclays Bank,

Socit Gnrale and Swiss Life.

Major challengesThe survey considered the major issues in email message management that

organisations face today, and asked them to predict how the cost and significance

of these issues will change in the coming years. It then sought to discover how the

message management infrastructure is currently organised, and identify areas where

respondents thought this could be improved to meet future needs.

In particular, the survey examined the major challenges around security and

compliance, and sought to identify where organisations priorities lie in terms of

budget growth and allocation. The link between security and compliance was also

examined, in addition to organisations readiness to meet requests from regulators

for access to archived communications.

The results make important reading for any senior manager involved in strategic

decisions about message management. It reveals differences in focus in the countries

surveyed, and illustrates the key role that a secure messaging infrastructure plays in

todays financial organisations.

The following document provides important insights into the survey results.


4/16


Methodology

This research was conducted by MORI on behalf of BT. One hundred and twelveinterviews were conducted within retail and wholesale banks, insurance companies,

investment managers and building societies. Interviews addressed a representative

sample of organisations in the UK, US, France, Germany and the Netherlands.

Of the 112 respondents, 79 had responsibility within the IT side of the business,

and 33 worked in the areas of risk and compliance. MORI interviewed senior staff

with responsibility for IT, with job titles including CIO, systems director and IT

director. Managers responsible for operations and risk management were also

interviewed, and job titles in these areas included head of compliance and head

of risk.

Some questions were asked of both IT and risk groups, while others were specific

to one.

Within the 112, 89 respondents worked for organisations that had some level of

retail finance business, and several questions were asked just of this segment.

On certain questions, the responses do not add up exactly to 100 per cent due to

rounding or the fact that multiple responses were allowed.

Fieldwork

Fieldwork and data processing was carried out at the end of 2004. All interviews

were conducted by telephone using CATI (Computer Assisted TelephoneInterviewing). No financial incentives were offered to respondents, only a copy

of the final published findings.

UK US France Germany Netherlands TOTAL

management

Banking 10 19 16 10 5 60

Insurance 8 5 4 8 4 29

Investment 2 2 1 2 0 7

All 4 0 0 0 0 4

Other 1 5 0 0 0 6

Dont know/refused 5 0 0 0 1 6

TOTAL 30 31 21 20 10 112


5/16


Summary

The survey looks at issues impacting on message management that can becategorised as either controlled or uncontrolled. The uncontrolled category is

about reacting to external threats, which may or may not be experienced by

the organisation. Viruses, spam, hacking and phishing all fall into this area.

The controlled category is about an organisation making changes internally

in response to set regulation or best practice. This survey reveals that both

categories are crucial to successful message management, but there are

geographic differences in the prioritisation of issues.

Of the external threats that financial organisations face, viruses are still seen

as the most potentially damaging, and are rated as a more significant issue

than spam, hacking and phishing. This is expected to still be the case in three

years time.

Across the different countries surveyed, France is the most focused on security

concerns such as viruses and boundary protection, while the UK and US are most

concerned about archiving and compliance issues.

Most organisations use multiple suppliers of software and services to support

their messaging environments. Despite this, having a single point for management

is seen as beneficial, mainly in having a single user interface for management,

and also in the policy setting for individuals and groups.

Most organisations dont know the total cost of ownership (TCO) of their current

messaging environment, which is probably a reflection of the complexity of

measuring an environment that spans all parts of the business. Success is likelyto be seen as the absence of failures and attacks that damage the business.

The largest budget increases related to message management across all countries

except France will be in the areas of archiving and compliance. Although this will

include an element of security, storage and retrieval are the most crucial areas for

development.

For the majority of retail finance respondents, email is already an important tool for

interacting with customers. They would like to use this communication channel

more if security and authentication concerns can be addressed.

Particularly with viruses and

spam, a centralised

management shortens the line

of communication and makes

it easier to get a definite

answer. Hence its possible to

react faster to threats.

Germany


6/16


Main findings

Significant issuesViruses are considered the most significant issue that organisations face in managing

their messaging environment, with 86 per cent of respondents saying this was a

significant issue. Interestingly, even phishing attacks, which have mainly targeted

the most prominent retail banks to date, were considered a significant issue by 60

per cent of respondents. This is probably due to rising press coverage of the threat,

and associated reputational risk issues.

Looking at the geographic breakdown for ratings on the significance of these issues

illustrates some interesting trends that are borne out in the results of subsequent

sections.

Ninety per cent of UK respondents rated archiving as a significant issue today.

This result can be associated with that countrys Financial Services Authority (FSA)

and its regulatory agenda, together with the close linkages to US firms who have

already been forced to address this issue by the Securities and Exchange Commission

(SEC). This compares to the 60 per cent of Dutch and 67 per cent of French

respondents who thought this issue significant.

Spam

Viruses

Hacking

Phishing

Archiving

Mailbox management

31

70

51

32

54

39

40

16

18

28

23

37

21

9

21

26

16

16

6

5

7

11

4

4

2

0

3

4

2

4

%Base: All respondents (112)

Very Fairly Not very Not at all Dont know

Q1a. How significant do you think each of the following issues is for your organisation now?

Spam

Viruses

Hacking

Phishing

Archiving

Mailbox management

39

42

32

30

33

28

16

22

21

22

23

26

6

2

3

3

4

3

26

28

33

29

29

30

4

3

5

8

1

4


Much more Little more

8

4

5

7

11

9

Little less Much less Same Dont know

Q1b. How do you see the significance of these issues changing for your organisationin three years time?

UK

USA

France

Germany

Netherlands

27

32

48

5

60

63

58

43

50

20

7

3

5

30

20

0

0

0

5

0

3

6

5

10

0


Very Fairly Not very Not at all Dont know

Q1c. How well prepared do you think your organisation is to meet the challengesof mailbox management?

Identification and storage

of what we need to archive

is a challenge. Most of what

we receive is garbage, and

we dont want to have to

save everything.

UK

Our main challenges are

to ensure availability and

integrity of mails as well

as to make sure that

those mails arent

distorted during thetransfer from one person

to another one.

France


7/16


Archiving is an open question for us,

we know what we want to do but the

technical implementation will be achallenge, i.e. how in detail we will

set everything up to satisfy strategy

and cost-factors. We will also in the

near future harmonise the

messaging systems to prevent a cost

increase in the long-term. Again,

the real technical implementation

will be a challenge.

Germany

%Base: All IT respondents (79)

Security

Archiving

Email

Accessibility/availability

Other

Dont know

None

28%

30%

18%

5%

25%

5%

9%

Q2. What are the biggest challenges for your organisation in message management?

Looking at how this significance is expected to change, 90 per cent of French respondentsthought that viruses will be more of an issue in coming years, as opposed to just 57 per

cent of UK and 40 per cent of Dutch respondents. The French focus on security in

general and viruses in particular is another recurring theme of this survey.

On the subject of preparedness for dealing with mailbox management challenges,

German respondents were the least confident, with 35 per cent considering themselves

ill-prepared. Institutions in France, the UK and US were the most confident, all with 90

per cent believing they are well positioned to cope with any challenges.

Biggest challenges

This was an open-ended question and not surprisingly, given the wide range

of internal and external threats that organisations face, security tops the list of

challenges for IT respondents, followed closely by archiving.

Again, archiving and security are the two areas with the largest geographical differences.

Only six per cent of French respondents considered archiving a challenge, as opposed to

41 per cent of UK and 50 per cent of Dutch respondents. On the flipside, 61 per cent of

those representing organisations in France thought security was challenging, compared

to 18 per cent of US and zero Dutch respondents.

Other challenges identified as a result of these questions include efficiency, productivity

and rationalising solutions. Nine per cent of those surveyed thought they faced no

challenges in message management, which either indicates a high degree of sophistication

and preparedness, or complacency about the issues identified in question 1.

In a separate question, 81 per cent of respondents agreed with the following statement:

The threat of email anarchy and escalating costs is real for those companies who do

not address their message management correctly.


8/16


Main findings

Global vs. local control

In all the areas identified, the majority of organisations have centralised management

at a global head-office level. Taking France out of the equation, the trend towards

centralised management is even stronger. In each area, the majority of French

respondents said responsibility for decisions and management resided at a local level.

As the organisations surveyed in France comprised both French companies and local

subsidiaries of global firms, this irregularity cannot be explained just in terms of a

unique French approach to organisational structure.

Number of suppliers

Although this question didnt specify the full scope of messaging areas, from general

email applications through to boundary protection and archiving and retrieval,

the majority of respondents, 51 per cent, admitted to using more than one supplier.

Almost one in five (19 per cent) use more than four. US-based organisations use

the most with 55 per cent having three or more suppliers. German organisationsuse the least with 78 per cent having only one supplier.

Benefits of a single management point

Having a single user interface for all messaging systems and simplified implementation

of policies for individuals or groups of users were seen as the major benefits from having

a single management point. Other benefits mentioned by survey respondents include

central administration and management, lower cost of control, and increased speed of

response to incidents. It is interesting to note that 28 per cent of those surveyed in

France considered remote management as a key benefit, and this probably relates to

the less centralised management structure identified in question 3.


Simplified implementation of policies forindividuals or groups of users

Single user interface for all messaging systems

Remote access to single management interface

Centralised administration

Control

None

Other

24%

22%

11%

9%

4%

14%

35%

Q5. What would you see as the key benefits of having a single management point for yourmessaging systems?

Base: All IT respondents (79)

Q4. How many suppliers do you usefor messaging solutions?

38%

16%16%

19%

10%

1

2

3

4 or more

Dont know

22%


4%

Q3. Are the following areas managed primarily at a global level (i.e. decisions are takenstrategically from head office and implemented consistently across the company network)or at a local level (i.e decisions are taken locally or regionally on a case-by-case basis)?

Boundary protection (e.g. anti-spam/virus/content control)

Secure messaging (e.g. phishing/hacking/B2B and BC2 emails)

Compliance (e.g. regulatory archiving/audit trail)

Mailbox management (e.g. hosting/DR/Exchange migration)

Global Local Dont know

%

75%

29% 1%70%

27% 4%70%

44% 3%53%


9/16


Email interaction with customersAmong the majority of respondents whose organisations operate in the retail

financial sector, email is already an important tool for communicating with

customers, and its use is likely to increase if the security and authentication

concerns can be addressed.

Across all respondents, 60 per cent are looking for some increase in customer

interaction via email. But it is interesting to note the geographical differences for

this question. In the US, only 43 per cent of respondents are seeking more use of

this channel, which is perhaps a reflection of the maturity of internet banking and

the existing use of e-statements in that market. In Germany though, 77 per cent

of respondents want to do more in this area, indicating that this is a relatively

untapped channel.

The majority of all respondents want to increase use of email for almost all the listed

purposes, but a significant number 72 per cent believe that security is the biggest

deterrent to realising their ambitions. This highlights the need for a more secure

email infrastructure that is capable of integrating with other bank systems and

delivering information to customers in a trustworthy manner.

%Base: All retail respondents (89)

72%

65%

57%

47%

30%

7%

Q8. Which, if any, of the following would you say are significant deterrents toincreased customer interaction by email?

Security (e.g. hacking)

Authentication (e.g. online fraud)

Viruses

Compliance

Archiving (recoveringinformation efficiently)

Non of these

%Base: All retail respondents (89)

Day-to-day contact

Statement provision

Application form provision

Contract provision

Quotes provision

None of these

55%

54%

53%

51%

49%

17%

Q7. Which of the following would you like to do more with customers by email?Base: All retail respondents (89)

Q6. Considering your current interaction withcustomers (business and individuals) viaemail, would you like this interaction toincrease, decrease or stay the same overthe next three years?

36%

24%

33%

3 2 2

Increase a lot

Increase a little

Stay the same

Decrease a little

Decrease a lot

Dont know

Particularly with viruses

and spam, a centralised

management shortens the

line of communication

and makes it easier to get

a definite answer. Hence

its possible to react

faster to threats.

Germany


10/16


Main findings

Cost of message managementOutsourcing of message management processes and infrastructure is still in its

infancy, but the survey shows that it can deliver cost benefits. An interesting difference

in the ongoing cost of mailbox management can be seen when comparing those who

outsource some or all of their message management including those who would

consider outsourcing in the future and those who dont. More than twice as many

respondents who outsource, or would potentially outsource, expect costs for message

management to decrease, at 26 per cent, compared to only 10 per cent of those who

plan to keep the solutions in-house.

The cost of administering the messaging infrastructure is most likely to increase in the

area of compliance, according to 65 per cent of all respondents. Particularly in the

Netherlands and US, costs are predicted to rise in this area, with 75 per cent and 73

per cent respectively predicting compliance will become more expensive. France (67

per cent) and the UK (65 per cent) also expect compliance costs to rise, with only

Germany lagging behind the average with 50 per cent.

In line with the security focus identified in earlier questions, the highest response for

costs increasing in relation to boundary protection came from those surveyed in

France, at 78 per cent, followed closely by the Netherlands with 75 per cent. In the UK,

only 29 per cent expected costs in this area to rise.

Expected costs and budget allocation normally align quite closely, although this isnt

always the case, as sometimes costs can be borne out over several budget cycles. But

in this case, compliance cost increases and budget increases would look to be broadly

in alignment. This is particularly the case in those countries that have previously been

identified as being concerned about compliance issues. Forty one per cent of UK and

55 per cent of US respondents will be spending more on compliance, as opposed to

only 11 per cent of German respondents. France is the odd country out with only sixper cent planning to increase compliance budgets, despite 67 per cent believing the

cost of compliance is likely to rise.

In the area of secure messaging, many more French and Germans expected budget

rises than their UK, US and Dutch counterparts.


Boundary protection

Secure messaging

Compliance

Mailbox management

19%

18%

13%

15%

Q9. Which of the following messaging processes or systems do you currently outsource?


11/16


Given the cost cutting exercises that many banks have gone through in the past few

years, and the pressure on managers to demonstrate return on investment (ROI) and

total cost of ownership (TCO) for technology investment, the results for question 12

might seem surprising.

Seventy seven per cent of all respondents dont know the TCO for their current

message management services, and this percentage was even higher 89 per cent

in both France and Germany. This is possibly due to the complex nature of the

messaging infrastructure and the fact it touches every line of business and support

department. As well as specific messaging applications, the infrastructure also

requires associated investment in hardware and ongoing maintenance and support.

In the majority of cases where TCO has not been calculated, it is likely that reliability

and invulnerability the lack of attacks and failures are seen as the measuring stick

for success or otherwise of any investment in the messaging infrastructure.


Q12. Do you accurately know the total costof ownership (TCO) for your currentmessage management services?

Yes

No

23%

77%

20

25

29

18

34

38

35

34

1

3

3

4

24

22

22

30

8

4

8

1

Incr. lot Incr. little

13

9

4

13

Decr. little decr. lot Same Dont know

Boundary protection

Secure messaging

Compliance

Mailbox management


Q10. How do you expect the costs of administering each of the following areas to increase ordecrease over the next three years?


Q11. Of those four areas, where do you thinkwill be the single biggest budget increase?

Compliance

Boundary protection

Secure messaging

Mailbox management

Dont know

29%

19%19%

19%

14%


12/16


Main findings

Governance and complianceAlthough an increased focus on security was seen as the biggest issue arising from

regulatory compliance, the results from respondents indicate there is not a great deal

of consensus on any single impact. This could arise from the different regulations faced

by financial organisations in the markets in which they operate. It could also arise from

confusion in the market about the implications of specific items of legislation.

IT governance includes activities such as providing clear audit trails and effective

archiving in order to meet organisation compliance and governance regulations.

Only 25 per cent of German respondents expect a significant increase in IT governance

costs, as opposed to a group average of 56 per cent. The UK came in highest here,

with 70 per cent. Costs rise in relation to what needs to be undertaken to help the

organisation achieve compliance and best practice, so this indicates that there is still a

lot of work to be done.

The retrieval aspect of the archiving required by legislation is often ignored. But simply

having all relevant information and communications stored somewhere is not enough

to achieve compliance. Organisations need to be able to access the required

information in a timely fashion in response to requests, or risk a fine.

Forty-eight hours is the usual turnaround time for requests from the US Securities and

Exchange Commission (SEC), and while many other regulators havent specifically set

such timeframes, it is a useful benchmark for analysing an organisations archiving and

retrieval capabilities.

Governance compliance

and regulatory

pressures are making us

manage our messaging

environments better.

There is governance

around what we can

and cant do, and this is

having a positive

impact in making us

more efficient.

US

%

Increased focus on security

Increased costs

Improved archiving

Advanced search/retrieval capability

High impact

Authentication

More difficult

Improve standards

Pre-scanning for dangerous word combinations

Little impact

Other

Dont know/no answer

30%

22%

21%

8%

Q13. What impacts do you think compliance will have on your message infrastructure?


6%

1%

1%

14%

7%

5%

2%

2%


13/16


Not surprisingly, given the SECs enthusiasm in enforcing compliance through thethreat of large fines in recent years, the US is the most confident, with 81 per cent

saying they could meet a request if it wasnt necessarily within 48 hours. Germany

achieved the lowest score on this count, with just 60 per cent of respondents

confident they could meet a request.

Those respondents that outsource some or all of their messaging infrastructure, or

would consider outsourcing in the future, are consistently more confident of meeting

regulatory request timeframes. Asked specifically about their confidence to meet the

requirement to provide three years audit trail within 48 hours, 63 per cent of those

who outsource were confident, whereas only 40 per cent of those that dont

outsource could reply with confidence.

Base: All respondents (112)

Q15. If you received a request from a regulatory body to provide an audit trail going back threeyears, how confident would you be of retrieving all of the necessary information within48 hours? And how confident would you be about retrieving the necessary informationat all (i.e. without a tight deadline)?

Within 48 hours

Very confident

Fairly confident

Not very confident

Not at all confident

Dont know

Base: All respondents (112)

At all

Very confident

Fairly confident

Not very confident

Not at all confident

Dont know

23%

26%21%

21%

10%

40%

28%

13%

16%

4%Base: All respondents (112)

Q14. How significant do you expect anyincreases in IT governence costs to befor your organisation?

Very significant

Fairly significant

Not very significant

Not at all significant

I dont expect them to increase

I expect them to decrease

Dont know

13%9%

44%23%

3

4

5


14/16


Conclusion

The respondents to this survey are all working for sophisticated organisationsthat should have a pretty good grasp of the issues that arise when managingcrucial messaging environments for large, often global, financial institutions.So if even small numbers of respondents to this survey claim to be havingproblems with boundary protection, secure messaging and compliance,there is cause for concern.

The methods used for hacking and the propagation of viruses and spam will continue

to evolve and become more sophisticated. So organisations are faced with a moving

target. They recognise the need for constant vigilance to guard against the threats,

and have subsequently placed a priority on dealing with these issues.

Compliance, on the other hand, is a relatively static challenge. Regulations and best

practice do periodically change and evolve, but each time they do, organisations

have an easily identifiable set of objectives to achieve. The challenge is how to achieve

these objectives.

But archiving and compliance still seem to be a bit of a blind spot for many

organisations. Although the focus on security and boundary protection is strong,

the expected increase in compliance budgets and lack of confidence in meeting

regulatory requests for access to archived communications shows that this is an area

that requires more work and focus, at least in the short term. Clearly though, the

SEC is leading the way, driving change in the US at a faster rate than the other

countries surveyed.

The number of those currently outsourcing aspects of message management showsthat the practice is in its infancy, but statistics about expected cost reductions and

increased ability to meet regulatory demands show that there are benefits to

adopting this model.

The lack of understanding of TCO in current messaging environments suggest that

organisations could benefit from looking more closely at how their organisation uses

the messaging infrastructure and which critical business areas it touches. Having a

single framework for message management is one way that the required visibility

and control can be achieved, and this will have further knock-on benefits when

addressing the security and compliance challenges organisations will continue

to face.


15/16


Contacts

For more information,

please contact:

Chris Hughes

BT

Guidion House

Ancells Business Park

Fleet, Hampshire

GU51 2QP

United Kingdom

Tel: 07736 636 106

Email: [email protected]

www.btconsulting.com/financialservices


16/16

About BT

BT is one of the worlds leading providers of communications solutions

serving customers in Europe, the Americas and Asia Pacific. Its principal

activities include IT and networking services, local, national and

international telecommunications services, and higher-value broadband

and internet products and services.

www.btconsulting.com/financialservices/mori

British Telecommunications plc 2005. Registered Office: 81 Newgate Street, London, EC1A 7AJ.Registered in England No 1800000.

email survey report final

Documents