Commentary: Spam and security

By Laura Koetzle, Analyst

Spam isn't just an annoyance--it has altered people's behavior.

Today, North American online consumers are 47 percent less likely than they were in 2000 to look through e-mail promotions for interesting items. The spam problem won't go away, because the costs of sending it are extremely small. In fact, the bulk of the cost of junk e-mail is borne by the recipient--in increased bandwidth and server requirements--rather than by the sender.

In response to users' desire to be insulated from oceans of junk e-mail, Microsoft's new Outlook 11 will ship with defaults designed to spare them from involuntary exposure to offensive and extraneous images that often accompany spam. This shift in policy for Outlook isn't just a crowd pleaser--it reflects a broader shift in Microsoft's strategy.

Security can't be considered in isolation--it always must be traded off against either cost or ease of use. Microsoft historically has shipped its products with the security settings dialed down to win over end users. Users and system administrators have long had the option of locking down Microsoft's operating systems and applications with more restrictive settings but have rarely chosen to do so, because they enjoyed convenient features like the automatic download of images referred to in HTML e-mail.

Today, however, Microsoft needs to drive growth in the high-end enterprise market, which means winning over information security staffers who feel burned by Microsoft's longtime policy of user-friendly, relatively insecure default settings. That's what

		Related story New Outlook to boot spammers Microsoft takes spam fighting more seriously in the next version of its e-mail software.

Microsoft designed its Trustworthy Computing initiative to do, and that effort will be critical to Microsoft's success, because 85 percent of billion-dollar North American companies have groups dedicated to information security.

The more restrictive default settings that will ship with products like Outlook will be the most visible pieces of the Trustworthy Computing initiative for end users. However, information security officers will pay far more attention to the effects of the secure coding training that Microsoft's developers received as part of the initiative. Security czars will expect that training to result in fewer security holes in Microsoft's forthcoming .Net Server operating systems.

Although more security-oriented default settings from Microsoft will help improve overall security, they don't absolve users and system administrators of the ultimate responsibility for securing their computing environments.

© 2002, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.