Personal Web Mail Security Risks

The debate drags on in various forums about allowing access to personal webmail services, such as those provided by Google and Yahoo, from the office desktop. The questions being asked are: Should they be allowed to be used for sending business-related messages? Are they a security threat? What are the risks?

I’m an advocate of the “block access” point of view. Personal webmail, if accessible, provides another vector for your data to fly out of the window, but one that you have poor control over and little ability to monitor and audit. Neither can you comply with data storage and archiving regulations if the service is being used to send and receive legitimate business data to and from external addresses, because that correspondence never passes through the systems you retain and archive.

The devil’s advocate would doubtless say something along the lines of “but what if I’m a small organisation that cannot afford to maintain a corporate email system.” I’d say fair enough; there is obviously always a need to meet requirements at the lowest cost. So if your company is small and not restricted by legislation that would prevent you from doing so, then take the chance with webmail. But you are still subject to the same risks as the rest of us when it comes to unmonitored usage.

Of course, your own corporate email might not necessarily be secure – when’s the last time somebody checked that out? Regular audits, for instance, of who has administrative access to the mail server are essential. However, if users are forced to use only the corporate solution, then all the mail goes through one place that you log and retain, and you are far more likely to be able to detect breaches of trust.

One solution is to provide an alternative means of accessing personal email accounts from the office. How about setting up a few PCs on a separate ADSL line that allow employees to have access to resources that are otherwise blocked from the corporate network – sort of an Internet cafe set-up. One clever-dick at an organisation I know of, which does just that, decided it would be too much trouble to use one of the Internet cafe machines, so he brought a wireless access point into the office and plugged it in so that he could have unrestricted access from his own desktop. So, solving one problem created another: a desktop that was now bridged between the corporate LAN and an unfiltered connection, which is exactly the sort of device that port security and rogue access point detection are meant to catch.

What about my own organisation’s policy? Access to personal webmail is blocked in some of the countries we operate in but open in others. In countries such as France and Germany, for example, where there are active and powerful works councils, it’s no simple matter to just block access to a resource that individuals feel they have a right to use – that would likely create a whole new set of expensive problems. Any changes to the work environment have to be discussed, negotiated, and agreed. Some acquaintances of mine report that their organisations block access while others leave it open.

I think there is too much blurring between business and personal Internet use from the corporate desktop as it is. Given that we want to reduce the risk of private corporate data being compromised, blocking access to personal consumer services that make it easier to get data out of the building seems, on the face of it, like an easy solution. In fact, if you’re running your Internet provisioning through a proxy service such as Websense, then it takes no more than a check in the right box to block the webmail category altogether. Bear in mind that such a block only covers traffic that actually goes through the proxy; a desktop with its own route out, as in the wireless access point story above, never sees it. So why aren’t you?
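Even where a category block is not yet in place, the proxy log is the one place the webmail traffic is visible, and it is worth knowing who is using these services and whether they are sending, not just reading. The following is an added example, not code from the original post or from any proxy product: it runs a block-list match over a handful of constructed proxy log lines in a Squid-like layout (timestamp, client IP, user, method, URL, status). The domain list and the log lines are illustrative assumptions; a real deployment would take the webmail category from its proxy rather than maintain a list by hand.

```python
"""Added example (not from the original post): spot personal webmail use in
proxy access logs and flag the requests that actually carry data out.

The log lines, user names and domain list below are constructed samples.
"""

from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative block list (assumption, not a complete one). A real proxy such
# as Websense supplies this as a category; it is spelled out here only so the
# example runs offline.
WEBMAIL_DOMAINS = (
    "mail.google.com",
    "gmail.com",
    "mail.yahoo.com",
    "outlook.live.com",
)

# Constructed sample log lines: timestamp, client IP, user, method, URL, status.
# The CONNECT line is what HTTPS looks like when the proxy does not inspect TLS.
SAMPLE_LOG = """\
1712000000.123 10.1.2.3 jsmith GET http://intranet.example.local/ 200
1712000001.456 10.1.2.3 jsmith GET https://mail.google.com/mail/u/0/ 200
1712000002.789 10.1.2.3 jsmith POST https://mail.google.com/mail/u/0/?ui=2&act=attach 200
1712000003.000 10.1.2.4 agarcia GET https://evilgmail.com/ 200
1712000004.000 10.1.2.5 bjones GET https://www.yahoo.com/news 200
1712000005.000 10.1.2.5 bjones POST https://mail.yahoo.com/d/compose 200
1712000006.000 10.1.2.6 cwhite CONNECT mail.yahoo.com:443 200
"""


def is_webmail_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed webmail domain.

    A plain substring test would be wrong: 'evilgmail.com' must not match
    'gmail.com', and 'www.yahoo.com' is not 'mail.yahoo.com', so compare on
    label boundaries only.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def parse_line(line: str):
    """Split one log line into (user, method, host); None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, _ip, user, method, url, _status = parts
    method = method.upper()
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL.
        host = url.split(":", 1)[0]
    else:
        host = urlsplit(url).hostname
    if not host:
        return None
    return user, method, host


def webmail_report(log_text: str) -> dict:
    """Per-user counts of webmail requests and of POSTs to webmail hosts.

    A POST to a webmail host is the request that carries a message or an
    attachment out of the network, so that is the count worth alerting on.
    Over CONNECT tunnels the method is invisible, which is the limit of
    monitoring without TLS inspection.
    """
    report = defaultdict(lambda: {"requests": 0, "posts": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host = parsed
        if not is_webmail_host(host):
            continue
        report[user]["requests"] += 1
        if method == "POST":
            report[user]["posts"] += 1
    return dict(report)


if __name__ == "__main__":
    for user, counts in sorted(webmail_report(SAMPLE_LOG).items()):
        print(f"{user}: {counts['requests']} webmail request(s), "
              f"{counts['posts']} message/attachment upload(s)")
```

Run as-is it reports jsmith and bjones with one upload each and cwhite with a webmail session whose contents are unknown, while agarcia's visit to a look-alike domain is correctly ignored. The CONNECT case is the practical caveat: without TLS inspection at the proxy you can see that someone used webmail, but not whether they sent anything, which is one more reason the block is simpler than the monitoring.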