Personal Web Mail Security Risks

The debate drags on in various forums about the use and availability of personal webmail services such as those provided by Google and Yahoo from the office desktop. The questions being asked are: Should they be allowed to be used for sending business related messages? Are they a security threat? What are the risks?

I’m an advocate of the “block access” point of view. Personal webmail, if accessible, provides another vector for your data to fly out of the window, and one that you have poor control over and little ability to monitor and audit. Neither can you comply with data storage and archiving regulations if the service is being used to legitimately send and receive business data to and from external addresses.

The devil’s advocate would doubtless say something along the lines of “but what if I’m a small organisation that cannot afford to maintain a corporate email system?” I’d say fair enough; there is obviously always a need to meet requirements at the lowest cost. So if your company is small and not restricted by legislation that would prevent you from doing so, then take the chance with webmail. But you are still subject to the same risks as the rest of us when it comes to unmonitored usage.

Of course, your own corporate email might not necessarily be secure – when’s the last time somebody checked that out? Regular audits, for instance, of who has administrative access to the server are essential. However, if users are forced to use only the corporate solution then you are more likely to be able to detect breaches of trust.

One solution is to provide an alternative means of accessing personal email accounts from the office. How about setting up a few PCs on a separate ADSL line that allow employees to have access to resources that are otherwise blocked from the corporate network – sort of an Internet cafe set-up. One clever-dick at an organisation I know of which does just that decided it would be too much trouble to use one of the Internet cafe machines, so he took a wireless access point into the office and plugged it in so that he could have unrestricted access from his own desktop. So, solving one problem created another.

What about my own organisation’s policy? Access to personal webmail is blocked in some of the locales we operate in but open in others. In countries such as France and Germany, for example, where there are active and powerful works councils, it’s no simple matter to just block access to a resource that individuals feel they have a right to have access to – that would likely create a whole new set of expensive problems. Any changes to the work environment have to be discussed, negotiated, and agreed. Some acquaintances of mine report that their organisations block access while others leave it open.

I think there is too much blurring between business and personal Internet use from the corporate desktop as it is. Given that we want to be reducing the risk of private corporate data being compromised, blocking access to personal consumer services that make it easier to steal seems on the face of it like an easy solution. In fact, if you’re running your Internet provisioning through a proxy service such as Websense then it takes no more than a check in the right box to block access altogether. So why aren’t you?


Advocat is a drink. You mean advocate...
Thanks Mark - you are correct.
No, Advocaat is a drink - advocat is just a typo! But thanks for the spot, all the same. Now corrected. Our blogs are designed to be a more immediate, discursive form of publishing than print; our bloggers don't get to enjoy the benefit of sub-editors checking their every word before publication - that would simply delay the process too much, and we'd pay the cost in content currency...
Stuart, this is a great post arguing the pros and cons for both restricting access and blocking employees from third-party webmail providers. IT security best practices call for companies to prohibit access; however, as you point out, many employees (especially younger ones) feel they have a right to their personal communications in the workplace, and if blocked will find a way to get around the firewalls. I have just launched NutshellMail, which provides a productive and compliant way for employees to access personal email and social networking messages in the workplace. The solution works by sending recurring email Updates to a user's work account on a schedule they define. The email Updates provide a snapshot of all new messages in their various accounts. Through the Update a user can retrieve any message into their work account. However, since all Updates and messages retrieved through NutshellMail are sent like any other email, they must pass through companies' internal servers. Consequently, NutshellMail is transparent and all messages can be monitored and retained in line with government IT regulations and most corporate policies. If you would like to learn more or give NutshellMail a try, please check us out at
Thanks for the feedback - sounds like an interesting product and I'll be taking a look at it.