Companies should scan webmail traffic for malicious activity and data loss, and to control the insider threat.
According to Peter Galvin, chief marketing officer at Proofpoint, as well as corporate email, companies should scan other email applications, or at least monitor their use and then decide whether or not to block them.
When asked if this would infringe privacy policies, Galvin said: “It depends on the organisation and its policies; in a financial services company they are trying anything that secures the network. It does have an impact and it depends on the company, as an organisation should be comfortable with monitoring, but the rule is do not use it. It is still a requirement to protect confidentiality of information in the organisation.
“I think from a privacy standpoint it is between control over the enterprise network and what goes over the network, and in most cases privacy issues are understood. People are realising that companies are trying to comply with rules, regulations and policies and in many cases they are trying to protect against non-malicious employees that are sending out information, but you can set up a system that can do outbound scanning.”
Dan Bleaken, malware data analyst at Symantec Hosted Services, claimed that traditionally the vast majority of 419 scams are sent from webmail accounts, and that sending the scam via webmail adds legitimacy to the mail, makes the email harder for security vendors to block, and helps to hide the identity of the scammers.
In a discussion on the SC Magazine LinkedIn group, various opinions were given on the ethics and practice of blocking webmail access in the workplace to cut down on the potential problems that access can cause.
Darron Gibbard, threat assessment manager at BSkyB, said that if a company has a clear statement in its security or acceptable use policy stating that access to webmail is not permitted, then it is not an issue. “The technology solution you put in place to monitor this is then a cape cost to your team in respect to data loss prevention (DLP) or email monitoring,” he said.
Jeremy Orritt, corporate accounts executive at Redstone, said: “If webmail being used in the workplace is non-work related then I believe it is down to the employer as to whether they allow its use or not.
“As with social networking, if it is safe and poses no threat to the network then allow it. If it is being used for business purposes then there needs to be clear differentiation between personal and business use. There are a number of DLP products available today that do not rely on which channel is being used and rather approach this problem from a data-centric position. Surely, if the data itself is protected, then whether a user tries to send it maliciously or it is pure accident becomes a moot point.”
Richard Turner, chief executive at Clearswift, said that simply reading and logging a message for the sake of it would be considered by most as an invasion of privacy, and it really has to come down to how you do it and why you are doing it.
He said: “Clearly defined policies and a culture of openness with regard to how and what you do will clarify to all. A search for specific terms/details within an email can be done to ensure that it adheres to corporate compliance, and by doing so an employer is undertaking a duty of care to protect its employees.
“If a business is open and progressive enough to allow webmail to originate from within its firewalls, and let's face it, more and more are, what's wrong with ensuring that a file that would be blocked were it attached to a corporate email isn't at risk of disclosure simply because it's being communicated on the HTTP channel instead?
“The term ‘accidental’ is often used by organisations to highlight why things have gone wrong – but this just means that the data security policy was not defined, not shared nor enforced. Whether it is via webmail or information shared on a social network, employees today expect to be able to live their personal lives online whilst in the workplace - remember, we are working harder than we've ever done and, as a result of VPNs, notebooks and more recently smartphone technology, the line between business and personal has greyed, if not gone entirely.”
Nick Sears, FaceTime's VP of security, management and compliance for unified communications, IM and social networks, claimed that to block access is counterproductive to most organisations as users heavily rely on them to support business processes, but that should not mean opening up the network to every application.
He said: “Organisations do however need to provide granular access to applications appropriate to the role of the user in the company. You might want Nick in sales to have access to webmail, but not to be able to attach files, or access to Facebook, but not Farmville.
“From a legal standpoint, anything that occurs on the company network is liable to a variety of government and regulatory legislation, much of which makes it quite clear that an organisation's liability is for all electronic communications, not just the ones provided by the organisation such as email or unified communications. That means Facebook, Twitter, Live Messenger etc. all come under the legislative banner, not just webmail.
“Obviously any monitoring needs to be included in the usage policy, but it should also be backed up by educating the user as to why it is required. Besides legislation, an organisation also needs to protect its own interests against fraud and intellectual property loss, and if it is not checking the content of posts and messages on all accessible communication channels, then it should seriously consider blocking access altogether. Given the choice, I expect users would rather be slightly more circumspect with what they send out at work than face a total ban on webmail.”
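Two points in the discussion above lend themselves to a small worked illustration: Orritt's and Turner's argument that a data-centric DLP rule should apply identically whether a file goes out as a corporate email attachment or over the HTTP webmail channel, and Sears's point that access should be granular per role (webmail allowed, attachments not). The following is an added example, not code from any vendor or participant quoted here; the role names, channel labels, sensitivity markers and sample messages are constructed assumptions.

```python
import re
from typing import Optional, Set

# Constructed example: a channel-independent DLP decision followed by a
# per-role channel check. Markers and policy table are assumptions.
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

def luhn_ok(digits: str) -> bool:
    """Luhn check so arbitrary 16-digit numbers are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> Set[str]:
    """Return the sensitivity labels found in a message body or attachment text."""
    labels = set()
    if any(m in text.upper() for m in CONFIDENTIAL_MARKERS):
        labels.add("marked-confidential")
    for m in re.finditer(r"\b(?:\d[ -]?){15}\d\b", text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("card-number")
            break
    return labels

# Assumed role policy: which channels a role may use, and on which it may attach files.
ROLE_POLICY = {
    "sales":   {"channels": {"corporate-smtp", "webmail-http"}, "attachments": {"corporate-smtp"}},
    "finance": {"channels": {"corporate-smtp"}, "attachments": {"corporate-smtp"}},
}

def decide(role: str, channel: str, body: str, attachment: Optional[str] = None) -> str:
    """Apply the per-role channel rules, then the same data rules to every channel."""
    policy = ROLE_POLICY.get(role)
    if policy is None or channel not in policy["channels"]:
        return "block:channel-not-permitted"
    if attachment is not None and channel not in policy["attachments"]:
        return "block:attachments-not-permitted"
    # The content check does not care whether this is SMTP or HTTP.
    labels = classify(body) | (classify(attachment) if attachment else set())
    if labels:
        return "block:" + ",".join(sorted(labels))
    return "allow"
```

The same `classify` verdict is reached for a confidential document whether it travels as an SMTP attachment or an HTTP upload; only the role table decides which channels are open at all.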