Unrestricted access from the office to personal Web-based e-mail can pose security risks to businesses, but the practice is being largely ignored, according to a survey released by a security firm this week.
According to a poll taken at the Internet security monitoring portal of UK-based Marshal, 48 percent of the 242 respondents surveyed said they worked for companies that gave them complete and unrestricted access from work to personal Web mail.
“There are very few business-related reasons to allow — but many reasons to deny — Web mail access at work,” Marshal CEO Ed Macnair said in a statement.
“Web mail,” he continued, “can be a backdoor through which employees trade private company information, download or exchange inappropriate material or simply chat with their friends on company time.
“Forty-eight percent of companies without measures in place to prevent these issues is far too high a figure,” he declared.
Risky Business
Allowing employees to have access to Web mail in any corporation with a lot of intellectual property is a risk, noted Javier Santoyo, a senior manager at security software maker Symantec.
“A high percentage of attacks are attacks on the browser,” he said. “Even though companies like Hotmail, Yahoo and Google are modifying their Web mail to be safer, the most effective way to infect users is through e-mail.”
Web mail poses an additional risk because it arrives at a user’s desk without being subjected to security measures imposed on e-mail traveling through a company’s internal system, Santoyo explained.
“Web mail opens up a backdoor to the organization and relies on users to prevent an exploit or infection happening on its system,” he maintained.
Web mail is also a security risk because it tends to be in Web page format, or HTML, rather than plain text, asserted Shane Coursen, senior technical consultant at Kaspersky Lab.
“HTML e-mail presents a threat because of the scripting languages that can be contained in the e-mail itself,” he told TechNewsWorld. “They allow hackers to infect machines without much user intervention.”
Some companies recognize the risks posed by Web mail, but don’t do much about it, according to Mitchell Ashley, CTO of StillSecure.
“Many organizations may have an acceptable use policy but don’t actively enforce it,” he told TechNewsWorld.
Threat Can’t Get Respect
“Some corporations do use things like Web filtering to monitor employee activity and take disciplinary action, but that’s typically to find porn coming into the organization,” Ashley noted.
“Web mail is like Instant Messaging,” he continued. “It goes un-talked about and un-noticed.
“Employees could be running their own business out of their cubicle through their access to Web mail.
“It’s something that’s getting some attention,” he added, “but not to the degree that it should.”
Size Matters
How much attention it gets can depend on the size of the company, according to Edward Laprade, president and CEO of ADNET Technologies, of Windsor, Conn., a systems integrator whose clientele is largely small and medium-sized businesses.
“Fortune 1000 companies pay a whole lot more attention to what their employees are doing,” he told TechNewsWorld, “but if you’re talking about the small to mid market, they don’t. They really aren’t paying very close attention at all to what employees do with their mail.”
Risky or not, not all security experts believe that companies should block access to Web mail.
If an employee is malevolently motivated, shutting down Web mail is pointless, contended Jeremiah Grossman, CTO of WhiteHat Security in Santa Clara, Calif.
Monitoring Trumps Blocking
“If an insider is truly bad, they’ll figure a way to get the information out there,” Grossman told TechNewsWorld. “By blocking off that channel entirely, what you’re probably doing is cutting off your vision into who might be doing bad things.
“If you monitor employees’ activities instead of blocking them, you have a better chance of dealing with the situation and preventing it,” he added.
Monitoring can be a middle-of-the-road solution between two extreme choices for a company’s Web mail policy, observed Adam Schran CEO of Ascentive, a Philadelphia-based maker of network monitoring software.
“You can block everybody and come across as treating your employees like children, or you can enable it and place your organization at risk,” he told TechNewsWorld. “Monitoring allows a company to enable Web mail, but to give it some scrutiny.”