Personal Web-Based E-mail Creates Security Risk

Companies that allow their employees to access personal e-mail accounts via Web-based sites are putting their companies at risk, according to experts.

“If companies let employees use personal e-mail tools, but do not retain those messages, they could be facing serious legal and regulatory trouble,” says Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio. “E-mail today is the electronic equivalent of DNA evidence. If there is a lawsuit, you can take it to the bank that e-mail will be subpoenaed.”

In fact, a 2004 Workplace E-mail and Instant Messaging Study, co-sponsored by the ePolicy Institute and the American Management Association, found 21 percent of the 840 U.S. businesses surveyed had employee e-mail and instant messages subpoenaed in the course of a lawsuit or regulatory investigation.

Flynn says courts are not discriminating about whether the e-mails were sent via personal e-mail accounts or business e-mail accounts. “They want all business-related e-mails that are being transmitted by employees,” she says. Not producing these e-mails could result in a “five-to-six-figure fine”.

This puts companies that allow access to popular Web-based services like Google’s Gmail, Microsoft’s HotMail, AOL and Yahoo Mail on the hot seat.

“How many legitimate business records are escaping the company system via these services and won’t be available if the company gets involved in a lawsuit,'”she says.

Web and security experts agree the use of personal Web-based accounts is a problem for companies under strict compliance and regulatory rules, such as the Sarbanes-Oxley Act of 2002, as well as those trying to protect intellectual property.

“It’s about risk minimization,” says Mark Gibbs, founder of Gibbs & Co., a Web and network consultancy in Ventura, Calif. “Can you fully defend your compliance? If you are allowing the use of personal Web mail, you are introducing a whole new realm of risks.”

Policy and Enforcement
Gibbs says companies must decide if they’re going to take a soft or hard approach.

“If you go for the hard approach, then you’ve decided you are not going to let them access those accounts, and you have to make your network bulletproof,” he says. This requires a two-pronged approach that includes clearly stated policies and advanced monitoring, blocking and filtering technology.

First, said Gibbs, you should develop and articulate a policy to all employees regarding the use of personal e-mail. “You should have a written statement that clearly says employees cannot use Web-based e-mail from inside the corporate envelope,” he said.

Joel Snyder, senior partner at Opus One security consultancy in Tucson, Ariz., agrees. “Make sure you not only have a policy, but that you explain to your employees why you have a policy,” he says.

According to the 2004 ePolicy Institute/AMA study, 37 percent of organizations surveyed were unclear about the difference between an electronic business record and an insignificant message. Flynn says this indicates that companies need to clearly understand what information is important to them and would pose a risk if it were to get out.

She says it’s critical for companies to make employees aware of the risks involved in everyday communications, adding that companies have to put muscle behind their policies. In the survey, although 79 percent of companies have a written e-mail policy in place, only 25 percent terminated employees for violating that policy.

Flynn says companies often are unclear about what constitutes personal use. Executives must set guidelines about how much time employees can spend on personal messaging, via what systems, and with whom they can communicate.

To make sure these rules are being enforced, she recommends companies put in place monitoring and filtering tools.

Gibbs suggests using software to block popular mail service Web sites. He also says companies can use tools that perform on-the-fly keyword monitoring to ensure that messages do not contain sensitive information.

Some businesses employ virus scanners to keep an eye on personal messaging, but Snyder warns that ‘most, if not all of these tools don’t handle Web-based e-mail very well. Instead, he says some of the free tools, like Snort, might be better suited to examine these packets. He adds that companies could force all outbound HTTP/HTTPS traffic through a proxy as a safeguard.

Flynn says organizations that can’t afford the risks associated with any kind of personal e-mail use should ban it altogether.

“The risk, in terms of lost business records, lost productivity and lost intellectual property far outweigh any argument anyone would give in terms of giving employees flexibility. There is just no reason for employees to have to access personal e-mail tools in the office,” she said.

Adapted from

Do you have a comment or question about this article or other small business topics in general? Speak out in the Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.