Recently the IT section of our company asked employees to stop using their freemail (gmail, hotmail, yahoo etc.) email accounts from work, for ‘security’ reasons.
Why are freemail accounts considered a security problem?
They’re not on the company servers and can’t be viewed by IT personnel. Also (WAG), not being behind the company firewall, more risk of viral infection.
As my old IT people explained to me, it’s because they can’t control your webmail account. If you download something, you risk introducing a virus into their system, which causes a lot of problems. You may not do this, but they’re not worried about you. They’re worried about the twit from accounting, who can’t understand why her computer locks up every time she downloads that inspirational screen saver her friend sends her.
The other reason is because some employers have policies against things like online fantasy sports leagues and managing outside businesses on company time or company property. A former employer filtered out many of these from their networks, forcing participants to do it on their own time and on their own computers. (This same employer also banned personal laptops from company property, which guaranteed that none of this could happen during the workday.) And, of course, you can use a webmail account to smuggle out intellectual property and confidential information, which you may not be able to do from your company e-mail account. In fact, another former employer of mine would flag messages containing certain kinds of files, and employees would have to justify why they should be able to send them from work, and attempts to send attachments from my personal e-mail to my work e-mail would bounce altogether.
The risk of virus infection is a red herring. Google, yahoo, hotmail, all run antivirus at the server level. Even if they didn’t, local antivirus software should be sufficient.
The real issue, as both MsRobyn and runner pat have said, is that the third party mail sites are outside of IT’s control.
Trust me on this - we don’t care about your email. Unless your company’s IT department is overstaffed, they have more than enough real work to do than to snoop on someone’s ramblings on Gmail.
We do care about what can come in and out through web-based email. Our last wide-spread worm infection was tracked down to someone who opened an attachment in their web-based personal mail. The major providers have stepped up their antivirus protections, but not all that long ago, webmail was not scanned by the providers. Also, as MsRobyn said, it’s easy enough for someone to take a customer list, rename it to something innocent-sounding like “Mom’s Cookie Recipe.doc” and sneak it out on webmail, bypassing the data leakage protections on the corporate email system that would read that “recipe,” find account numbers and prevent it from going out.
The OP is lucky that their IT department is only asking people to refrain from using webmail. At my employer, webmail is banned and the ban is enforced by making it impossible to access the popular webmail systems - their URLs are blocked.
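The content check described in the post above, as an added example that is not part of the original thread: the attachment is judged by what it contains, so an innocent file name changes nothing. It assumes "account numbers" means 13 to 19 digit card-style numbers with a Luhn check digit; the threshold, addresses and sample texts are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: account numbers are 13-19 digits, optionally grouped by spaces or dashes.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed samples. The numbers are published test values, not real accounts.
LEAK_TEXT = ("Smith, A: 4111 1111 1111 1111\n"
             "Jones, B: 5555-5555-5555-4444\n"
             "Lee, C: 4012888888881881\n")
RECIPE_TEXT = "2 cups flour, bake at 350 for 12 minutes\n"

def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_account_numbers(text: str) -> int:
    """Count distinct digit runs that look like account numbers and pass Luhn."""
    hits = set()
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.add(digits)
    return len(hits)

def outbound_verdict(raw: bytes, threshold: int = 3) -> dict:
    """Map each attachment name to 'block' or 'allow' based on content only."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdict = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found = count_account_numbers(data.decode("utf-8", errors="replace"))
        verdict[part.get_filename()] = "block" if found >= threshold else "allow"
    return verdict

def build_sample(filename: str, body: str) -> bytes:
    """Constructed outbound message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "user@corp.example", "someone@freemail.example"
    m["Subject"] = "recipe"
    m.set_content("see attached")
    m.add_attachment(body.encode(), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A real .doc is a binary format, so a production filter extracts the text first; the sample here uses plain text to keep the check visible.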
Just use your smart phone if you can’t use the company’s computer or your own personal laptop to access your freemail. I’m glad my employer isn’t so strict!
As I understand it, aside from the aforementioned virus and malware risk, there is the fact that many users use email as their replacement for a thumb drive—to take work home (or send it home in this case). Free and clear over the wide wooly Internet.
Some months back I found myself handling some very sensitive documents at work that contained proprietary knowledge distilled down from many millions of dollars worth of research. I was afraid to email these to our external collaborators without using hard encryption. Do you think any of the scientists involved in this work would give it a second thought?
Let me put it a different way—I am using my new iPad to type this. This device was described only in vague rumors up to the point that Steve showed it off. What would have happened to that legendary secrecy if Apple employees were to send their work home via their Yahoo and Gmail accounts?
ETA: ataraxy22, I love my iPhone! I use it for my personal email and quick peeks at SDMB links that might not be kosher.
The last time we got a virus at work that brought down a whole large library system for weeks - no catalogs, no computers for any patrons, etc. - it was something somebody downloaded from their Yahoo mail.
It’s also to keep the company’s business in the company. If you kept your documents in webmail you’d now have access to them if they fired you.
I used to be the systems admin for a large downtown Chicago hotel and I always thought, well if someone’s gonna take something, they’ll do it anyway. But the thing is most people do not. We had a rule, give your notice and get booted out of the system. You don’t know how many sales people etc, came begging to me. “Please let me get my info.”
You’d think they’d move all the stuff out BEFORE quitting, but they usually didn’t.
We had a keystroke logger but we never used it. At least at the local level. Perhaps corporate had another one.
Yahoo Messenger was extremely unsecure and it used to be easy to tap into. But that was back in the early 00s. I’m sure it’s not like that anymore. Besides, most people have cellphones to text messages.
I worked at a temp agency and a lot of companies are solving this type of problem by only allowing access to the Internet through a portal. If your site’s not approved you can’t go there or you have to call the system admin to enter the site as whitelisted.
So this means there’s no antivirus on the workstations? That sounds like the problem to me, not the web mail.
People can download infected files from their in-house mail client just as easily as they can from web mail. The only difference is that gmail scans attachments and your in-house mail server might not.
I’m happy to be proven wrong, but I think the squawking about web based mail being a security threat (viruses, bots, trojan horses, etc.) is baloney.
I have known of cases of viruses getting past antivirus. Specifically, the fake antivirus that’s been going around has got past an up-to-date version of McAfee on a computer here at work.
I don’t think that free email accounts are, by definition, a higher virus risk, but consider the following:
- Corporate IT has control over in-house email scanning, regardless of how deep.
- Corporate IT has total control over spam filtering rules, blacklists/whitelists
- External email can be a time waster (same reason they block Facebook)
- External email is not retained, while often every scrap of internal email is held on to for legal reasons.
- External email accounts are easier to compromise (a bad dude probably will not hack you@yourcompany.com, but you@gmail.com is a different story)
- Freemail is a common route for disseminating confidential information without proper security. Corporate IT can set up secure channels with partners and vendors; freemail doesn’t have this.
And on and on. I think it’s more about control than inherent virus risk.
email I received at work just last week:
I would say the problem is more security-related than a product of some Orwellian desire to monitor internet & network activity.
The threat of zero-day exploits that are not caught by virus scanners always exists. No virus protection is 100% effective, and cutting off “freemail” is one way to close a potential, though slim, window for infection. I don’t deem it necessary at my office, although even one of our developers managed to kill his machine with a virus despite our corporate anti-virus system.
ETA: And, of course, what others said after the post I responded to.
Ok, maybe I’m missing something, but how is the risk of getting viruses downloaded from third party web mail any greater than getting viruses downloaded from a local mail client? In most cases, I’d wager that the risk is actually less.
And I find Inigo Montoya’s post fascinating. So some schlub downloaded a file, double clicked the executable, and it wreaked havoc… and their conclusion is that the problem is webmail? I’m stunned.
It was another line of Inigo Montoya’s post that leapt out at me. “883 workstations had to be replaced to ensure system integrity.” Replaced? They replaced 888 machines to deal with a virus? That doesn’t seem economically reasonable.
On the systems I help design for large corporate/govt customers, the time to flatten and rebuild a compromised workstation or stick a replacement system on a desk is minimal (30 minutes engineer time max), as compared with an onsite visit and antivirus removal. Removed systems will be flattened, reinstalled, and recycled as replacements.
Webmail systems are far less restrictive than corporate systems - a good mail preprocessor will probably strip zip files, any form of executable, and maybe odd URLs as well, all things that webmail systems will not do. And Webmail accounts are more likely to be the target of zero-day exploits that antivirus systems may not detect.
Si
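A minimal version of the mail preprocessor described in the post above, as an added example that is not part of the original thread: it strips zip and executable attachments by file extension and also by leading magic bytes, so a renamed file is still caught. The extension list, addresses and sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists for this sketch; a real gateway's lists are longer.
BLOCKED_EXT = (".zip", ".exe", ".scr", ".com", ".bat", ".js", ".vbs")
MAGIC = {b"PK\x03\x04": "zip content",        # also matches .docx/.xlsx containers
         b"MZ": "executable content",         # Windows PE
         b"\x7fELF": "executable content"}    # Linux ELF

def risky_reason(part):
    """Return why an attachment should be stripped, or None to keep it."""
    name = (part.get_filename() or "").lower()
    if name.endswith(BLOCKED_EXT):
        return "blocked extension"
    data = part.get_payload(decode=True) or b""
    for magic, reason in MAGIC.items():
        if data.startswith(magic):  # content check is not fooled by a rename
            return reason
    return None

def strip_risky(raw: bytes):
    """Drop risky top-level attachments; return (cleaned bytes, removed list)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed, kept = [], []
    if not msg.is_multipart():
        return raw, removed
    for part in msg.get_payload():
        reason = risky_reason(part) if part.is_attachment() else None
        if reason:
            removed.append((part.get_filename(), reason))
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg.as_bytes(), removed

def constructed_message() -> bytes:
    """Constructed sample: a harmless note, a zip, and a renamed executable."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@freemail.example", "b@corp.example", "files"
    m.set_content("three attachments")
    for name, data in [("notes.txt", b"meeting at 10"),
                       ("tools.zip", b"PK\x03\x04" + b"\x00" * 8),
                       ("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 8)]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

Only top-level attachments are examined here; a production filter would also recurse into nested multipart parts and unpack Office documents instead of dropping every zip container.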
There is also ‘control’ over the account, but in a good way.
If someone is using webmail to conduct legitimate business and there is a problem with the account, the IT people are powerless to help them.
Suppose Google or Yahoo decide you are a spammer and lock you out of your account.
That’s it. It’s between you and them and good luck even getting them to respond.
On an in-house system, the IT people can deal with the problem.
I wonder whether most of that $119,000 was really things like the salaries of IT people who would have been paid anyway and the value of equipment that the company already owned. I am skeptical that the company’s bank account is actually $119,000 less than it would have otherwise been as a result of this incident (but I’m just guessing, of course).
I’m certain of it. Of course, 1743 hours works out to 218 work days, or 44 employees full time for a full week. I’m pretty sure the IT department isn’t so overstaffed that they were able to handle this without impacting the run of the mill routine significantly.