Security Manager's Journal: Auto-forwarded emails could be a huge problem
Our intellectual property and sensitive data have been leaving the relatively safe confines of our internal network without adequate security precautions, all because users find it convenient to get their company email in their personal webmail accounts
Computerworld - Recently, a bounce-back message from one of my company's internal email distribution lists led to a startling discovery: People are automatically forwarding their company email offsite to Gmail and other personal webmail services.
It all started when our marketing group set up a meeting using the marketing email distribution list in Outlook. One person then replied to all that she wouldn't be able to attend. She then received the bounce-back message -- from an outside email address. Because she assumed that the error meant there was a problem with our email system, she opened a help desk ticket.
Our email administrator tipped me off to the problem. How could an internal email message result in an error from an outside email service? There's only one explanation: The internal message had been forwarded to an outside email account.
In fact, the webmail service in question was experiencing an outage, resulting in error messages in response to every email sent to its customers.
The important questions for me were, "How did our internal email get outside, and does this sort of thing happen a lot?" The answer to the first question was in Microsoft Outlook, which lets users set up rules to manage email in various ways, including forwarding email to another inbox -- any inbox, in fact, with a valid SMTP email address.
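An added example, not from the column, of the kind of check a mail administrator could run over delivery logs to surface standing forwarding rules like the one described here. It assumes a constructed, simplified per-mailbox log format, a placeholder internal domain, and a hand-picked list of personal webmail domains.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumption: the company's own mail domain
# assumption: domains treated as personal webmail; tune to the environment
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed sample of per-mailbox delivery events, one per line:
#   <message-id> <sender> <mailbox that received it> <address it was finally delivered to>
# When the final delivery address differs from the mailbox, something redirected the message.
SAMPLE_LOG = """\
m101 alice@corp.example bob@corp.example bob@corp.example
m101 alice@corp.example carol@corp.example carol.personal@gmail.com
m102 dave@corp.example carol@corp.example carol.personal@gmail.com
m103 erin@corp.example carol@corp.example carol.personal@gmail.com
m104 bob@corp.example frank@corp.example frank@corp.example
m105 bob@corp.example frank@corp.example lawyer@partner.example
m106 vendor@partner.example alice@corp.example alice@corp.example
"""

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def parse_log(text):
    """Split the constructed log into event dicts; malformed lines are skipped."""
    fields = ("msg_id", "sender", "mailbox", "delivered_to")
    return [dict(zip(fields, p)) for p in (ln.split() for ln in text.splitlines()) if len(p) == 4]

def external_forwards(events, internal=INTERNAL_DOMAIN):
    """Map (internal mailbox, external address) -> set of message ids that left the network that way."""
    seen = defaultdict(set)
    for e in events:
        if domain(e["mailbox"]) == internal and domain(e["delivered_to"]) != internal:
            seen[(e["mailbox"], e["delivered_to"].lower())].add(e["msg_id"])
    return seen

def suspected_rules(events, min_messages=2):
    """Return (mailbox, destination, message count, is_personal_webmail), busiest first.
    Several distinct messages from one mailbox landing at the same external address is the
    signature of a standing forwarding rule rather than a one-off manual forward."""
    out = []
    for (mbx, dest), ids in external_forwards(events).items():
        if len(ids) >= min_messages:
            out.append((mbx, dest, len(ids), domain(dest) in PERSONAL_WEBMAIL))
    return sorted(out, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for mbx, dest, n, personal in suspected_rules(parse_log(SAMPLE_LOG)):
        tag = "personal webmail" if personal else "other external"
        print(f"{mbx} -> {dest}: {n} messages ({tag})")
```

A single forward to a partner domain (frank's case in the sample) is reported only when the threshold is lowered, which keeps the review focused on repeat destinations first.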
The culprit in this case was the manager of the marketing group. I explained to her that our security policy prohibits internal company data from being sent outside our network without appropriate security. Her position was that her job required her to keep in touch 24 hours a day, so she found it convenient to get her email in more than one place. She tried to make a case for the importance of mixing personal and business systems, claiming that we all lead what she calls "blended lives" -- meaning that our professional and personal time are mixed together. We take calls from our kids during the workday, make appointments with our dentists, hairdressers and mechanics, and we take calls at night from our management or support staff.
As someone whose workday sometimes seems endless, I have some sympathy for what she was saying, but her argument didn't change my stance. I'm responsible for protecting our data and intellectual property. Auto-forwarding rules simply do not allow appropriate protection of information. There are other ways to get company email, including Outlook Web Access and VPN, which are useful for people who are traveling or working from home. I think the only reason our marketing colleague was trying to use webmail was that she is more comfortable with that service than with the services my company provides. But personal comfort can't always override security.
By J.F. Rice