Skip the navigation

Security Manager's Journal: Auto-forwarded emails could be a huge problem

Our intellectual property and sensitive data have been leaving the relatively safe confines of our internal network without adequate security precautions, all because users find it convenient to get their company email in their personal webmail accounts

By J.F. Rice
July 8, 2013 08:23 AM ET

Computerworld - Recently, a bounce-back message from one of my company's internal email distribution lists led to a startling discovery: People are automatically forwarding their company email offsite to Gmail and other personal webmail services.

It all started when our marketing group set up a meeting using the marketing email distribution list in Outlook. One person then replied to all that she wouldn't be able to attend. She then received the bounce-back message -- from an outside email address. Because she assumed that the error meant there was a problem with our email system, she opened a help desk ticket.

Our email administrator tipped me off to the problem. How could an internal email message result in an error from an outside email service? There's only one explanation: The internal message had been forwarded to an outside email account.

In fact, the webmail service in question was experiencing an outage, resulting in error messages in response to every email sent to its customers.

The important questions for me were, "How did our internal email get outside, and does this sort of thing happen a lot?" The answer to the first question was in Microsoft Outlook, which lets users set up rules to manage email in various ways, including forwarding email to another inbox -- any inbox, in fact, with a valid SMTP email address.

The guilty culprit in this case was the manager of the marketing group. I explained to her that our security policy prohibits internal company data from being sent outside our network, without appropriate security. Her position was that her job required her to keep in touch 24 hours a day, so she found it convenient to get her email in more than one place. She tried to make a case for the importance of mixing personal and business systems, claiming that we all lead what she calls "blended lives" -- meaning that our professional and personal time are mixed together. We take calls from our kids during the workday, make appointments with our dentists, hairdressers and mechanics, and we take calls at night from our management or support staff.

As someone whose workday sometimes seems endless, I have some sympathy for what she was saying, but her argument didn't change my stance. I'm responsible for protecting our data and intellectual property. Auto-forwarding rules just do not allow appropriate protection of information. There are other ways to get company email,includingOutlook Web Access and VPN, which are useful for people who are traveling or working from home. I think the only reason our marketing colleague was trying to use webmail was that she is more comfortable with that service than with the services my company provides. But personal comfort can't always override security.



Our Commenting Policies