«
»

Discussion: Block Web Mail or Not?

One of the sessions I attended last week at ABA Techshow was one that was aimed at helping attorneys and legal staff handle their email better. Since this is something we are going to be trying to help people do, in an effort to cut down on the ridiculous amount of email we store, I went looking for ways to help explain handling email better.

As the session went along, one of the speakers recommended using a second, web-based, email account for non-essential stuff. That way you don’t have mailing lists, newsletter subscriptions, Google News alerts, or other non-essential email keeping you from finding what you need in your Outlook, or interrupting you with a new mail alert. (Although they suggested killing that too, in all fairness.)

Anyhow, that got me thinking. Lots of places block access to web based email as a matter of policy. I began to wonder if unblocking that would put a small dent in the amount of email that our users are storing, and handling? After all, I know there are mailing lists I would rather subscribe to in Gmail, but don’t because I can’t access it at work.  That means, at least in my case, there’s a significant amount of email being handled by our Exchange server, and having to be dealt with somehow, in my Outlook, as opposed to just being over in Gmail, and me looking at it occasionally.

Now, I know the common refrain is that web based email account are a security risk, but is the risk that large, and does blocking access to web mail really mitigate that risk in a significant way? For example, years ago people decided to block it because of the virus risks, but just about all major web mail services do anti-virus scans on any attachments, and even then,  your desktop AV product should scan any attachments when you try to open them. So, to my mind, blocking might decrease the chance of getting a virus attachment slightly compared to depending on these other tools, but doesn’t make that much of a difference.

Now I know that’s hardly the only concern, but it’s just an example. Anyway, what do you think? I know some of you guys block web mail, and I’m sure some of you don’t. I also know almost all of us are struggling with what to do with all that email coming into, and being stored on, our networks and mail servers, so I’m curious about what you all think? Would allowing access put a dent in that, or is it not worth the increased risk?

DeliciousLinkedInPinterestShare

This entry was posted on Monday, March 17th, 2008 at 3:55 pm and is filed under IT, Mike McBride. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

  • Acid Reign

    …..My company pretty much HAS to block web-based email, due to no AV product on individual desktops. They’re trying to control it all via policies and restricted user accounts. In a big company, you’ve got idiots that will click on that “naked pictures of Jennifer Love Hewitt.exe,” sent in an email. I think most sysadmins look at it as “giving them less rope.”

    …..I’d also think that keeping all communications though the company network going through the Exchange server would make searches/keeping tabs on people a lot easier, too.

  • Acid Reign

    …..My company pretty much HAS to block web-based email, due to no AV product on individual desktops. They’re trying to control it all via policies and restricted user accounts. In a big company, you’ve got idiots that will click on that “naked pictures of Jennifer Love Hewitt.exe,” sent in an email. I think most sysadmins look at it as “giving them less rope.”

    …..I’d also think that keeping all communications though the company network going through the Exchange server would make searches/keeping tabs on people a lot easier, too.

  • http://www.mikemcbrideonline.com/ Mike McBride

    On the flip side of that though, in theory it would make it easier to track what people are doing, but that also means when it comes time to find something, like in an e-discovery request, you have that much more crap (non-business related email) to deal with.

  • http://www.mikemcbrideonline.com/ Mike McBride

    On the flip side of that though, in theory it would make it easier to track what people are doing, but that also means when it comes time to find something, like in an e-discovery request, you have that much more crap (non-business related email) to deal with.

  • http://virtual.answerguy.com Jeff Yablon

    No answer to this one, folks. Large corporations (Big Brother-esque?) will do what they do, and to them it isn’t so much about blocking webmail as it is having a cohesive “not invented here” policy. Those of us (most of us here?) in the SMB or at-home spaces, on the other hand, don’t live tethered to Outlook, Lotus Notes, or whatever “they” say we “have to” use.

    Know your market . . . as is almost always the case, that’s the real story here . . .

    Jeff Yablon
    President & CEO
    PC-VIP/Virtual VIP
    Virtual VIP

  • http://virtual.answerguy.com Jeff Yablon

    No answer to this one, folks. Large corporations (Big Brother-esque?) will do what they do, and to them it isn’t so much about blocking webmail as it is having a cohesive “not invented here” policy. Those of us (most of us here?) in the SMB or at-home spaces, on the other hand, don’t live tethered to Outlook, Lotus Notes, or whatever “they” say we “have to” use.

    Know your market . . . as is almost always the case, that’s the real story here . . .

    Jeff Yablon
    President & CEO
    PC-VIP/Virtual VIP
    Virtual VIP

  • http://packetu.com Paul Stewart

    I don’t necessarily think that by allowing users access to webmail would reduce in our storage requirements. The way users use their mailbox is more of a user practice and that results in bloated storage requirements when they keep everything.

    In addition to the typical argument of AV not being under our control, I think there are other items that should be brought up and may be more relevant. For example by allowing users to access webmail servers, we may be in violation of certain regulation depending on the type of organization we are responsible for. Also, we may be allowing for users to easily steal our data (although there are many other avenues). Additionally, our users could funnel their contact and leads through their webmail account and thus have contacts after they leave the company. Another item is that end users don’t think about security. While the corporate infrastructure may have an email encryption appliance, the user may be bypassing the controls.

    I’m not pro big brother by any means. However, there are many items that should be considered when addressing the topic of webmail. The risk in any case should be brought up to the appropriate individuals in the organization and weighed against the benefit.

    Paul Stewart
    The Packet University

  • http://packetu.com Paul Stewart

    I don’t necessarily think that by allowing users access to webmail would reduce in our storage requirements. The way users use their mailbox is more of a user practice and that results in bloated storage requirements when they keep everything.

    In addition to the typical argument of AV not being under our control, I think there are other items that should be brought up and may be more relevant. For example by allowing users to access webmail servers, we may be in violation of certain regulation depending on the type of organization we are responsible for. Also, we may be allowing for users to easily steal our data (although there are many other avenues). Additionally, our users could funnel their contact and leads through their webmail account and thus have contacts after they leave the company. Another item is that end users don’t think about security. While the corporate infrastructure may have an email encryption appliance, the user may be bypassing the controls.

    I’m not pro big brother by any means. However, there are many items that should be considered when addressing the topic of webmail. The risk in any case should be brought up to the appropriate individuals in the organization and weighed against the benefit.

    Paul Stewart
    The Packet University

  • sean

    So my work blocks webmail and MSN Messenger. No biggie anymore. My iphone will do Hotmail and Gmail and uses the Fring app to allow me access to all of the chat applications. I personally think the policies of blocking portions or the web are completely out of touch with our new Web 2.0 business world.

  • http://www.georgestarcher.com georgestarcher

    Well most webmail and msn messenger are not being used for the business paying the person's paycheck. And in fact in a lot of situations create legal issues with communications retention, SOX, GLBA and other legislations. So unless your company specifically taps one of these web 2.0 services for business use it is understandable they block them.

  • Dave

    I use my IM almost exclusively for business contacts – making connections and getting information. With the company blocking IM I almost feel like I'm missing an arm. If it's a security risk, couldn't they just block the file transfer portion or something along those lines?

  • http://www.georgestarcher.com georgestarcher

    Because the makers of the instant messaging do no t make it easy to block just part of their service. Also depending on where you work your employer whom pays you may have legal obligations in dealing with its communications particularly if lawsuits come up. Using non owned systems such as public IM may present serious legal challenges for your employer. So it is way more complicated an issue than just blocking IM because it might allow malware into the company network though that is also a valid concern. There are technical solutions that can be very expensive that allow blocking file transfers etc but they can be complex to setup and manage.

  • Dave

    I use my IM almost exclusively for business contacts – making connections and getting information. With the company blocking IM I almost feel like I'm missing an arm. If it's a security risk, couldn't they just block the file transfer portion or something along those lines?

  • http://www.georgestarcher.com georgestarcher

    Because the makers of the instant messaging do no t make it easy to block just part of their service. Also depending on where you work your employer whom pays you may have legal obligations in dealing with its communications particularly if lawsuits come up. Using non owned systems such as public IM may present serious legal challenges for your employer. So it is way more complicated an issue than just blocking IM because it might allow malware into the company network though that is also a valid concern. There are technical solutions that can be very expensive that allow blocking file transfers etc but they can be complex to setup and manage.

  • Sophia

    Webmail is surely a huge risk, what's to stop someone attaching a confidential document or spreadsheet to a hotmail? My company uses BrowseControl from http://www.currentware.com to block all types of Webmail.

    Most of the employees now have internet on their phone and can check their personal email that way.