Discussion: Block Web Mail or Not?
One of the sessions I attended last week at ABA Techshow was one that was aimed at helping attorneys and legal staff handle their email better. Since this is something we are going to be trying to help people do, in an effort to cut down on the ridiculous amount of email we store, I went looking for ways to help explain handling email better.
As the session went along, one of the speakers recommended using a second, web-based, email account for non-essential stuff. That way you don’t have mailing lists, newsletter subscriptions, Google News alerts, or other non-essential email keeping you from finding what you need in your Outlook, or interrupting you with a new mail alert. (Although they suggested killing that too, in all fairness.)
Anyhow, that got me thinking. Lots of places block access to web based email as a matter of policy. I began to wonder if unblocking that would put a small dent in the amount of email that our users are storing, and handling? After all, I know there are mailing lists I would rather subscribe to in Gmail, but don’t because I can’t access it at work. That means, at least in my case, there’s a significant amount of email being handled by our Exchange server, and having to be dealt with somehow, in my Outlook, as opposed to just being over in Gmail, and me looking at it occasionally.
Now, I know the common refrain is that web based email account are a security risk, but is the risk that large, and does blocking access to web mail really mitigate that risk in a significant way? For example, years ago people decided to block it because of the virus risks, but just about all major web mail services do anti-virus scans on any attachments, and even then, your desktop AV product should scan any attachments when you try to open them. So, to my mind, blocking might decrease the chance of getting a virus attachment slightly compared to depending on these other tools, but doesn’t make that much of a difference.
Now I know that’s hardly the only concern, but it’s just an example. Anyway, what do you think? I know some of you guys block web mail, and I’m sure some of you don’t. I also know almost all of us are struggling with what to do with all that email coming into, and being stored on, our networks and mail servers, so I’m curious about what you all think? Would allowing access put a dent in that, or is it not worth the increased risk?
March 17th, 2008 at 4:41 pm
…..My company pretty much HAS to block web-based email, due to no AV product on individual desktops. They’re trying to control it all via policies and restricted user accounts. In a big company, you’ve got idiots that will click on that “naked pictures of Jennifer Love Hewitt.exe,” sent in an email. I think most sysadmins look at it as “giving them less rope.”
…..I’d also think that keeping all communications though the company network going through the Exchange server would make searches/keeping tabs on people a lot easier, too.
March 17th, 2008 at 4:50 pm
On the flip side of that though, in theory it would make it easier to track what people are doing, but that also means when it comes time to find something, like in an e-discovery request, you have that much more crap (non-business related email) to deal with.
March 18th, 2008 at 5:40 am
No answer to this one, folks. Large corporations (Big Brother-esque?) will do what they do, and to them it isn’t so much about blocking webmail as it is having a cohesive “not invented here” policy. Those of us (most of us here?) in the SMB or at-home spaces, on the other hand, don’t live tethered to Outlook, Lotus Notes, or whatever “they” say we “have to” use.
Know your market . . . as is almost always the case, that’s the real story here . . .
Jeff Yablon
President & CEO
PC-VIP/Virtual VIP
Virtual VIP
March 23rd, 2008 at 4:30 am
I don’t necessarily think that by allowing users access to webmail would reduce in our storage requirements. The way users use their mailbox is more of a user practice and that results in bloated storage requirements when they keep everything.
In addition to the typical argument of AV not being under our control, I think there are other items that should be brought up and may be more relevant. For example by allowing users to access webmail servers, we may be in violation of certain regulation depending on the type of organization we are responsible for. Also, we may be allowing for users to easily steal our data (although there are many other avenues). Additionally, our users could funnel their contact and leads through their webmail account and thus have contacts after they leave the company. Another item is that end users don’t think about security. While the corporate infrastructure may have an email encryption appliance, the user may be bypassing the controls.
I’m not pro big brother by any means. However, there are many items that should be considered when addressing the topic of webmail. The risk in any case should be brought up to the appropriate individuals in the organization and weighed against the benefit.
Paul Stewart
The Packet University