Top Security News

Insider Threats
Organizations in many ways contribute to the actions of their employees, whether by not wanting to lose a star player who sometimes does things they shouldn't, or by not monitoring who is accessing what and whether those accesses are in the performance of their job duties.

Computer Security Still Damaged By Social Engineering
Interesting article out of CIO magazine about Vista, and that while it is a highly secure operating system, with some neat things it can do, it still is not invulnerable to those programs that require social engineering to get the user to do something. For as long as there..

Collaborative Information Security Next?
Has anyone ever been on the phone with a client after the job, where the client wants more information, needs a copy of the report, or just wants to spend some time discussing the implications of the report that the company generated for them? The files are...

EBay Launches Web Smart Guide For Safety
According to a recent survey, a lot of Australians feel the online world is becoming a safer place to shop - 76 percent, to be exact. A significant portion - 58 percent - "did not think the industry was doing enough to educate people about security online," though. eBay is trying...

RSS Exposes Users to Attack
ZDNet reports from the Black Hat conference in Las Vegas that security experts are increasingly concerned about the potential for malicious attacks perpetrated through web feeds. SPI Dynamics examined a number of online and offline applications used to read RSS...


01.16.07


Corporate Email Wanders

By Dan Morrill

Technewsworld is running a story on company personnel who forward company e-mail to their MSN, Google, Yahoo, or other hosted e-mail accounts.

So after spending all that money to secure your corporate e-mail systems, users, as always, have found a way around it, and it's not new.

Users are really clever when it comes to circumventing security controls. We would not keep piling on security controls if users could just work with the controls that are already in place. But forwarding tidbits, or even hostile e-mails, to your home account is a time-honored tradition that all users really do; they do it a lot, and probably some security folks are also guilty of the same thing. It is a way to back up whatever you think the issue is going to be in the future, because you just never know. Or, if it is lights out and the company is down, using personal e-mail from home is a way to keep getting work done: send it from your home account to your receiver, and just CC your work address on it.

The following point, though, is the most interesting:

"Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of U.S. laws that require them to archive corporate mail and turn it over during litigation. Lawyers in particular wring their hands over employees' using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them. Companies have no control over the life span of e-mail in employees' Web accounts." (Technewsworld)

Corporate intellectual property also falls under some uncertainty when it comes to outside e-mail services:

"Many corporate technology specialists express the fear that Google and its rivals may actually own the intellectual property in the e-mail that resides on their systems. Gmail's terms of service state that e-mail belongs to the user, not to Google. Its automated software does scan messages in Gmail, looking for keywords that might generate related text advertisements on the page. A spokesperson for Google said it had an extensive privacy policy to ensure that no humans at Google read user e-mail." (Technewsworld)

Not only do we have a discovery problem, but we also have an intellectual property problem along the way. Once lawyers have checked the send box, or the headers of the e-mails, those personal accounts also become discoverable, and users have to worry about turning over control of their personal e-mail boxes as well as the corporate e-mail boxes. This is an additional hurdle not just for the company, but for the hosted e-mail systems as well as the user who uses those hosted e-mail systems.

It will be interesting to see how these problems get addressed in the courts, and how those hosted e-mail systems might just prove to be the issue of the day. Where does ownership of corporate e-mail end, and under what conditions does liability end for the company along the way?

The best solution is probably not to have people use their external e-mail systems to host corporate data, but end users will do what they think they need to do to do their jobs, or to cover their butt in case something they are working on goes south. It's worth finding out why people do this at the office, and it is something that should be governed by corporate policy.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

About EnterpriseSecurityNews
Security news and updates for your enterprise


-- EnterpriseSecurityNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2007 iEntry, Inc. All Rights Reserved
