[Infowarrior] - Firms Fret as Office E-Mail Jumps Security Walls

Richard Forno rforno at infowarrior.org
Wed Jan 10 22:31:28 EST 2007


January 11, 2007
Firms Fret as Office E-Mail Jumps Security Walls
By BRAD STONE
http://www.nytimes.com/2007/01/11/technology/11email.html?ei=5094&en=e91f4d25007d7c7a&hp=&ex=1168491600&partner=homepage&pagewanted=print

SAN FRANCISCO, Jan. 10 -- Companies spend millions on systems to keep
corporate e-mail safe. If only their employees were as paranoid.

A growing number of Internet-literate workers are forwarding their office
e-mail to free Web-accessible personal accounts offered by Google, Yahoo and
other companies. Their employers, who envision corporate secrets leaking
through the back door of otherwise well-protected computer networks, are not
pleased.

"It's a hole you can drive an 18-wheeler through," said Paul D. Myer,
president of the security firm 8E6 Technologies in Orange, Calif.

It is a battle of best intentions: productivity and convenience pitted
against security and more than a little anxiety.

Corporate techies -- who, after all, are paid to worry -- want strict control
over internal company communications and fear that forwarding e-mail might
expose proprietary secrets to prying eyes. Employees just want to get to
their mail quickly, wherever they are, without leaping through too many
security hoops.

Corporate networks, which typically have several layers of defenses against
hackers, can require special software and multiple passwords for access.
Some companies use systems that give employees a security code that changes
every 60 seconds; this must be read from the display screen of a small card
and typed quickly.

That is too much for some employees, especially when their computers can
store the passwords for their Web-based mail, allowing them to get right
down to business.

So far, no major corporate disasters caused by this kind of e-mail
forwarding have come to light. But security experts say the risks are real.
For example, the flimsier security defenses of Web mail systems could allow
viruses or spyware to get through, and employees could unwittingly download
them at the office and infect the corporate network.

Also, because messages sent from Web-based accounts do not pass through the
corporate mail system, companies could run afoul of federal laws that
require them to archive corporate mail and turn it over during litigation.

Lawyers in particular wring their hands over employees using outside e-mail
services. They encourage companies to keep messages for as long as necessary
and then erase them to keep them out of the reach of legal foes. Companies
have no control over the life span of e-mail messages in employees' Web
accounts.

"If employees are just forwarding to their Web e-mail, we have no way to
know what they are doing on the other end," said Joe Fantuzzi, chief
executive of the information security firm Workshare. "They could do
anything they want. They could be giving secrets to the K.G.B."

Hospitals have an added legal obligation to protect patient records. But
when DeKalb Medical Center in Atlanta started monitoring its staff use of
Web-based e-mail, it found that doctors and nurses routinely forwarded
confidential medical records to their personal Web mail accounts -- not for
nefarious purposes, but so they could continue to work from home.

In the months after the hospital began monitoring traffic to Web e-mail
services, it identified "a couple hundred incidents," said Sharon Finney,
DeKalb's information security administrator. "I was surprised about the lack
of literacy about the technology we depend on every day," she said.

DeKalb now forbids the practice, and uses several software systems that
monitor the hospital's outbound e-mail and Web traffic. Ms. Finney said she
still catches four to five perpetrators a month trying to forward hospital
e-mail.

The Web mail services may also be prone to glitches. Last month, Google
fixed a bug that caused the disappearance of "some or all" of the stored
mail of around 60 users. A week later, it acknowledged a security hole that
could have exposed its users' address books to Internet attackers.

Even the security experts most knowledgeable about the risks of e-mail
forwarding to personal accounts acknowledge doing so themselves.

"Of course I do it; who doesn't?" said Kimberly Getgen Bargero, vice
president for marketing at Sendmail, an e-mail software company in
Emeryville, Calif. Ms. Bargero said she often used her Yahoo Mail account on
business trips so she does not have to access her corporate network
remotely.

It is difficult to quantify exactly how many otherwise model employees are
opting to use services like Yahoo Mail or Google's Gmail over their
company's authorized e-mail programs. Sophisticated users at the companies
most lax about e-mail security can automatically forward all of their work
e-mail to their personal accounts, hopscotching over the various requests
for passwords meant to ward off intruders.

The more casual e-mail scofflaws send only the occasional message to their
personal accounts -- or just "cc" messages to their Web in-boxes to preserve
them for later use -- even when the messages contain sensitive company
information.

Some companies frown on office use of any Web-based accounts, even for
personal messages. At the business software maker BEA Systems, Anthony
Bisulca, a senior security analyst, estimated that around 30 percent of his
employees were using private e-mail accounts in the office, even though the
company's Internet policy clearly prohibits it.

But it is not easy to wean people off of their online mailboxes. "Of course
they scream," said Todd Wilson, an operations manager at the Bloomberg
School of Public Health at Johns Hopkins University. "They look at me like I
have three heads."

Mr. Wilson said that the use of the Web services had become a "huge
concern," partly because copies of the forwarded messages sit untouched on
the school's servers, taking up space.

Many corporate technology professionals express the fear that Google and its
rivals may actually own the intellectual property in the e-mail that resides
on their systems. Gmail's terms of service, however, state that e-mail
belongs to the user, not to Google. The company's automated software does
scan messages in Gmail, looking for keywords that might generate related
text advertisements on the page. A Google spokeswoman said the company has
an extensive privacy policy to ensure no humans at Google read user e-mail.

Paul Kocher, president of the security firm Cryptography Research, said the
real issue for companies was trust. "If you can't trust employees enough to
use services like Gmail, they probably shouldn't be working for you," he
said.

Many companies apparently do not have that level of trust. In a survey
conducted last year, the e-mail security firm Proofpoint found that 37
percent of companies in the United States used software to monitor office
use of Web mail.

The Internet companies themselves are looking to take advantage of consumer
preferences for Web based e-mail services. This year, Google plans to
introduce a more secure version of Gmail for use in large companies.

But Microsoft and other providers of traditional internal e-mail systems,
which the research firm Radicati says generated $2.5 billion in sales last
year, are helping companies combat employee use of the Web services.

The new version of Microsoft's corporate e-mail service, Exchange Server,
offers administrators improved tools to monitor the content of employee mail
and block forwarded messages.

At the same time, upgrades to Exchange and Microsoft's e-mail program
Outlook have made it easier for traveling employees to access e-mail on the
corporate network from a Web browser. Microsoft also recently began urging
corporate technology departments to give employees more storage space in
their e-mail accounts.

But the Web services are improving as well, and employees will no doubt
continue to find them tempting.

"We have as high a security standard as any company," said Ms. Bargero of
Sendmail, "and sometimes it is just too difficult to access our e-mail."



