Reducing the Risk of Un-managed Email Accounts
Recent events have exposed a risk that many organizations are not well versed in: the use of personal web or mobile email accounts on the corporate network. These email accounts are often used in the ordinary course of the day without proper attention to the risk. Fortunately, the remedy is not onerous. Start by asking: do these unmanaged accounts have the same policies and safeguards that your corporate accounts do? Likely they do not.
Unmanaged accounts do not have policy-driven security controls. As a result, they do not pass through corporate email gateways, where security controls such as anti-phishing, malicious content removal, and data compliance checks are in effect. With unmanaged accounts you get only the blanket security capabilities the email provider applies to everyone, not controls tailored to your organization.
In addition, unmanaged accounts cannot enforce corporate policies on data retention. How can the organization manage email stored on a third-party system with which the organization has no business relationship? What if you need to initiate a litigation hold to collect, preserve, and produce emails that are relevant to corporate events, but do not have the direct authority to do so? Of particular concern is corporate email content that may be accidentally stored on servers outside the corporate jurisdiction.
Finally, unmanaged accounts potentially expose the organization to the risk of inappropriate and/or harmful content.
Despite all the potential risks, there are benefits to empowering users to access their unmanaged accounts. Such benefits are well documented and include employee satisfaction, reduced time off for scheduling conflicts, improved performance and efficiency, and lower personnel anxiety.
Fortunately, by implementing some network design discipline and applying appropriate security controls, organizations can have the best of both worlds: reduced risk and enhanced employee productivity and satisfaction.
Step One: Create a secured bring your own device (BYOD) network for employee use. This is a network separate from both your guest network and your corporate networks, since it will have different controls, and network segregation reduces risk. The network should be secured and authenticated, not open like a guest network, so that a user's access can be deactivated if they leave the organization.
Step Two: Inform employees of your policy and the reasons why you are creating a BYOD network for personal use. Note that not all organizations have this flexibility, but share with your employees the benefit of a BYOD network separate from the guest network, and your expectations of them: infrastructure shared across the community, a place to conduct personal activities while in the office, and the expectation that such use will not be excessive or contrary to their commitment to the company.
Step Three: Specify what you expect the BYOD network usage to be, e.g. connecting mobile devices for streaming music, texting with family members, and personal email, or conducting quick personal transactions. Explain that this is not an unlimited resource: bandwidth on this network will be limited to provide a reasonable level of performance while ensuring the network is not abused.
By implementing this architecture and these security controls you can: (1) reroute corporate email so it flows over the correct network; (2) run web security solutions to ensure malicious content does not enter the infrastructure from personal devices; and (3) run data loss prevention tools to verify that corporate policies are being adhered to.
For more information on securing web e-mail, visit: http://www.websense.com/content/triton-ap-web.aspx
"Email" photo credit: https://www.flickr.com/photos/melenita/