Carl Weinschenk spoke with Ed Macnair, CEO of e-mail security firm Marshal. A poll by the company in late October revealed that 48 percent of companies allow employees to use personal Webmail accounts.
Weinschenk: How big a corporate threat is Webmail?
Macnair: Most companies realize they have to secure corporate e-mail because of tremendous threats including viruses, confidential data leaving the organization, spam and so on. However, the big back door into most organizations is Webmail. It's kind of a hidden threat, really. Most organizations give employees access to the Web and think a URL filter is protecting their organization. The reality is that all a URL filter does is stop a person from going to certain Web sites. It doesn't protect organizations in any way, shape or form beyond that. Last year, the CSO of a large chemical company that makes household soap powder and other things like that came to us. One of its competitors had just launched a product like theirs within two months of their launch. This happened twice within a six-month time frame. He said, "This happening to me once is a coincidence, twice - absolutely no way at all. It takes a couple of years to develop these products." Besides monitoring e-mail traffic, we suggested monitoring Web access as well. They have a product bible - which has all the chemical makeup, how things are packaged and that sort of thing about a product all in one document. We put WebMarshal in place to monitor it and within a week we found out that two people were sending out confidential data to a competitor, one via Yahoo, one via Hotmail.
Weinschenk: It sounds like something that can be a big problem simply because the technologies of Webmail and corporate e-mail are so different, but the application - e-mail - is similar. Is that so?
Macnair: It's a big risk because corporate security people don't pay attention to it in general. Also, more employees are wise to the fact that companies are monitoring corporate e-mail. There are two ways of actually approaching this. The draconian way is to not let employees have access to Webmail. Some organizations choose to do that. It's quite hard to do because there are numerous free Webmail services available today. You have to play catch-up to find what is available and what people are using. The other way of thinking about this is my favored approach: Employees spend a heck of a lot of time at work every day and need to be able to communicate with friends and family and sometimes it's not acceptable to use corporate e-mail to do that. So we should really allow our employees to use Webmail. If we are going to do that, we are going to have to protect the organization and make sure they are not using confidential data and make sure they are protected against aggressive viruses and make sure the same standards that are in place to apply to the corporate e-mail system apply to employees' Webmail as well.
Weinschenk: Are the users ahead of IT in understanding the difference between Webmail and corporate e-mail?
Macnair: It is a whole new sub-frontier. Unfortunately, some employees do exploit it. A tremendous amount of porn is being distributed around organizations via e-mail today. They know not to do so by corporate e-mail so they do it by Webmail. There is a whole host of corporate e-mail security out there today. You read trade magazines and see the various names. However, in Webmail, it is a completely different proposition. This, along with corporate e-mail, is the area in which we play. There are many fewer companies providing Webmail security. You are dealing with different protocols; you are looking at HTTP traffic rather than SMTP traffic. When you are looking at corporate e-mail systems, you unpack the e-mail and run a whole load of tests against it. When you look at Web traffic, it is on port 80 or 443 so it's a completely different protocol. And there's no way to actually secure it. It's not an inherently secure protocol.