By BRAD STONE
January 11, 2007
SAN FRANCISCO, Jan. 10 -- Companies spend millions on systems to keep
corporate e-mail safe. If only their employees were as paranoid.
A growing number of Internet-literate workers are forwarding their
office e-mail to free Web-accessible personal accounts offered by
Google, Yahoo and other companies. Their employers, who envision
corporate secrets leaking through the back door of otherwise
well-protected computer networks, are not pleased.
"It's a hole you can drive an 18-wheeler through," said Paul D. Myer,
president of the security firm 8E6 Technologies in Orange, Calif.
It is a battle of best intentions: productivity and convenience pitted
against security and more than a little anxiety.
Corporate techies, who, after all, are paid to worry, want strict control
over internal company communications and fear that forwarding e-mail
might expose proprietary secrets to prying eyes. Employees just want to
get to their mail quickly, wherever they are, without leaping through
too many security hoops.
Corporate networks, which typically have several layers of defenses
against hackers, can require special software and multiple passwords for
access. Some companies use systems that give employees a security code
that changes every 60 seconds; this must be read from the display screen
of a small card and typed quickly.
That is too much for some employees, especially when their computers can
store the passwords for their Web-based mail, allowing them to get right
down to business.
So far, no major corporate disasters caused by this kind of e-mail
forwarding have come to light. But security experts say the risks are
real. For example, the flimsier security defenses of Web mail systems
could allow viruses or spyware to get through, and employees could
unwittingly download them at the office and infect the corporate
Also, because messages sent from Web-based accounts do not pass through
the corporate mail system, companies could run afoul of federal laws
that require them to archive corporate mail and turn it over during
Lawyers in particular wring their hands over employees using outside
e-mail services. They encourage companies to keep messages for as long
as necessary and then erase them to keep them out of the reach of legal
foes. Companies have no control over the life span of e-mail messages in
employees' Web accounts.
"If employees are just forwarding to their Web e-mail, we have no way to
know what they are doing on the other end," said Joe Fantuzzi, chief
executive of the information security firm Workshare. "They could do
anything they want. They could be giving secrets to the K.G.B."
Hospitals have an added legal obligation to protect patient records. But
when DeKalb Medical Center in Atlanta started monitoring its staff's use
of Web-based e-mail, it found that doctors and nurses routinely
forwarded confidential medical records to their personal Web mail
accounts, not for nefarious purposes, but so they could continue to work
In the months after the hospital began monitoring traffic to Web e-mail
services, it identified a couple hundred incidents, said Sharon Finney,
DeKalb's information security administrator. "I was surprised about the
lack of literacy about the technology we depend on every day," she said.
DeKalb now forbids the practice, and uses several software systems that
monitor the hospital's outbound e-mail and Web traffic. Ms. Finney said
she still catches four to five perpetrators a month trying to forward
The Web mail services may also be prone to glitches. Last month, Google
fixed a bug that caused the disappearance of some or all of the stored
mail of around 60 users. A week later, it acknowledged a security hole
that could have exposed its users' address books to Internet attackers.
Even the security experts most knowledgeable about the risks of e-mail
forwarding to personal accounts acknowledge doing so themselves.
"Of course I do it; who doesn't?" said Kimberly Getgen Bargero, vice
president for marketing at Sendmail, an e-mail software company in
Emeryville, Calif. Ms. Bargero said she often used her Yahoo Mail
account on business trips so she does not have to access her corporate
It is difficult to quantify exactly how many otherwise model employees
are opting to use services like Yahoo Mail or Google's Gmail over their
company's authorized e-mail programs. Sophisticated users at the
companies most lax about e-mail security can automatically forward all
of their work e-mail to their personal accounts, hopscotching over the
various requests for passwords meant to ward off intruders.
The more casual e-mail scofflaws send only the occasional message to
their personal accounts or just cc messages to their Web in-boxes to
preserve them for later use even when the messages contain sensitive
Some companies frown on office use of any Web-based accounts, even for
personal messages. At the business software maker BEA Systems, Anthony
Bisulca, a senior security analyst, estimated that around 30 percent of
his employees were using private e-mail accounts in the office, even
though the company's Internet policy clearly prohibits it.
But it is not easy to wean people off of their online mailboxes. "Of
course they scream," said Todd Wilson, an operations manager at the
Bloomberg School of Public Health at Johns Hopkins University. "They look
at me like I have three heads."
Mr. Wilson said that the use of the Web services had become a huge
concern, partly because copies of the forwarded messages sit untouched
on the school's servers, taking up space.
Many corporate technology professionals express the fear that Google and
its rivals may actually own the intellectual property in the e-mail that
resides on their systems. Gmail's terms of service, however, state that
e-mail belongs to the user, not to Google. The company's automated
software does scan messages in Gmail, looking for keywords that might
generate related text advertisements on the page. A Google spokeswoman
Google read user e-mail.
Paul Kocher, president of the security firm Cryptography Research, said
the real issue for companies was trust. "If you can't trust employees
enough to use services like Gmail, they probably shouldn't be working for
you," he said.
Many companies apparently do not have that level of trust. In a survey
conducted last year, the e-mail security firm Proofpoint found that 37
percent of companies in the United States used software to monitor
office use of Web mail.
The Internet companies themselves are looking to take advantage of
consumer preferences for Web-based e-mail services. This year, Google
plans to introduce a more secure version of Gmail for use in large
But Microsoft and other providers of traditional internal e-mail
systems, which the research firm Radicati says generated $2.5 billion in
sales last year, are helping companies combat employee use of the Web
The new version of Microsoft's corporate e-mail service, Exchange Server,
offers administrators improved tools to monitor the content of employee
mail and block forwarded messages.
At the same time, upgrades to Exchange and Microsoft's e-mail program
Outlook have made it easier for traveling employees to access e-mail on
the corporate network from a Web browser. Microsoft also recently began
urging corporate technology departments to give employees more storage
space in their e-mail accounts.
But the Web services are improving as well, and employees will no doubt
continue to find them tempting.
"We have as high a security standard as any company," said Ms. Bargero of
Sendmail, "and sometimes it is just too difficult to access our e-mail."
Copyright 2007 The New York Times Company