CNET News.com has a report titled “Firms fret as office e-mail jumps security walls”. Many organizations are concerned about employees forwarding work email to their personal, often web-based email accounts provided by free services like Yahoo! Mail, Google’s Gmail, or Microsoft’s Hotmail/Windows Live Mail.
At times employees may do this simply to get to their email faster when they’re not at work, but most organizations have valid concerns about internal communication, trade secrets, and privileged information being leaked. Web-based/personal email accounts can also be a source of viruses and other malicious code, because their messages do not pass through the anti-virus and other security mechanisms in place on corporate messaging systems.
Further, many organizations are also concerned about work-related email exchanged through personal email accounts, because those messages do not go through the organization’s archiving systems where such archiving is required by policy.
Some companies monitor traffic to web-based email sites such as those mentioned above. Some organizations actually block access to these sites. Many organizations are considering implementing Information Rights Management (IRM) solutions to restrict protected email content from being copied or forwarded.
Nevertheless, it all boils down to the intent of the employee copying or forwarding such content. As fellow MVP and Rights Management expert Paul Adare pointed out not too long ago in a conversation about IRM, there are no technology-based solutions that can protect against such intent. No technology can prevent employees from remembering information and relaying it in some form.
By default, Microsoft Exchange prevents users from automatically forwarding email to Internet recipients using Outlook rules: automatic forwarding to Internet recipients (through Exchange) is disabled. In Exchange Server 2003/2000, the setting is in Exchange System Manager | Global Settings | Internet Message Formats | Default | Properties | Advanced tab, where “Allow automatic forward” is unchecked. In Exchange Server 2007, it is in EMC | Hub Transport | Remote Domains | Default | Properties | Message Formats tab, where “Allow Automatic Forward” is unchecked.
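The Exchange Server 2007 setting can also be checked from the Exchange Management Shell. The following is an added example, not part of the original post; it relies on the `AutoForwardEnabled` property of `Get-RemoteDomain`/`Set-RemoteDomain`, and it reviews every remote domain entry rather than only Default, because a more specific entry applies to its own domain.

```powershell
# Added example: run in the Exchange Management Shell (Exchange Server 2007).
# Audits all remote domain entries for the "Allow Automatic Forward" setting.

$domains = Get-RemoteDomain

# Overview: one row per remote domain entry, including Default (*).
$domains | Sort-Object DomainName |
    Format-Table Name, DomainName, AutoForwardEnabled -AutoSize

# Entries that permit automatic forwarding to that domain.
$permissive = @($domains | Where-Object { $_.AutoForwardEnabled })

if ($permissive.Count -eq 0) {
    Write-Host "No remote domain entry allows automatic forwarding."
}
else {
    foreach ($d in $permissive) {
        Write-Warning ("Automatic forwarding is allowed for '{0}' ({1})" -f $d.Name, $d.DomainName)

        # -WhatIf only previews the change. Review each entry first: it may
        # have been enabled on purpose. Remove -WhatIf to apply the change.
        Set-RemoteDomain -Identity $d.Identity -AutoForwardEnabled $false -WhatIf
    }
}
```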
Organizations that are concerned about such actions should explicitly include policies regarding such behavior in their messaging/email/security policy, and ensure users know these policies and acknowledge them. It may be a good idea to include some details about possible consequences employees may face for violating or abusing such policies.