Does forwarding email introduce risk?

by

Forwarding email from one account doesn't add major technical risk, but there are issues that doing so can introduce, and cause IT admins concern.
Question:

I have several mail accounts. One is on an exchange server and usually
accessed with Outlook, which works poorly and is not accessible from outside a
certain protected network. I therefore asked for my email to this exchange
account to be automatically forwarded to my mail account on Google. The
exchange server administrator agreed, but now he is whining that this is a
security risk. How on Earth can simply forwarding mail messages be a security
risk??

Ah, those whiny administrators. Why can’t they just get out of the way and
let us do our work, right? Smile

Having worked in a corporate environment in the past, I do understand your
frustration. Not all of the decisions or rules make sense.

The problem is I can also understand your administrator’s position.

It all boils down to the definition of “security risk”.

]]>
<![CDATA[

Normally, when we think of “security risk” we’re thinking about things like viruses, spyware, malware, account hijacks and all sorts of other badness that we continually hear so much about.

“… simply forwarding email doesn’t add any additional technical risk.”

And you’re very correct – simply forwarding email doesn’t add any additional technical risk. If the mail had a virus, then the forwarded one likely will too. If it was safe, forwarding the email through another service like Gmail certainly isn’t going to add malware to it.

And I’m certain – or at least hopeful – that this isn’t what your admin had in mind.

Instead, I’m going to guess he’s concerned about something else. I’ll use a very vague and general term, and call it a “risk of exposure”.

You’ve indicated that your email’s available on a “protected network”. I’m guessing that could be as simple as a private LAN. That means that inter-office email never travels across the internet, and that email coming in from the internet never leaves the private LAN once it arrives.

In other words, your company, and your administrator, have total control over your internal communications. Access is restricted to those individuals who have been given access to that LAN. Even unauthorized access to your email, for example, would have to be an “inside job”, since your email is never allowed to leave the LAN.

If you auto-forward to Gmail, or any other service out on the internet, that changes. In theory it should be just as secure, or at least as secure as you keep your Gmail account. However, it opens the door to a few other issues:

  • If your Gmail account is compromised, sensitive company information could be visible.

  • If your ISP or internet connection is compromised, sensitive company information could be visible.

  • If you happen to access your email in an unsecure way at, say, an open WiFi hotspot, your company emails could be visible to an unauthorized third party.

  • Regardless of the problem or compromise, once the email has left your corporate LAN, your administrator has no control over what happens, and cannot rectify any problems that might result.

Most companies place these types of restrictions purely for that last reason: the risks of some kind of problem cropping up are simply perceived as too great, and the ability to “fix it” if something does happen is simply too small.

I’m not going to venture a guess as to whether or not your company is being overly cautious. Certainly the administrator could just be protecting himself, or retaining control, as opposed to truly thinking about what’s best for the company. The company rules could be in place simply to cover their assets. But it’s also quite possible that at the other end of the spectrum there are scenarios where what you’re asking for could legitimately be considered too risky.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

5 comments on “Does forwarding email introduce risk?”

  1. I understand that the mail may pass through several transit points (where it is stored unencrypted) when being transferred from 1 mail server and another, so it’s not just your own ISP you need to worry about …

    Reply

  2. I too understand your administrator’s issues being an administrator myself. There are a couple ways that can be opened up for the mobile user of Outlook. One is to enable the exchange server and Outlook for RPC over HTTP. Also the mobile user could VPN into the network and then open Outlook. There could be other, legal or regulatory, reasons the admin needs to keep the email locked down.

    Reply

  3. One option is to implement secure private network to enable the mails available for the users even from out side the corporate network any sort of VPN, Citrix Secure Access are some options.

    Another risk in forwarding the corporate mails to private mails like gmail is that once the employee leaves the organisation, he carries one copy of the mails which is generally not accepted

    Reply

  4. I have dealt with similar issues at the council where I work.
    If you look through Google’s terms and conditions for Gmail, they use their search tools to index your email to gather a profile about you. If you have sensitive data in those emails, it is being stored by Google.
    They claim that they won’t do anything with it but if you use the Youtube experience as a precedent, it is crazy for businesses to want their emails on the Gmail product.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.