Pub. 3 2012 Issue 1

www.wvbankers.org

Utilization of Webmail: Risks and Controls
By Chris Joseph, CPA, CISA

There are an increasing number of organizations considering the use of webmail. Some of these organizations consider using webmail due to the lower cost of the email alternatives available to them. Others are responding to employee requests to access their personal email accounts during breaks, lunch and off hours while at the organization's offices. The financial institutions industry has been no different, especially from the employee request perspective. We have been receiving an increasing number of inquiries regarding the use of webmail in banking organizations. While allowing the use of webmail may be a convenience to your employees and in some ways to the bank, it introduces additional risks to your organization that need to be considered. With regulatory requirements such as the Gramm-Leach-Bliley Act (GLBA), additional responsibilities and trust have been placed on the banking industry. This article addresses some of the risks that are introduced with the use of webmail and some of the controls you should consider if you elect to use webmail in your bank.

What is Webmail?

There are two ways to describe webmail. One is the use of a webmail client, where an email client is implemented as a web application accessed through a web browser (e.g., Internet Explorer). Another definition is webmail as an email service offered through a webmail provider such as Gmail, Yahoo! Mail and Hotmail. One of the attractive components of webmail as an email service is that the email is provided at no charge to the end user. Also, since webmail allows email traffic to flow through standard HTTP and HTTPS connections rather than SMTP, you can access your email from any computer with internet access without having to set up your client workstation (i.e. your computer) with your email solution. However, with this convenience come certain risks that need to be assessed.

Risks of Using Webmail

There are several risks introduced by using webmail that should be considered while performing your risk assessment.

• Compromised. As noted previously, webmail uses HTTP and HTTPS as opposed to SMTP. Computers that are used for webmail can be easily compromised, with the result being a barrage of spam and infected email messages.

• Improper Log Out. Historically, users frequently do not properly log out after their use of webmail. Simply closing the browser does not necessarily log out the user's session. Since the computer being used is typically a publicly shared computer, subsequent users could have unrestricted access to that user's account. What if the user was checking an issue on one of the bank's customers that included non-public customer information? With this one item, your bank would be in violation of the GLBA.

• Back Door. Typically, banks dedicate a substantial amount of money and resources to securing their information technology (IT) infrastructure and data. The intent is to reduce the risk of your bank being infected with malicious and inappropriate emails and attachments. The resources invested are directed at the bank
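The "Improper Log Out" risk comes down to where a webmail session actually lives: on the server, not in the browser window. The following added example (not code from the article or any webmail product) models a hypothetical server-side session table to show that closing the browser changes nothing on the server, and that the two controls a provider or bank can rely on are explicit logout and a short idle timeout; the 15-minute limit is an assumed policy value.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not from the article


class SessionStore:
    """Hypothetical server-side session table for a webmail service.

    The browser only holds a token; the server decides whether that token
    is still valid. Closing the browser on a shared computer does not
    touch this table, so whoever next presents the token (for example via
    a restored browser session on the same machine) continues as the
    original user until the server ends the session itself.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def logout(self, token):
        # Explicit logout: the only user-initiated action that invalidates
        # the server-side session.
        self._sessions.pop(token, None)

    def resolve(self, token, now):
        """Return the user bound to `token`, or None if it is unknown or has
        sat idle longer than the timeout. Expired entries are purged."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        sess["last_seen"] = now  # activity extends the session
        return sess["user"]


def shared_computer_scenario(store, now):
    """The article's scenario: a user logs in on a shared computer and just
    closes the browser. Returns who the server sees when the same token is
    presented one minute later, and again after the idle timeout lapses."""
    token = store.login("teller_a", now)
    # No logout call here: this is the "closed the browser" case.
    right_after = store.resolve(token, now + 60)
    after_idle = store.resolve(token, now + 60 + store.idle_timeout + 1)
    return right_after, after_idle
```

Without the idle timeout (or with a long one), the first value shows the next person at the computer inheriting the mailbox; the second value shows the server finally closing the gap on its own.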
