Peculiar work security situtation

[purdin87]

I work at a college and was wondering what IT/security specialists had to say about this peculiar situation.

Every single employee’s work computer (President on down) blocks access to webmail like Yahoo!, Gmail and so forth. However, the company allows access to social networking sites like facebook and linkedin and so on, on those same computers.

Interesting thing is, that shared computers (like those in the library that students use) allow access to any website whatsoever including Gmail. Any employee is allowed to use the same exact login/password combination to login to a shared computer and hence do as they please (meaning, the company can’t actually tell which employee is using the shared computer since they all use the same generic login credential).

So, my question is:

If the company is afraid of information security leakage and therefore blocks all webmail everywhere to help stem the flow, then I get it. But this company only blocked webmail on the individual (not shared) work computers, and allows for generic access to a shared computer’s webmail.

Therefore, is the company truly monitoring the webmail or did it only block the webmail on individual work computers solely for productivity as opposed to information security purposes?

 

[seepy83]

I would guess that there is a policy in place that says "work" data can not be used, accessed, saved, etc on any of the "shared" computers (like those in the library). So they blocked access to webmail where they thought there was a significant risk.

They can't block it on shared computers because students use them, right?

Was it was created for information security or productivity reasons? You'll never know. But there is definitely some information security merit in it. It's certainly not a silver bullet policy for to prevent data leakage, but nothing is.

 

[Murloc]

sounds stupid because you can send attachments over FB afaik, or upload stuff to websites. FB causes more productivity loss than webmail in my opinion. There's the incompetence option: what if they blocked these websites 10 years ago and then didn't touch the list anymore?

 

[seepy83]

There's the incompetence option: what if they blocked these websites 10 years ago and then didn't touch the list anymore?

There's also the possibility that InfoSec went in to negotiate the policy with C-Level staff and wanted to block all kinds of stuff, and they had to come to some kind of compromise.

There's also the possibility that they didn't implement this policy to prevent data leakage, and their goal was to block webmail as a part of their strategy for preventing email-based worms, viruses, etc. from entering the faculty/staff side of the network.

You really won't know what their goals and intentions were unless you talk to the decision makers, but I can think of all kind of scenarios where the policy makes sense.

 

[Oakenfold]

You really won't know what their goals and intentions were unless you talk to the decision makers, but I can think of all kind of scenarios where the policy makes sense.

This. +1.
Depends on business need > risk of not securing the environment.

 

[Deleted member 4644]

How big of a college? I work at a larger college and we don't have any of this sort of blocking.