The Australian National Audit Office has just released a report, ‘The Protection and Security of Electronic Information Held by Australian Government Agencies’, based on a review of the information security practices of four agencies: the Australian Office of Financial Management, ComSuper, Medicare Australia, and the Department of the Prime Minister and Cabinet.
Amongst other recommendations was one which has been much discussed on Twitter this morning, “emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure.”
This reflects the recommendation in the Defence Signals Directorate’s Information Security Manual, the ‘bible’ for Australian Government agencies when it comes to ICT security, which states on page 100 that:
Agencies should not allow personnel to send and receive emails using public web-based email services.
The concerns are clear and relevant. Web-based email can easily be used, inadvertently or deliberately, to distribute large quantities of citizens’ personal information, or an agency’s In Confidence or other classified information, rapidly and to large numbers of recipients, making it impossible to contain the spread of that information once it has left the agency.
Web-based email is also a potential avenue for attacks against an agency: viruses, worms and trojans arrive in attachments that bypass the agency’s mail gateway and so may not be scanned to the same standard as departmental email, and links in messages can lead staff to compromised or malicious websites.
I don’t dispute these real concerns. They are concerns for corporations as well.
However, I do ask – what is ‘web-based email’?