You've Got (No) Mail! Major Law Firm Blocks Employee Email Access
from the overreaction dept
Personal email accounts introduce possible threats to firm computers. A careless employee could open a trojan horse attachment and unleash a virus on the system. Even if the attack only infects the local drive, confidential information may be at risk. This puts firms in a bind. Either invest time and energy teaching basic Internet skills to their employees — lessons like, “don’t open attachments from unknown email addresses” — that most of us learned when we still had Prodigy emails, or condescendingly cut off access to a modern necessity because the employees are too hopeless to understand the rules.
Yesterday, a major law firm chose the latter route…
King & Spalding dropped this nugget on their employees yesterday:
The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited, to personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.
Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so.
Yes, this policy was announced yesterday at approximately 4 p.m. Eastern time. So while the whole country was conversing over personal email (and its companion chat systems) about the latest news updates surrounding a national tragedy, King & Spalding was announcing that it would be cutting off this access. Perhaps less than savvy timing. Someone in a position of authority may have wanted to hold off for a week or so.
Employees can continue to check email on their phones not connected to the main network (a new “ksmobile” network has been set up for this purpose). This means all their employees will now spend an order of magnitude longer every day cruising their inboxes on 3.5-inch screens and typing detailed responses with their touchpads. EFFICIENCY!
King & Spalding isn’t wrong to recognize that third-party email services constitute a threat to the firm network. But the actual threat is entirely between the keyboard and the chair if you will. Gmail isn’t threatening the network, Donny Dips**t clicking on a link sent by a Nigerian Prince is threatening the firm network. In the estimation of King & Spalding, its firm email system can better guard against phishing and thus minimize the opportunity of its employees to expose the firm to harm. However, Internet users are getting smarter every year, and with the decline in these “user errors,” the whole phenomenon of phishing is in decline.
So after years of exposing the firm’s computers to risk, King & Spalding has opted now, while the risk is in decline, to take the drastic step of blocking personal email accounts. Perhaps this explains why King & Spalding didn’t survive the first round of the “Which Firm Has The Brightest Future?” bracket.
Full email below.
KING & SPALDING — FIRM-WIDE-ANNOUNCEMENT — EMAIL ACCESS
New Policy Prohibiting Access to Non-King & Spalding Email Accounts (“Personal Email Accounts”) from Firm Computers
The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk. Therefore, effective May 1, 2013, access to Personal Email Accounts (i.e., anything other than your kslaw.com email, including, but not limited, to personal email accounts like Gmail, Yahoo, Hotmail, cable company, etc.) from King & Spalding computers will no longer be permitted.
Most personal email sites will be blocked while you are on the firm’s network. However, you should not access Personal Email Accounts from a firm computer, even if you are not automatically blocked when trying to do so. For example, you should not access Personal Email Accounts from a firm laptop, even when the laptop is not connected to the firm’s network (i.e., from your home network, a hotel internet, etc.). The firm’s computer systems hold confidential information about our clients and the firm and, as you know from reading articles in the press, individual users who innocently click on malicious e-mails are often the cause of security breaches. We need your help in protecting our systems by following this and other security related policies, even when you can do things that you are not supposed to do.
In certain limited circumstances, clients require us to communicate via a third party email system. If you have such a client requirement, please contact Thomas Gaines or Gene Viscelli so that we can determine the best way to address your client requirement. Please do not simply access the third party email without checking with Thomas or Gene (or the Service Desk if you cannot reach Thomas or Gene first).
Permissible Ways of Accessing Personal Email Accounts
The prohibition against accessing Personal Email Accounts from firm computers does not impact your ability to access Personal Email Accounts such as Gmail, Yahoo or Hotmail from your own personal devices (e.g., smartphones, iPads, tablets, personal laptops, etc.) while at the firm.
The firm has installed a wireless network called “ksmobile” in each office. This wireless network is reserved for K&S personnel (not clients or visitors who should be directed to the ksguest network), is a direct route to the Internet, and is appropriately sized to accommodate the many personal devices that are being used by K&S personnel. Because ksmobile does not connect to the firm’s internal network, it provides the firm a more secure way to allow you access to your Personal Email Accounts while you are in the office.
If you wish to use the ksmobile network, you may obtain the password to access this network by calling the Service Desk at ext. 8-3000. After your initial connection to ksmobile, your personal device will automatically reconnect whenever you are in a K&S office and retain the connection throughout the K&S space without the need to reenter the password.
If you have any questions about this new policy, please contact Gene Viscelli, Thomas Gaines, or any member of the Technology Oversight Group (Pat Brumbaugh, Derek Hardesty, Ted Hester, John Keffer, Floyd Newton, Bob Perry, Glen Reed and Kathy Rhyne).
Gene Viscelli
Chief Information Officer
Filed Under: email, law firms, personal email
Reader Comments
Most financial institutions already block personal e-mail
I believe this was originally driven by regulatory requirements to preserve all written communications for possible audit and legal discovery purposes, and perhaps also to show that the firm had made all reasonable efforts to prevent inside information from leaking out to be traded on.
[ link to this | view in thread ]
Compliance issues are more cumbersome than the security aspects, at least in that field.
[ link to this | view in thread ]
Nothing new
[ link to this | view in thread ]
guest network FTW
So in the end, this won't affect employees that much: if you work at a law firm and don't already have an expensive mobile device, something must be wrong with you. ;-)
[ link to this | view in thread ]
Users are idiots
And too many of them nod their heads, spit out yes, thank you, what would I do without you and blah blah blah when they're given that assistance.
Only to fall right back into stupid-land.
Stupidity can't be extricated from the masses.
But just for fun - let's take it further - when you're at work as an employee, why should you even be allowed to spend time with personal email? Save it for your break, on your own time, on your own connected device.
[ link to this | view in thread ]
Every single place I have worked
[ link to this | view in thread ]
What do I do at lunch?
I check my email.
I surf a couple forums.
If I have time I might look for a funny video.
[ link to this | view in thread ]
The last virus outbreak was back in 2004 and that was due to a usb drive and not email.
But it is their computers and network and they can do what they want as long as it is legal.
[ link to this | view in thread ]
Gotta agree
At the state park in which I volunteer, just last week someone managed to wipe out 2 PCs by opening an attachment in personal mail on one, then moving to another to try again.
[ link to this | view in thread ]
Re: Users are idiots
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Users are idiots
Stupid lives forever.
[ link to this | view in thread ]
Heck, I've worked at 4 jobs in my life, one which had no computers, two blocked everything but the intranet or the company website, and one that let me use the internet at will (which I.... promptly abused, watching a few too many cat videos on youtube).
And, well, even good computer users can be tripped up and introduce a virus. If a virus wants to get in, it will, and only staying off the internet is a good way to prevent a virus 100% of the time.
[ link to this | view in thread ]
How off the mark you are on this one.
Blocking personal email sites is smart.
How efficient are you supposed to be on company time replying to your personal emails?
You are obviously such an entitled punk and have had so much handed to you for so long you are no longer capable of understanding what "work" is.
You can not train the stupid out of certain people when it comes to email. We have been trying for decades.
You sir on this topic have proved to be an idiot of massive scale.
[ link to this | view in thread ]
Nothing New
Most federal government employees have been blocked from using personal email sites for about the last half decade. And in my agency, the list of blacklisted auto-blocked web sites grows exponentially every month.
I would estimate, for example, that on any given day, at least 40% of the links on the Drudge Report site come back blocked. And most of them are legitimate news sites.
It's pretty ridiculous, but hey, that's what iPads are for, no?
[ link to this | view in thread ]
better idea than it may seem
As a law firm, the costs of losing control over privileged information can be very high, ranging up to firm-destroyingly-high should confidential & embarrassing records get published.
Add that to the fact that most security awareness training doesn't work, and is even argued against[1]. In order for most training to be effective we need to see our actions and the reward as coupled. With security training you sit in a boring seminar (or complete some basic computer based training program) once a year, then forget about it once the quiz is through. You may not be presented with a chance to apply your training for days, weeks, or months. Even then, the cost of failure might be nil, just like the reward for success. I can't think of a less effective method for education.
Training every single employee of that law firm to behave correctly 100% of the time is unlikely to work. Instead IT, full of people with a better understanding of the problem at hand, manages all routes for data to reach internal computers. Email, web, gopher, whatever. They actively manage block lists, virus scanners, etc. all in attempt to minimize risk. Drop one of those horrible link manipulation tools on the mail server that runs the link through a checker at click-time, rather than receipt time (the delay between the two adding valuable minutes or hours for a block-list to be updated) for good measure. Delete or quarantine all password protected compressed files, and quarantine any attachment from an unknown mail address.
If the user avoids all of that, and downloads a compressed .rar file with a password from a spear-phisher over gmail, they've skipped over half the defense in depth from the start. All that stands between that virus and the network is the virus scanner, which is generally reactive rather than proactive.
[1] http://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
[ link to this | view in thread ]
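The gateway controls the comment above lists (click-time link rewriting, quarantine of password-protected archives, quarantine of attachments from unknown senders) as an added Python example; this is not code from the commenter, from the firm, or from any mail product. The checker URL linkcheck.example, the sender allowlist, the sample messages and the test archive are all assumptions constructed for the example; the "encrypted" flag on the test ZIP is set by hand because the standard library cannot write encrypted archives.

```python
"""Toy mail-gateway policy evaluator (added example, not from the post).

Implements the three controls described in the comment: rewrite links so
they are checked at click time, quarantine password-protected archives,
and quarantine any attachment from a sender not on an allowlist.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Hypothetical click-time URL checker (assumption, not a real service).
CLICK_CHECK_PREFIX = "https://linkcheck.example/?u="
# Archive types this toy cannot open; the policy quarantines them outright.
UNINSPECTABLE_ARCHIVES = (".rar", ".7z")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member sets general-purpose flag bit 0 (encrypted),
    or if the archive cannot be parsed at all (treated as suspicious)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return True


def rewrite_links(text: str) -> str:
    """Wrap each http(s) URL so the reputation check runs at click time rather
    than at receipt time, giving block lists time to catch up."""
    return URL_RE.sub(lambda m: CLICK_CHECK_PREFIX + quote(m.group(0), safe=""), text)


def evaluate(raw: bytes, known_senders: set[str]) -> dict:
    """Return a verdict, the reasons behind it, and the link-rewritten body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_is_encrypted(data):
            reasons.append(f"password-protected archive: {name}")
        elif name.endswith(UNINSPECTABLE_ARCHIVES):
            reasons.append(f"archive that cannot be inspected: {name}")
        if sender not in known_senders:
            reasons.append(f"attachment {name} from unknown sender {sender}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "verdict": "quarantine" if reasons else "deliver",
        "reasons": reasons,
        "body": rewrite_links(body),
    }


def make_zip(encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted ZIPs, so for
    the 'encrypted' case general-purpose flag bit 0 is set by hand in the
    local header (offset 6) and the central-directory entry (offset 8);
    the member content itself stays in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf.exe", b"not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x1
    return bytes(data)


def build_sample(sender: str, encrypted: bool) -> bytes:
    """Constructed sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "associate@firm.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review http://billing.example/inv/42 and the attached file.")
    msg.add_attachment(make_zip(encrypted), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    known = {"partner@example.com"}
    print(evaluate(build_sample("Stranger <stranger@example.net>", True), known))
    print(evaluate(build_sample("partner@example.com", False), known))
```

The first sample trips two of the three rules at once (encrypted archive, unknown sender) and is quarantined; the second, from an allowlisted sender with a plain archive, is delivered with its link rewritten. A real gateway would also scan archive contents and consult a reputation service, which this toy deliberately leaves out.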
Re: Re: Users are idiots
> it isn't some group of others who are idiots.
> To quote Scott Adams:
> Everyone is an idiot, not just the people
> with low SAT scores. The only differences among
> us is that we're idiots about different things
> at different times. No matter how smart you
> are, you spend much of your day being an idiot.
Exactly. I was about to say the same thing but Adams said it better. People who are computer/IT savvy love to haughtily rail about how stupid 'the masses' are, but take them out of the IT realm and they suddenly become just another one of the stupid masses with regard to someone else's expertise.
[ link to this | view in thread ]
smart policy
They're even setting up a separate net for personal systems/devices. Like most everyone else, I'm not seeing the complaint.
[ link to this | view in thread ]
Which then makes this whole policy moot.
[ link to this | view in thread ]
Re: Nothing New
Hell, the law firm even went out of its way to install a separate wifi network throughout its offices to facilitate employees' use of their personal phones and tablets.
Like many in the comments here, I have to ask, what's the big deal?
[ link to this | view in thread ]
Which then makes this whole policy moot.
[ link to this | view in thread ]
Response to: Crashoverride on Apr 19th, 2013 @ 4:26pm
By going through the corporate servers, all the protections it provides are enabled.
[ link to this | view in thread ]
good idea
[ link to this | view in thread ]
Re:
Law firm issues aside, some personal use of the interwebz can lead to increased employee productivity. About 9%, on average.
Summary:
http://arstechnica.com/business/2009/04/study-surfing-the-internet-at-work-boosts-productivity/
Scholarship:
Coker, B. L.S. (2011), Freedom to surf: the positive effects of workplace Internet leisure browsing. New Technology, Work and Employment, 26: 238–247. doi: 10.1111/j.1468-005X.2011.00272.x
Now get back to work you lazy entitled punk shitheads who so obviously value empiricism over properly subservient work practices.
[ link to this | view in thread ]
I disagree
In addition, while phishing may have dropped 15 percent for some sectors, it's risen for others as the link posted shows. Phishing remains one of the best ways for hackers to breach a network.
Suggesting that PEBCAC is the reason doesn't help. PEBCAC doesn't go away without major training. Worse, hackers with proper reconnaissance can craft an email that NO ONE would refuse to click on because it would look exactly like something they should click on. That's true whether the email comes in as company business or as personal business.
So removing one entire source of such phishing efforts is worth a small price in efficiency.
Personally, I think companies should follow CIA policy: two computers on each desk, one classified, one unclassified. The classified one runs on the main business network, the unclassified one runs on an entirely different network. And never the twain shall meet except via a specific protocol for transferring vetted data from one to the other. This goes beyond just having a firewall and a DMZ.
[ link to this | view in thread ]
Re: Re: Re: Users are idiots
When my car has a problem, I don't go start taking apart random shit because I feel I can take care of it.
When I get a call over the phone telling me I won a million dollars but I need to give my credit card info in order to collect, I don't go reaching for my wallet. I imagine most people would realize they are being scammed.
Why is the internet any different? Why do people think that things they get over email is somehow more trustworthy than someone calling them on the phone?
[ link to this | view in thread ]
Re:
Plus I imagine the computers at your school district are far more locked down and restricted than people trying to do their work at a law firm.
[ link to this | view in thread ]
Re: Re: Re: Re: Users are idiots
While I am no better than anyone else, given that I am human, I am more likely to use what we all too quickly label as "common" sense.
It's called "critical thinking" and most people do NOT use it.
[ link to this | view in thread ]
Comment from the Irony Department
The firm is taking very reasonable steps to protect their data (and their clients' data). Agreed the security risk is the employee, not the technology. But they rightly recognize that no amount of training will completely eliminate employees' mistakes, especially since the scammers keep inventing new ruses.
And the firm is taking the reasonable step of mounting a new network outside their firewall to support employee access to personal accounts. So the firm isn't trying to wall off access completely during the workday, an action that would be problematic on several dimensions.
I'd say the overreaction here is on the part of our poster, not on the part of the law firm.
[ link to this | view in thread ]
But I get the feeling that the person who sent me that thing would have clicked on a similar attachment without a second thought, had one been sent to her.
It's annoying for users who know what they're doing, when stuff gets locked down because of the people who don't. But often, it's needed.
[ link to this | view in thread ]
Very disappointing.
[ link to this | view in thread ]
As long as your home broadband has at least two IP addresses available, this can be done.
That is the easiest way to circumvent the filtering.
[ link to this | view in thread ]
People who come up with such solutions, are merely attacking the "symptoms."
There are simply no short cuts when it comes to security.
[ link to this | view in thread ]
Sensible policies
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Users are idiots
Yes, this is Kettering's Principle of Intelligent Ignorance: the intelligent don't lack ignorance. They just know what they're ignorant about.
Two quotes from Kettering:
and
[ link to this | view in thread ]
Re:
I keep hearing this, but have never actually experienced it even once. But then, the big companies I've worked for have been software companies. That might make a difference.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
This would be a stupid thing to do. Employers can, and most of them do, monitor and store all emails flowing through their corporate server. Do you really want your employer to have access to all you personal email?
[ link to this | view in thread ]
This is the first time I've seen an article on Techdirt
Clearly a non story.
[ link to this | view in thread ]
With the added benefit it would protect the company as a whole.
[ link to this | view in thread ]
Just no
[ link to this | view in thread ]
Personal E-Mail is a Threat
[ link to this | view in thread ]