TL;DR
Using desktop email clients (like Outlook, Thunderbird) can introduce significant cyber security risks for your business. While convenient, they’re harder to control than webmail and more vulnerable to attacks. Switching to webmail or a managed client solution improves security but requires planning and training.
Why Desktop Email Clients Are Risky
- Security Updates: Desktop clients need regular updates. If employees don’t apply them, they become easy targets for malware.
  - Webmail is updated centrally by the provider – no employee action needed.
- Malware & Phishing: Desktop clients are prime targets for phishing attacks and can easily download malicious attachments.
  - It’s harder to control which files employees open compared to webmail with built-in scanning.
- Data Loss Prevention (DLP): Preventing sensitive data from leaving the organisation is much simpler with webmail.
  - Webmail can scan content before it’s sent, blocking confidential information. Desktop clients require complex add-ons and policies.
- Device Security: If an employee’s laptop is lost or stolen, the email data on that device is compromised.
  - Webmail doesn’t store emails locally; access requires authentication.
- Compliance: Meeting industry regulations (like GDPR) can be harder with unmanaged desktop clients.
  - Centralised webmail provides better audit trails and control over data handling.
Steps to Forbid Desktop Email Clients & Improve Security
- Assess Current Usage: Find out who is using desktop clients and why.
  - Use a network inventory tool or survey employees.
- Choose an Alternative: Webmail (like Gmail, Outlook 365) is the most common solution. Consider managed email client solutions if webmail isn’t suitable.
- Migrate Email Accounts: Move existing emails to the new system.
  - This can be complex; consider using a migration tool or IT support.
- Disable Desktop Client Access (if possible): Some email servers allow you to block IMAP/POP3 access, forcing users to use webmail.

  ```powershell
  # Example: Blocking IMAP on an Exchange server
  # Replace <mailbox_name> with the identity of the mailbox to change.
  Set-CASMailbox -Identity "<mailbox_name>" -ImapEnabled $false
  ```
- Group Policy (Windows): Use Group Policy to prevent users from adding new email accounts in desktop clients.
  - Navigate to User Configuration > Administrative Templates > Control Panel > Mail.
  - Enable the policy “Prevent users from adding profiles”.
- Firewall Rules: Block access to common IMAP/POP3 ports (143, 993, 110, 995) if necessary.
- Training & Communication: Explain the reasons for the change and provide training on the new system.
  - Highlight the security benefits.
- Monitor & Enforce: Regularly check that users are complying with the policy.
  - Use network monitoring tools to detect unauthorised email client usage.
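
The following Python script is an added example, not part of the original article: it scans firewall connection logs for traffic to the IMAP/POP3 ports listed above and reports which hosts still run a mail client, skipping hosts on an approved exception list. The CSV log layout, the sample rows and the function name are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Ports named in the firewall step of this article.
MAIL_CLIENT_PORTS = {143: "IMAP", 993: "IMAPS", 110: "POP3", 995: "POP3S"}

# Constructed sample data; the CSV column layout is an assumption.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,action
2024-05-01T09:00:01Z,10.0.4.17,203.0.113.25,993,allow
2024-05-01T09:00:05Z,10.0.4.17,203.0.113.25,993,allow
2024-05-01T09:01:12Z,10.0.4.22,198.51.100.7,443,allow
2024-05-01T09:02:40Z,10.0.4.31,198.51.100.9,110,deny
2024-05-01T09:03:02Z,10.0.9.5,203.0.113.25,143,allow
2024-05-01T09:03:30Z,10.0.4.31,198.51.100.9,995,deny
2024-05-01T09:04:00Z,10.0.4.40,198.51.100.9,not-a-port,allow
"""


def find_mail_client_hosts(log_text, exempt_hosts=frozenset()):
    """Summarise IMAP/POP3 connection attempts per source host.

    "allowed" counts connections the firewall let through; any other
    action (e.g. "deny") is counted as "blocked".
    """
    findings = defaultdict(lambda: {"protocols": set(), "allowed": 0, "blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            port = int(row["dst_port"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed or truncated row
        src = row.get("src_ip")
        if port not in MAIL_CLIENT_PORTS or not src or src in exempt_hosts:
            continue
        entry = findings[src]
        entry["protocols"].add(MAIL_CLIENT_PORTS[port])
        outcome = (row.get("action") or "").strip().lower()
        entry["allowed" if outcome == "allow" else "blocked"] += 1
    return {ip: {**e, "protocols": sorted(e["protocols"])} for ip, e in findings.items()}


if __name__ == "__main__":
    # 10.0.9.5 stands in for an approved exception (e.g. an IT administrator).
    for ip, info in sorted(find_mail_client_hosts(SAMPLE_LOG, {"10.0.9.5"}).items()):
        print(ip, info)
```

Clients that reach the mail server over HTTPS (port 443) do not appear in this port-based check, so it complements rather than replaces the server-side IMAP/POP3 block.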
Exceptions
In some cases, you might need to allow exceptions for specific roles (e.g., IT administrators). Ensure these users have extra security measures in place.