Implications of using webmail for government business

Download CSOC Protect Notice, Implications of using webmail for government business (PDF), February 2013


  1. Web-based email (webmail) is email accessed using a web browser, such as Gmail, Hotmail or Yahoo, or email portals provided by Internet Service Providers.
  2. Using non-agency-sanctioned webmail to conduct government business is attractive as it allows easy communication with stakeholders or colleagues at any time, from any place. However, such services can allow users to bypass security measures that agencies have put in place to protect their systems and information. This heightens the risk of the unauthorised disclosure of government information, which can cause embarrassment and loss of confidence in government services, or even adversely affect Australia’s national security and economic well-being.

Intended audience

  1. This advice aims to inform users of the risks of using non-agency-sanctioned webmail services for conducting government business.

The risks of using webmail for government information

  1. ASD has seen malicious emails sent to government agencies also forwarded on to users’ personal webmail accounts, which could lead to the compromise of the personal computing device from which you access your webmail.
  2. Your agency will have established security measures and handling procedures for transmitting sensitive, official and classified government information in line with its organisational policy and wider government requirements. By using webmail you may also be breaching legislative requirements.
  3. You may unwittingly endanger Australian government information by using non-agency-sanctioned webmail from your organisation’s network, as doing so can bypass security measures your agency has put in place to protect against network compromise.
  4. Webmail can be accessed from anywhere. This can place government information at a greater risk, as you may be using a computing device with little or no security, or one which has already been compromised.
  5. You should be aware of your webmail services’ privacy policy and ensure it is acceptable to your agency. However, it is important to note that you may not have full control over your data when using a webmail service, as such service providers are subject to the laws and regulations of the country where they are based. This may involve a number of countries, depending on where the data is stored and processed and where it transits. Foreign governments may have the right to lawfully access the data held by the webmail service without your knowledge.
  6. Any sensitive or classified information that is leaked from a non-agency-sanctioned webmail account will be difficult to clean up properly or retrieve if lost, as your agency will have no control over the actions and equipment of the webmail service provider.
    1. For example, a government employee had all their information and contacts deleted when their public webmail account was compromised. Sensitive business material was sent to and from this account. Had they been using the agency provided email service, such a compromise would likely have been avoided and the information more likely to have been recoverable.
  7. As you and your colleagues become accustomed to seeing webmail used for business, it will be more difficult to detect the commonly-used intrusion technique of ‘spoofing’. This is where a webmail account is set up to appear as if it is a legitimate user, such as you, for the purposes of social engineering.
  8. Information transmitted using webmail services will be used to target you with advertisements related to your communications. If you are using such services to conduct business, the webmail service provider can form a picture of government information.

Where to get help?

  1. Consult your ICT staff prior to any use of webmail services for government business. They will provide advice in line with your agency policy.
  2. If your agency does allow the use of webmail, our top tips are as follows:
    1. To reduce the risk of a government network compromise, use your agency-provisioned email service rather than webmail when accessing email from your agency network.
    2. Maintain separate accounts for work and personal purposes.
    3. Ensure any government information you send using webmail is considered publicly available, and is not sensitive or classified.
    4. To help stop known viruses, ensure the software on the device you are using to access webmail is up-to-date and runs anti-virus software.
    5. Use a strong and unique password to reduce the risk that a malicious actor will gain access to your webmail account. For greater protection, opt to use a second factor of authentication should your webmail provider offer such a service. For instance, Gmail offers users a combination of a normal password and a one-time code sent via SMS for authentication.

Further information

  1. Further information for users, including Detecting socially-engineered emails and Top security tips for the home user, can be found at ASD Publications.
  2. Visit for further guidance on protecting yourself online, including guidance on generating strong passwords.


Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.