Exchange Server mailboxes carry significant risk when it comes to security threats. However, the biggest security threat that administrators may overlook is the use of PST files for Microsoft Outlook mailbox data storage.
What are PST files?
Microsoft® Personal Storage Table (PST) files or “Personal Folders Files” can be created using Microsoft Outlook to move or copy e-mail or attachments from your Server Mailbox account to your local PC.
How do PST files work?
PST files essentially act as a local archive/storage file you create to store e-mail and attachments on your computer’s hard drive, a USB drive or a server share. This way, you don’t have to take up so much space on your company’s mail server.
Microsoft® Personal Storage Table (PST) files multiply rapidly when users send and receive email messages, rely on their computers for calendar reminders, and perform other tasks in Microsoft Outlook®. They can present significant management challenges and business risks because they are stored on individual workstations rather than on a centralized server.
Why shouldn’t your company use PST?
PST files may seem to be the solution to mailbox storage for office e-mail administrators, but handy as they seem, it is best to avoid using them in your company if possible.
1. PST files are prone to data loss and corruption
PST files are unlikely to be backed up because most system administrators do not back up workstation hard drives, where PST files are usually saved. PST files also tend to become corrupted when their maximum storage is pushed to the limit.
PST files contain email that houses business-critical information, and retrieving it would be close to impossible, especially if data corruption occurs. PST files have limited recovery capability. Permanent data loss is likely to happen.
2. Using PST files poses a threat to security compliance
Since PST files can be saved to USB or external hard drives, confidential and sensitive information can easily be walked out the door. Even regulatory requirements describing the proper handling of data can be overstepped, since PST files are usually seen as part of Microsoft Outlook’s Server Exchange Program.
PST files’ portability can be a liability. PST files stored on laptops that are often taken out of the office can be misplaced or, worse, stolen. Along with the stolen hardware goes your company’s confidential data.
3. PST files are local to a device and only work with Outlook
PST files are device-specific. If Outlook stores data in PST files, then the data will only be accessible using that copy of Outlook and will not be accessible to any other device that accesses the corresponding mailbox. Another disadvantage of using PST files is that they only work with Outlook. Mobile devices that attach to Exchange mailboxes using ActiveSync cannot open PST files. Even the Outlook Web App does not reflect any data from the PST files.
4. PST files can be a liability to message lifecycle management policies
Some companies have policies to regulate the lifecycle of their e-mail, automatically purging messages when they reach a certain age. A company is no longer required by law to keep a copy of messages once they reach a certain age, and these can be purged to keep them from being subpoenaed in the event of litigation. If a user stores old messages in a PST file, then they have effectively circumvented the message lifecycle management policies.
5. PST files increase the cost of doing business
PST files affect the capacity requirements and performance of backup servers. Imagine users of personal folders holding multiple copies of documents within their PST files. Multiply that situation by the number of messages and users, and the impact on storage requirements is clear.
PST files also tend to increase the administrative burden. Administrators might be asked to discover PST files across the organization or try to recover data from a corrupt PST file.
In both cases, there is a cost associated with the extra administrative effort and storage requirements, not to mention the likely costs associated with data loss or leakage.
To fully control and manage company information, organizations need to review the usage and risks of PST files or folders, define a policy regarding their existing and future use, and implement and enforce that policy.
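As a starting point for the review and discovery work described above, the following PowerShell script is an added example (not part of the original article) that inventories PST files under a set of folders, confirms each one by its file header as documented in Microsoft's [MS-PST] format specification, and flags files untouched beyond a retention window. The parameter names, the 365-day default and the output path are assumptions to adapt to your environment.

```powershell
# Added example: inventory PST files for policy review (not from the original article).
# Assumed parameters: $Roots, $MaxAgeDays and $OutCsv are placeholders for your environment.
param(
    [string[]]$Roots = @($env:USERPROFILE),
    [int]$MaxAgeDays = 365,
    [string]$OutCsv = '.\pst-inventory.csv'
)

function Get-PstFormat {
    param([string]$Path)
    # PST header: bytes 0-3 are the magic "!BDN"; bytes 10-11 hold wVer
    # (14 or 15 = ANSI format, 23 = Unicode format).
    $buf = New-Object byte[] 12
    try {
        # Request shared access; a file locked exclusively is reported as 'Unreadable'.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { $read = $fs.Read($buf, 0, 12) } finally { $fs.Dispose() }
    } catch { return 'Unreadable' }
    if ($read -lt 12) { return 'Truncated' }
    if ([System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -ne '!BDN') { return 'NotPst' }
    $ver = [System.BitConverter]::ToUInt16($buf, 10)
    if ($ver -in 14, 15) { return 'ANSI' }
    if ($ver -eq 23) { return 'Unicode' }
    return "Unknown($ver)"
}

# A file last written before the cutoff has had nothing added since then,
# so it is a candidate for retention-policy review.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$report = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter *.pst -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $owner = try { (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner } catch { 'Unknown' }
            [pscustomobject]@{
                Path          = $file.FullName
                SizeMB        = [math]::Round($file.Length / 1MB, 1)
                LastWriteTime = $file.LastWriteTime
                Owner         = $owner
                Format        = Get-PstFormat -Path $file.FullName
                PastRetention = ($file.LastWriteTime -lt $cutoff)
            }
        }
}
$report | Sort-Object SizeMB -Descending | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Group-Object Format | Select-Object Name, Count
```

Files reported as NotPst carry the .pst extension without the PST header, and the script only finds files that keep that extension.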