FYI, the IP access list was removed ages ago (I can't remember when, but I got issued a VPN one-time password keyfob thang shortly after I started back at PlusNet). For access to workplace, you have to be on our network, connected via VPN. As it happens, one of my tasks over the last few months has been working on the feasibility of reselling the cryptocard managed solution we use for workplace to our customers, although it hasn't really gone anywhere as of yet due to other priorities.
IMO the problem here isn't that we don't take security seriously across the board, but we certainly didn't take the security of the existing webmail platform seriously enough, perhaps because we were too busy planning to replace it - let's wait to see what tomorrow's report brings before we discuss this element further though.
Out of interest hotblack, which ISPs do offer SSL-based email / FTP as standard? I agree it's a good idea, especially for us now, but I don't think it's standard for an ISP to provide these, is it?
Ian