tools that might be run on your network, but I guess your key issue is that
most webmail sites use HTTPS so, unless you have a suitable HTTPS
man-in-the-middle proxy (which introduces its own significant security
issues), you won't be able to scan the plaintext.

It is feasible to ban such services and to ensure compliance by strict
network controls as well as policies and procedures, but you will have to
draw up a decent security risk analysis and make your case to counteract the
perceived value of allowing staff free access. If you can get any of those
DLP or similar tools in for evaluation, see if you can gather some
statistics to get a handle on the current scale of the problem: proven
exfiltration of sensitive/valuable data makes your business case more
powerful than mere conjecture.

By the way, your job is to make a clear recommendation but let "management"
make the risk-based control decision, unless YOU want to be held accountable
for any incidents (security, HR or otherwise) that flow from this. Don't
let them get away with a plain "No!"; make it crystal clear that in so
deciding, they would be unwisely accepting what you presumably consider to
be an unnecessary risk, and therefore a range of compensating controls would
be necessary, such as additional training/awareness, policies & procedures,
compliance measures, incident and contingency plans etc.

UPS: abbreviation or oxymoron?
www.NoticeBored.com Creative awareness materials
www.ISO27001security.com ISO/IEC 27000 standards