In our experience, most employees want to do a good job. They’re committed, passionate and in the habit of helping their employer. However, many employees are under lots of stress, being pulled in a variety of directions on a daily basis. For simple convenience, some may use their personal emails for corporate work at one time or another. This is a bad practice and should be avoided at all costs.
In fact, you should have a policy in place that prevents staff (and management for that matter) from using their personal emails for corporate purposes. This may sound draconian but it is a foundational step in preventing the use of personal email in the workplace.
So why does this matter?
This matters as it can create a backdoor to a data breach. Of course, not every single email sent from a personal account creates an issue, but it’s a bad habit to fall into. It’s like driving without shoulder checking. You might get away with it for a while but eventually, that habit is likely going to come back to haunt you. It’s better to nip this unnecessary risk in the bud.
In some cases (yes, sadly this does happen) the intent of an employee may be more malicious. Perhaps they are exfiltrating data from your organization for nefarious purposes. But, it should be said, in the vast majority of cases, employees don’t mean to cause an issue. Yet the reasoning is not hugely relevant; the consequences are what matter most.
Using personal email can also create a crack in your security armour allowing malware and other cyber threats to slip through. After all, the protocols and protections for personal email are typically less stringent than those used on professional accounts.
Moreover, personal email is not managed by an organization’s IT department, nor is it visible to them. They may not even know where the servers are (i.e. where the data is stored). This means there is no standard security, compliance, backup or governance in place. This is a substantial problem.
Another potential issue is accidental data loss. If your environment is lax with its data security protocols, an employee may store important files on an account that can only be accessed via their personal email. Yet, perhaps some months later, they move on to take a new position elsewhere in the country. It may be another few months before you even realize that the file you thought you had access to is unavailable. This accidental leakage can be just as damaging as a deliberate leak and it happens more than you think. How about an example? Check out what happened at Boeing a number of years ago. Big yikes!
Sharing sensitive data via personal email may also represent a consumer privacy violation in certain contexts or a breach of contract. Long story short, it needs to be avoided at all costs.
Walk the data security walk…
At the end of the day, all electronic communications being sent on behalf of your organization should be centralized to minimize risk. The security protocols should be carefully managed by your internal IT team, perhaps in conjunction with a trusted and reputable third party.
However, policies and procedures are only as effective as their enforcement. You may have a policy of not using personal email. But if senior management and other team members are allowed to use personal email without repercussions, this is a problem. The use of personal email for corporate work should be strongly discouraged. Everyone at the organization needs to walk the data security walk.
Thanks to the folks over at Computer Economics for this chart:
This includes making things as easy as possible for your employees. If you have a culture that sees team members using personal email for corporate work, try to find out why. Then work to develop a solution that rectifies the issue without creating unnecessary obstacles for your team. Simply explaining the importance of avoiding using personal email can also help. Again, most employees want to do a good job for their company.
At SeekingFire Consulting Inc., we offer a wide variety of data security services. If you’re looking for help or advice with your cybersecurity needs, please contact us. We would be happy to help. We’re also happy to partner with in-house IT specialists to deliver the solution that best suits your organization’s needs.
While we have made every effort to present accurate, unbiased and helpful information in this article, please note that it reflects the author’s opinion and is written for the purposes of general knowledge, information and discussion. This article is not intended as legal advice, nor should it be considered as advice specific to your individual data security situation. If you would like to discuss your cybersecurity needs in specific detail, please get in touch with us.