We’ve been (professionally, of course) interested in recent stories about politicians using their personal email accounts to conduct government business.
For many commentators, the main issues are to do with lack of transparency and traceability, but for us, it’s all about poor cyber security awareness and the potential for your email security to be compromised.
The discussions have led to various conversations in our team – which of our previous jobs banned personal email use for work purposes? Well, it turns out pretty much all of them. We’ve worked in banking and finance, public sector services, commercial enterprises and charities – and in all cases, using personal email has been ‘against the rules’.
Why is this such a big deal?
Organisations have a responsibility to protect themselves, their people and the data they hold. So it’s no surprise that they put various systems and procedures in place to help them do that. Keeping emails secure is part of that. When you’re using your organisation’s network, security procedures, email addresses and passwords, you’re part of a deliberately designed system. When you choose to use your personal account, all those security features fall away.
And of course, people do use their personal email accounts. If we’re honest, we’ve probably all done it at some point in the past. It’s easier to forward that document to your personal email so you can work on it at home or print it out. It’s quicker to send your client’s personal details to your own email so you can call her from home tomorrow. It’s less complicated to copy yourself into a work email than to remember how to set up your remote access to the office.
All of these seem great reasons to use your personal email – you just want to get your work done, and this is the easiest way.
Unfortunately, it’s also the leakiest way. It’s the thing that hackers are just waiting for you to do. It’s the way you can compromise the whole of your organisation without even trying.
In fact, in a recent survey by software provider Tessian, security leaders estimated that around 720 unauthorised emails were sent every year from organisations with more than 1000 employees. It turns out the actual figure is 27,500. That’s some difference.
So, it’s a big deal because it happens more often than we think. And because it gives hackers and other cyber criminals an open door to your organisation.
Here are just a few of the cyber security consequences of taking data outside of your organisation’s secure systems:
- Fines and even custodial sentences for breach of data protection regulations, including GDPR
- Breach of contract or non-disclosure agreements with clients
- Loss of trust from clients, suppliers and advisers
- Loss of proprietary data, research or intellectual property
- Reputational damage
- Regulatory fines and loss of regulatory approvals
Why is personal email more vulnerable to attack?
Organisations are able to put a range of measures in place to maintain email security. These include things like two-factor or multi-factor authentication – where users are sent an additional security code by text message or through an app. In addition, incoming emails often have to get through a gateway process, which is a first layer of protection, spotting potential scam emails and putting them into quarantine, or rejecting them outright. Most people do not have any of these protections on their personal email accounts, so those accounts are more vulnerable to cyber attack, potentially resulting in the loss of critical data.
What can you do about it?
If you’re running an organisation, you need to dissuade people from using their personal email accounts for business matters. This is best achieved through a combination of education and training, and making it easy for your people to use their business email when they are working remotely.
In today’s post-Covid business environment, it’s more likely that you will have a significant number of people working remotely all or some of the time. So getting your systems and your people in order will help everyone to work efficiently and productively without compromising your security.
Our top tips for managing this problem are:
- Use secure systems – like Microsoft Teams, for example – that allow your staff to communicate and access files safely, from wherever they are working.
- Educate your people – give people a clear understanding about why using personal email is dangerous for your organisation. The better they understand the risks, the less likely they will be to use their own email.
- Consider behavioural training – we learn best when we do things. So rather than using ‘talking’ training, it’s worth considering training where people are actually changing online behaviour. This will give you greater confidence in the way your employees approach cyber security and will keep your business safer whether people are working from the office or remotely.
You can find out more about Psybersafe’s easy, behaviour-changing online training by watching our cyber training video.