Whether it’s done to work from home, to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not.
At Tessian, we call these emails “unauthorized emails”.
What is an unauthorized email?
These are emails sent to unauthorized, non-business contacts (personal email addresses or third parties). While many of these emails are innocuous, some are attempts to exfiltrate data, and from the outside the two can look identical.
In this article, we’ll explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.
Why would an employee send company data to personal accounts?
It’s easier than following security policies
Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative.
Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.
Most of us can relate. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job.
Unfortunately, there can be more nefarious reasons for sending company data to personal email accounts.
They’re maliciously trying to exfiltrate data
45% of employees say they’ve taken data with them before leaving or after being dismissed from a job. Can you guess what the most common way of exfiltrating data is? Email.
Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees.
What consequences are associated with sending company data to personal accounts?
Most organizations have policies in place explicitly saying that employees can’t email company data to personal email accounts. That’s not because every single email to a personal account results in a data loss incident or breach.
It’s because when it does result in a data loss incident or a breach, the consequences can be far-reaching.
- Breach of contracts or non-disclosure agreements
- Loss of IP and proprietary research
- Breach of data protection regulations
- Heavy fines from regulators and contractual penalties from clients (GDPR, in particular, allows fines of up to €20 million or 4% of global annual turnover, whichever is higher)
- Lost customer trust, damaged reputation, and revenue loss
Check out this real-world example: In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records to a personal email account so his wife could help with a formatting problem.
Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m.
How can security leaders solve the problem?
It’s important security leaders take a holistic approach to data loss prevention (DLP). We suggest you…
1. Educate your workforce
Make sure your employees know the data security practices expected of them and understand how to protect the data they work with, especially confidential data. Top tip: Host refresher courses if necessary, and tell people what the sanctioned alternative to “just email it home” is.
2. Ease of access
Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, G Suite, etc.) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”; the 54% who will find a workaround are the reason the second option fails too.
3. Be proactive, not reactive
Choose an email security platform that detects unauthorized emails before they become a problem, instead of being left scrambling for a solution in the aftermath. At a minimum, find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection. Logging alone won’t stop the exfiltration case, but it turns “we think this happens” into a number you can act on.
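To make the “track and log” step concrete, here is an added example of the kind of detection logic such a tool runs over outbound mail records. It is not Tessian’s code or any vendor’s; the log format, the corporate domain `example-corp.com`, the partner allowlist, the webmail domain list and the log lines themselves are all constructed for this example. It classifies each recipient as internal, partner, personal webmail or unlisted external, flags the cases the article discusses (an employee mailing a personal address, especially one that looks like their own, or attaching files to an unknown external domain) and rolls the alerts up per sender so there are metrics to start that conversation with.

```python
"""Added example (not from Tessian): flag outbound mail to unauthorized,
non-business recipients and summarize it per sender.
All domains, allowlists and log lines below are constructed for this demo."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CORPORATE_DOMAIN = "example-corp.com"            # assumed corporate domain
PARTNER_DOMAINS = {"lawfirm-partner.com"}         # assumed contracted third parties
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com",
                   "yahoo.com", "icloud.com", "protonmail.com"}

# Constructed log format:  <ts> <sender> -> <recipient> attach=<n> subj="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sender>\S+) -> (?P<rcpt>\S+) '
    r'attach=(?P<attach>\d+) subj="(?P<subj>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    sender: str
    recipient: str
    reason: str
    attachments: int


def recipient_class(addr: str) -> str:
    """Bucket a recipient address by its domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == CORPORATE_DOMAIN:
        return "internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    if domain in WEBMAIL_DOMAINS:
        return "webmail"
    return "external"


def looks_like_self_send(sender: str, rcpt: str) -> bool:
    """Heuristic: the sender mailing themselves at a personal address,
    e.g. jane.doe@example-corp.com -> jane.doe87@gmail.com.
    Name tokens shorter than three characters are ignored to cut noise."""
    s_local = sender.split("@")[0].lower()
    r_local = rcpt.split("@")[0].lower()
    tokens = [t for t in re.split(r"[._-]", s_local) if len(t) >= 3]
    return any(t in r_local for t in tokens)


def analyze_line(line: str) -> Optional[Alert]:
    """Return an Alert for an unauthorized outbound email, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # unparseable line: skip, don't guess
    sender, rcpt = m["sender"], m["rcpt"]
    if not sender.lower().endswith("@" + CORPORATE_DOMAIN):
        return None                      # inbound mail is out of scope here
    cls = recipient_class(rcpt)
    attach = int(m["attach"])
    if cls in ("internal", "partner"):
        return None                      # sanctioned destinations
    if cls == "webmail" and looks_like_self_send(sender, rcpt):
        reason = "self-send to personal webmail"
    elif cls == "webmail":
        reason = "personal webmail recipient"
    elif attach > 0:
        reason = "attachment to unlisted external domain"
    else:
        return None                      # plain text to an unknown domain: ordinary business mail
    return Alert(m["ts"], sender, rcpt, reason, attach)


def analyze_log(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (analyze_line(l) for l in lines) if a]


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Alerts per sender: the metric you bring to the conversation."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.sender] = counts.get(a.sender, 0) + 1
    return counts


# Constructed sample log (no real people or organizations)
SAMPLE_LOG = [
    '2023-03-01T17:58:02Z jane.doe@example-corp.com -> jane.doe87@gmail.com attach=1 subj="Q1 payroll spreadsheet"',
    '2023-03-01T18:01:10Z jane.doe@example-corp.com -> accounts@lawfirm-partner.com attach=1 subj="Contract draft"',
    '2023-03-01T18:05:44Z bob.lee@example-corp.com -> newsletter@vendor-news.io attach=0 subj="Re: unsubscribe"',
    '2023-03-01T18:09:31Z bob.lee@example-corp.com -> hr@example-corp.com attach=2 subj="Timesheets"',
    '2023-03-01T18:12:05Z alice.ng@example-corp.com -> friend.person@yahoo.com attach=0 subj="lunch?"',
    '2023-03-01T18:20:17Z alice.ng@example-corp.com -> drop@unknown-host.xyz attach=3 subj="files"',
    '2023-03-01T18:25:00Z outsider@gmail.com -> jane.doe@example-corp.com attach=1 subj="invoice"',
]

if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.sender} -> {a.recipient}: {a.reason} ({a.attachments} attachment(s))")
    print("per-sender:", summarize(found))
```

Two design points worth noting. The partner allowlist is what keeps this from being a blanket “no external mail” rule, which is the kind of policy the 54% route around; and the self-send heuristic is deliberately a separate reason so that the most common benign case (working from home) and the exit-interview exfiltration case can be triaged differently even though both land in the same bucket of “company data to a personal account”.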