
Unauthorized Emails: The Risks of Sending Data to Your Personal Email Accounts

  • 27 April 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

Whether it’s done to work from home (or outside of office hours), to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless, it’s not.

At Tessian, we call these emails “unauthorized emails”.

  • What is an unauthorized email?

    These are emails sent to unauthorized, non-business contacts (personal email addresses or third-parties). While these emails could be innocuous, they could be an attempt to exfiltrate data.

In this article, we’ll explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem. 

Why would an employee send company data to personal accounts?

It’s easier than following security policies 

Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative.

Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.

Most of us can relate. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job. 

Unfortunately, there can be more nefarious reasons for sending company data to personal email accounts.

They’re maliciously trying to exfiltrate data 

45% of employees say they’ve taken data with them before leaving or after being dismissed from a job. 

Can you guess what the most common way of exfiltrating data is? Email.

Looking for more information about insider threats? Check out these resources:

  1. What is an Insider Threat?
  2. Real-World Examples of Insider Threats
  3. Insider Threat Statistics 

Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees.

What consequences are associated with sending company data to personal accounts?

Most organizations have policies in place explicitly saying that employees can’t email company data to personal email accounts. That’s not because every single email to a personal account results in a data loss incident or breach. 

It’s because when it does result in a data loss incident or a breach, the consequences can be far-reaching.

Consequences include:

  • Breach of contracts or non-disclosure agreements
  • Loss of IP and proprietary research
  • Breach of data protection regulations
  • Heavy fines imposed by regulators and penalties claimed by clients (GDPR, in particular, provides for substantial fines for all manner of data breaches)
  • Lost customer trust, damaged reputation, and revenue loss 

Check out this real-world example: In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. 

Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m.

How can security leaders solve the problem?

It’s important security leaders take a holistic approach to data loss prevention (DLP). We suggest you…

1. Educate your workforce

Make sure your employees know how to observe best data security practices and they understand how best to secure the data they work with, especially confidential data.

Top tip: Host refresher courses if necessary.

2. Make secure access easy

Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. 

Implement secure file storage platforms they can access from home (SharePoint, G Suite, etc.) or a corporate VPN, so they can reach the company network securely from anywhere. 

You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.

3. Be proactive, not reactive

Choose email security platforms that offer complete protection against unauthorized email before it becomes a problem, instead of being left scrambling for a solution in the aftermath. 

Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
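As an added illustration of the “track and log” step, the script below is example code written for this article, not Tessian’s product or any vendor’s detection logic. It runs a small rule set over a few constructed mail-gateway log lines: recipients on the organization’s own domains or on an approved third-party list are ignored, recipients whose mailbox name resembles the sender’s own name are flagged as the employee mailing themselves, recipients on consumer webmail domains are flagged as personal, and anything else is flagged as an unapproved third party. It then rolls the flagged events up per sender, which is the metric you would bring to the conversation with employees. The domain lists, the key=value log format, the addresses and the 0.8 similarity threshold are all assumptions for the example.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Hypothetical organization: its own mail domains and the third parties it
# has approved for data sharing. Both sets are assumptions for this example.
CORPORATE_DOMAINS = {"example.com", "mail.example.com"}
APPROVED_THIRD_PARTIES = {"partner-law.example", "auditor.example"}

# Consumer webmail providers (illustrative subset; extend from your own data).
PERSONAL_WEBMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
    "outlook.com", "live.com", "icloud.com", "aol.com", "protonmail.com",
}

# Constructed gateway log lines in a key=value format (not real data and not
# any vendor's log format). Recipients are bare addresses, comma-separated.
SAMPLE_LOG = [
    'ts=2021-04-27T09:02:11Z from=jane.doe@example.com to=ops@example.com subject="Standup notes" attachments=0',
    'ts=2021-04-27T17:41:03Z from=jane.doe@example.com to=janedoe88@gmail.com subject="Q2 forecast" attachments=1',
    'ts=2021-04-27T11:15:27Z from=sam.lee@example.com to=counsel@partner-law.example subject="NDA draft" attachments=1',
    'ts=2021-04-27T18:05:49Z from=sam.lee@example.com to=lee.sam@outlook.com,ops@example.com subject="Payroll export" attachments=1',
    'ts=2021-04-27T12:30:00Z from=sam.lee@example.com to=alex.kim@yahoo.com subject="Photos" attachments=0',
    'ts=2021-04-27T13:12:38Z from=jane.doe@example.com to=recruiter@talent-agency.example subject="CV" attachments=1',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["attachments"] = int(fields.get("attachments", "0"))
    return fields


def _alpha(s):
    """Keep only letters, lower-cased: 'janedoe88' -> 'janedoe'."""
    return re.sub(r"[^a-z]", "", s.lower())


def looks_like_own_address(sender, recipient):
    """Heuristic: does the recipient mailbox look like the sender's own name?
    Catches 'jane.doe@corp' -> 'janedoe88@gmail.com' and reordered names such
    as 'sam.lee' -> 'lee.sam'. It will miss nicknames and unrelated handles."""
    s_local = sender.split("@", 1)[0].lower()
    s_core, r_core = _alpha(s_local), _alpha(recipient.split("@", 1)[0])
    if not s_core or not r_core:
        return False
    if SequenceMatcher(None, s_core, r_core).ratio() >= 0.8:  # assumed threshold
        return True
    # Reordered or re-punctuated names: every name token (3+ letters) reappears.
    tokens = [t for t in re.split(r"[^a-z]+", s_local) if len(t) >= 3]
    return bool(tokens) and all(t in r_core for t in tokens)


def classify_recipient(sender, recipient):
    """Label a recipient against the policy: internal, approved_third_party,
    personal_self, personal_other or unapproved_third_party."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in APPROVED_THIRD_PARTIES:
        return "approved_third_party"
    if looks_like_own_address(sender, recipient):
        return "personal_self"
    if domain in PERSONAL_WEBMAIL_DOMAINS:
        return "personal_other"
    return "unapproved_third_party"


def review_log(lines):
    """Return one flagged event per unauthorized recipient, in log order."""
    flagged = []
    for line in lines:
        ev = parse_log_line(line)
        sender = ev.get("from", "")
        for rcpt in filter(None, ev.get("to", "").split(",")):
            verdict = classify_recipient(sender, rcpt)
            if verdict in ("internal", "approved_third_party"):
                continue
            flagged.append({
                "ts": ev.get("ts"), "sender": sender, "recipient": rcpt,
                "verdict": verdict, "subject": ev.get("subject", ""),
                "attachments": ev["attachments"],
            })
    return flagged


def per_sender_counts(flagged):
    """Metrics for the follow-up conversation: flagged events per sender,
    and how many of them carried attachments."""
    events = Counter(e["sender"] for e in flagged)
    with_files = Counter(e["sender"] for e in flagged if e["attachments"])
    return {s: {"events": n, "with_attachments": with_files[s]} for s, n in events.items()}


if __name__ == "__main__":
    flagged = review_log(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ts"]} {e["sender"]} -> {e["recipient"]}: {e["verdict"]} ({e["attachments"]} attachment(s))')
    print(per_sender_counts(flagged))
```

Two caveats a practitioner should keep in mind. The name-similarity rule is a heuristic: it will raise a false positive when an employee legitimately writes to a namesake at a customer, and it will miss a personal account under an unrelated handle, so treat “personal_self” as a prompt for a conversation rather than proof of exfiltration. The domain lists also need maintaining; a recipient on an unlisted webmail or vanity domain falls through to “unapproved_third_party”, which is the right default for a deny-by-exception policy but will generate noise until the approved list reflects how the business actually works.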
