Across all industries, people routinely send work from their corporate email account to their personal account to more easily work from home, or outside of office hours. On the surface, this may not pose any great threat to your organization, be it because your employees are careful, or because the data they handle isn’t sensitive enough.
The main reason employees send work home is that it’s easier. Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.
In earlier 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem. Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m.
While bad practice, a security breach like this (because it doesn’t have to be damaging, or even publicized to constitute a breach) will most of the time not result in damage or require clean up, but the one time it does, the financial and reputation risk can be high.
There is also the possibility that disgruntled employees may deliberately send information to their personal email to more easily disseminate it to competitors or the press, as happened in 2016. A former employee at a UK law firm was pronounced liable by the ICO and prosecuted under the Data Protection Act for sending confidential client data to their personal account, which they hope to use as leverage in their new role at a rival company.
Loss of data through personal email could mean:
• Breach of contracts or non-disclosure agreements
• Loss of IP and proprietary research
• Breach of data protection regulations
• Heavy fines imposed by regulators and clients (GDPR, in particular will greatly increase fines for all manner of data breaches)
In brief: something as seemingly insignificant as sending sensitive company data to a personal email account can be devastating.
“Nearly 75% of office employees send work files to a personal email account, a majority of whom say it’s because they prefer using their own computer, while 14% say it’s because it’s too much work to bring their work laptop home.”
Make sure your employees know how to observe best data security practices. Make sure they understand how best to secure the data they work with, especially confidential data, and ensure they adhere to company data security policies, hosting refresher courses if necessary. The ICO has released some posters to help you on your way.
Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails. Implement secure file storage platforms they can access from home (SharePoint, GSuite, etc) or a corporate VPN so they can securely access the company network from anywhere. You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.
Choose email security platforms that offer the most complete protection against sending to unauthorized email accounts before it becomes a problem, instead of being left scrambling for a solution in the aftermath. Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
