Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
Whether it’s done to work from home (or outside of office hours), to print something, or to get a second opinion from a spouse, most of us have sent “work stuff” to our personal email accounts. And, while we might think it’s harmless…it’s not.
At Tessian, we call these emails “unauthorized emails”.
These are emails sent to unauthorized, non-business contacts (personal email addresses or third-parties). While these emails could be innocuous, they could be an attempt to exfiltrate data.
In this article, we’ll explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.
Most of the time, employees send company data to their personal email addresses because they’re trying to get their job done and – well – it’s easier than the alternative.
Easier than accessing files through the corporate VPN, easier than digging out the randomly generated password to their work email for use at home, easier than printing off everything they need and taking it home with them. They send an email, go home, and the documents are ready and waiting.
Most of us can relate. 54% of employees say they’ll find a workaround if security policies or software make it difficult for them to do their job.
Unfortunately, there can be more nefarious reasons for sending company data to personal email accounts.
45% of employees say they’ve taken data with them before leaving or after being dismissed from a job.
Can you guess what the most common way of exfiltrating data is? Email.
Whatever the reason, employees send a lot more unauthorized emails than security leaders currently estimate. How many? At least 27,500 a year in organizations with 1,000 employees.
Most organizations have policies in place explicitly saying that employees can’t email company data to personal email accounts. That’s not because every single email to a personal account results in a data loss incident or breach.
It’s because when it does result in a data loss incident or a breach, the consequences can be far-reaching.
Check out this real-world example: In early 2017, an airline employee sent a spreadsheet containing approximately 36,000 employee records home so his wife could help with a formatting problem.
Based on data from the Ponemon Institute, this single spreadsheet may have cost the company as much as $5.7m.
It’s important that security leaders take a holistic approach to data loss prevention (DLP). We suggest you…
Make sure your employees know how to observe best data security practices and they understand how best to secure the data they work with, especially confidential data.
Top tip: Host refresher courses if necessary.
Try as much as possible to ensure that your employees don’t feel the need to send work to their personal emails.
Implement secure file storage platforms they can access from home (SharePoint, GSuite, etc.) or a corporate VPN so they can securely access the company network from anywhere.
You need to strike that happy middle ground between “easy to use but insecure” and “airtight but really disruptive”.
Choose email security platforms that offer complete protection against unauthorized email before it becomes a problem, instead of being left scrambling for a solution in the aftermath.
Find a solution that tracks and logs attempts to send data to a personal email address, and use the metrics to open a conversation with employees about data protection.
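The last two suggestions above come down to detecting and measuring outbound mail to personal accounts. The script below is an added example (written for this article, not Tessian's product code or any real mail gateway's log format) of what that tracking looks like in practice: it parses a constructed set of outbound-mail log lines, classifies each recipient domain as internal, external business, or consumer webmail, flags the webmail ones, notes whether an attachment was involved and whether the recipient looks like the sender's own personal address (the "send it home" pattern), and rolls the results up per sender so the numbers can start the conversation the article recommends. The log format, the domain lists and the self-addressed heuristic are all assumptions; replace them with your own gateway's fields and an allowlist of approved external domains.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample outbound-mail log lines (assumed format, not from any real gateway).
SAMPLE_LOG = """\
2024-03-04T17:52:10Z from=alice.chen@example-corp.com to=alice.chen@gmail.com attach=payroll_q1.xlsx size=214000
2024-03-04T17:55:31Z from=bob@example-corp.com to=procurement@partner-supplier.com attach=po-1182.pdf size=88000
2024-03-04T18:01:04Z from=alice.chen@example-corp.com to=dave@example-corp.com attach=- size=2100
2024-03-04T18:20:45Z from=carol@example-corp.com to=carol.smith@hotmail.com attach=- size=1500
2024-03-04T19:03:12Z from=alice.chen@example-corp.com to=achen99@yahoo.com attach=customers.csv size=512000
"""

# Assumed domain lists: your own corporate domains and common consumer webmail providers.
CORPORATE_DOMAINS = {"example-corp.com"}
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com",
                   "icloud.com", "protonmail.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attach=(?P<attach>\S+) size=(?P<size>\d+)$"
)


@dataclass
class Event:
    ts: str
    sender: str
    recipient: str
    attachment: Optional[str]   # None when the log shows "attach=-"
    size: int
    category: str               # "internal", "external" or "personal"
    self_addressed: bool        # recipient looks like the sender's own personal mailbox


def classify_recipient(addr: str) -> str:
    """Bucket a recipient by domain: corporate, known webmail, or other external."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    if domain in WEBMAIL_DOMAINS:
        return "personal"
    return "external"


def _normalize_local(addr: str) -> str:
    # Keep only letters so "alice.chen" and "alicechen" compare equal.
    return re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())


def looks_self_addressed(sender: str, recipient: str) -> bool:
    """Heuristic (assumption): the local parts match or one contains the other."""
    s, r = _normalize_local(sender), _normalize_local(recipient)
    return s == r or (len(s) >= 4 and s in r) or (len(r) >= 4 and r in s)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attach = None if m["attach"] == "-" else m["attach"]
    return Event(m["ts"], m["from"], m["to"], attach, int(m["size"]),
                 classify_recipient(m["to"]), looks_self_addressed(m["from"], m["to"]))


def severity(e: Event) -> str:
    """Rank a flagged event: attachment to a personal mailbox is the case the article warns about."""
    if e.category != "personal":
        return "none"
    if e.attachment:
        return "high"
    return "medium" if e.self_addressed else "low"


def analyze(log_text: str) -> dict:
    """Flag mail to personal accounts and summarize it per sender for a follow-up conversation."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = [e for e in events if e.category == "personal"]
    return {
        "total": len(events),
        "flagged": flagged,
        "per_sender": Counter(e.sender for e in flagged),
        "with_attachment": [e for e in flagged if e.attachment],
        "severity": {e.ts: severity(e) for e in flagged},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['flagged'])} of {report['total']} outbound messages went to personal accounts")
    for sender, n in report["per_sender"].most_common():
        print(f"  {sender}: {n}")
    for e in report["flagged"]:
        print(f"  {e.ts} {e.sender} -> {e.recipient} attach={e.attachment} severity={severity(e)}")
```

Running it on the constructed log flags three of the five messages, two of them carrying attachments from the same sender. The external business recipient is not flagged, which is the point of keeping an allowlist of partner domains separate from the webmail list: the goal is to notice the "send it home" pattern, not to alarm on every external email.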