Using personal accounts to conduct work business is often a very bad idea for both security and accountability reasons. Last week, the former UK Health Secretary, Matt Hancock, came under fire for using his personal email and WhatsApp accounts to exchange messages for official business. This was potentially in breach of government guidelines and led to accusations of cronyism over his personal communications with a recipient of a government contract during the pandemic.
Leaving aside the important issues of transparency and accountability, when it comes to electronic communications, what are the security risks of allowing staff to use personal accounts to conduct their professional business?
Personal accounts are outside of the corporate IT department’s control, meaning they are not subject to the same backup, audit and security controls. Below are some of the key reasons why businesses should make users aware of the need not to mix business with pleasure.
Multi-factor authentication cannot be enforced
One of the major security risks for most businesses is that of business email compromise (BEC) fraud, where attackers gain access to email accounts to hijack conversations and deceive participants to divert payments to the criminals’ bank accounts. Multi-factor authentication (MFA), where accounts are secured by more than just a password (for example by a code generated by an authenticator app, or SMS), is a key way by which businesses can protect emails. MFA can also protect against extortion stemming from access to sensitive corporate or personal data held in email messages.
If employees are using personal webmail accounts, such as Gmail or Hotmail, there is no way for IT security departments to ensure that they are using MFA, thereby increasing the risks of compromise and resultant fraud.
Personal accounts may let through malicious messages
Corporate IT security teams often use “email gateways”, software which can inspect, quarantine or reject incoming or outgoing messages to reduce the risks of malware infection, phishing or fraud. While some personal email services have security heuristics to identify malicious messages, there is no way for security teams to understand how these are configured and they may not be as effective as those controls implemented by security teams who have better knowledge of the threats faced by their business.
This means that users of personal email accounts may be more exposed to other security risks: their computers may be compromised by malware, or they may be tricked into handing their passwords to criminals, who can then use them in attacks against their employers.
Personal email accounts cannot be easily investigated in the event of a security incident
If a security incident occurs, corporate email can provide IT security teams with the ability to inspect logs, gain access to email accounts and take actions to secure them. Logging can show which IP addresses have accessed the mailbox, helping to identify unauthorised access or access attempts. Security teams can also delete suspicious or malicious emails from users' accounts, removing potential threats. Corporate IT departments can also view which emails have been sent, received and deleted, and whether any auto-forwarding rules have been set up, all typical tactics used by attackers.
Personal email accounts are controlled only by the employee themselves and are often harder to investigate, meaning that corporate security teams can do little to secure the employee, and by extension the business, if an attack involves such an account.
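As an added illustration (not code from the article), the following Python script triages a constructed mailbox audit log for two of the indicators discussed above: mailbox logins from IP addresses outside known corporate ranges, and newly created inbox rules that auto-forward to an external address. The log format, field names, corporate domain and IP ranges are assumptions made for this example.

```python
# Added example: triage a constructed mailbox audit log for the BEC indicators
# the article names (logins from unfamiliar IPs, new auto-forwarding rules).
# Log format, field names, domain and IP ranges are assumptions for illustration.
import ipaddress
import json

CORPORATE_DOMAIN = "example.com"  # assumed; forwarding inside this domain is allowed
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office/VPN egress

# Constructed sample: one JSON object per line, as a corporate audit export might provide.
SAMPLE_LOG = """
{"ts": "2021-06-21T08:02:11Z", "user": "a.smith@example.com", "event": "MailboxLogin", "ip": "203.0.113.45"}
{"ts": "2021-06-21T23:41:07Z", "user": "a.smith@example.com", "event": "MailboxLogin", "ip": "198.51.100.77"}
{"ts": "2021-06-21T23:43:52Z", "user": "a.smith@example.com", "event": "New-InboxRule", "ip": "198.51.100.77", "forward_to": "a.smith.invoices@webmail.example"}
{"ts": "2021-06-22T09:15:00Z", "user": "b.jones@example.com", "event": "New-InboxRule", "ip": "203.0.113.12", "forward_to": "shared-mailbox@example.com"}
"""


def is_known_ip(ip):
    """True if the address falls inside one of the known corporate networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def is_external(address):
    """True if the recipient domain is not the corporate domain."""
    return address.split("@")[-1].lower() != CORPORATE_DOMAIN


def triage(log_text):
    """Return (user, reason) findings for logins from unfamiliar IPs and external auto-forwards."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "MailboxLogin" and not is_known_ip(ev["ip"]):
            findings.append((ev["user"], f"login from unfamiliar IP {ev['ip']}"))
        if ev["event"] == "New-InboxRule" and is_external(ev["forward_to"]):
            findings.append((ev["user"], f"auto-forward to external address {ev['forward_to']}"))
    return findings


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_LOG):
        print(user, "-", reason)
```

Checks of this kind are only possible because the corporate mailbox produces an audit trail the security team can read; a personal webmail account offers no equivalent feed.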
What are the legal risks?
Businesses which allow employees to use personal accounts also have no control over where the data is stored, meaning that they have no way of knowing where their data is. Furthermore, when registering, webmail users also agree to those providers’ terms and conditions, which may stipulate that content can be searched by third parties.
Organisations which need to comply with, and respond to, data subject access requests under the UK General Data Protection Regulation (UK GDPR), or which are required to disclose data as part of a legal case, need to have oversight of and be able to access all relevant data, regardless of where it is. Failure to comply with UK GDPR can result in legal claims, regulatory investigations and fines. Failure to adequately disclose in civil proceedings can amount to contempt of court. This can have serious repercussions, including adverse costs orders, dismissal of a claim or a judgment made against a party.
What can businesses do to ensure control over communications?
To reduce the risks outlined above, businesses should ensure that they have published and clearly communicated appropriate usage policies around employee use of corporate and personal email accounts and other modes of communication, including instant messaging services like WhatsApp.
Furthermore, to reduce the risk of attacks against businesses which involve the compromise of personal accounts, employees should be advised on how to secure and increase the privacy of their personal digital footprint as part of regular data protection and IT security training. This includes how to secure personal email and other online accounts, such as social media or cloud storage, with MFA; how to review privacy settings; and the use of long, complex and unique passwords and, where appropriate, password managers.
To ensure that employees are not forced to use personal email for work-related activities, businesses should ensure that employees can always access their corporate communications systems, particularly when travelling.
MDR Cyber and Mishcon de Reya use technical, procedural and legal methods to provide legally enhanced incident response services. We help businesses prepare for and recover from cyber-attacks, including making financial recoveries. To find out more, visit mishcon.com/services/cyber.