How dangerous is it to use work email addresses for personal accounts?
Cyber attacks can come through many avenues; the blame doesn't lie solely with employers or solely with employees. One route we have repeatedly seen lead to attacks and data breaches is employees using their work email addresses for online accounts that have nothing to do with work.
We all need to understand why using your work email address for accounts outside your organisation is a risk, and how that one decision can end in sensitive company data being leaked.
As a sole trader or freelancer, keeping a separate work email address is harder when you work from your personal devices. If you have to mix the two, make sure those devices lock with a PIN or biometric, and that every online account is protected with a strong, unique password and multi-factor authentication.
Using work email accounts for personal sign-ups gives attackers another route into your business, and it is one you have no control over: the third-party service decides the password rules, whether multi-factor authentication is offered and how it protects its user data. It also ties the employee's personal life to their work identity, handing anyone who obtains that data a ready-made profile for targeting the individual or the business.
Scenario: Hacked social media account which uses a work email address
An employee uses their work email address to sign up for a personal Facebook account. The account has a weak password and two-factor authentication (2FA) is not enabled. The account is hacked, and the employee's personal information, conversations and images are then leaked on the dark web, alongside the work email address they registered with.
What is the potential risk to the employer?
Sensitive data exposure - Information relevant to company projects/campaigns could now be available on the dark web.
Harmful PR / Reputational damage - With a data breach, the company could face headlines in the local/national media, which could strain essential business relationships and affect the company's confidence with customers, investors and other stakeholders.
Leaked images of the work environment showing the technologies/equipment used by the company - these give attackers a head start on reconnaissance, letting them research known vulnerabilities in the specific products in use.
GDPR / Data breach reporting to the ICO - if the leaked data includes personal data the company is responsible for, UK GDPR requires the company to report the breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. A substantial financial penalty is a possible consequence.
Time cost - your IT department will have to investigate, reset the employee's work credentials and may need to issue a new email address. The employee should also undertake further security awareness training to improve their cyber resilience.
Spoofing - attackers now hold a confirmed, working work email address and may pose as the employee, by spoofing the address or by phishing from a look-alike one, to contact clients, partners or colleagues.
What is the risk to the employee?
Personal information is now available on the dark web - other criminals may use it for social engineering, for example convincing phishing emails or password-reset attempts against your other accounts.
Loss of Job / Breach of contract / Reputational damage - this data breach could result in the termination of your employment.
Time cost - you will need to contact existing internal/external contacts to inform them of your change of email address.
What could you do to mitigate the impact of this incident?
Report this incident to the relevant department of your employer - it’s crucial an incident like this isn’t ignored, or the consequences could be magnified.
Review your other accounts for potential data breaches and remove/delete any non-work-related accounts that use your work email address. (Check Haveibeenpwned to see whether your email address or phone number has appeared in a breach.)
Change the passwords on any remaining accounts registered with your work address, starting with any that shared a password with the compromised account, and enable multi-factor authentication where it is offered.
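The two review steps above, turned into a small script. This is an added example for this page, not code from the original article or from Have I Been Pwned. It assumes the field names of the HIBP v3 "breachedaccount" JSON (Name, BreachDate, DataClasses, IsVerified, IsSpamList); the breach records and the password-manager export it works on are constructed samples, not real data. Calling the live API needs an API key and a network connection, which this offline example deliberately leaves out.

```python
"""Triage breach records for an address and list sign-ups that used the work domain.

Added example (not the article's or HIBP's own code). Assumes the HIBP v3
'breachedaccount' JSON shape; all sample data below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample shaped like an HIBP v3 breachedaccount response (not real output).
SAMPLE_HIBP_RESPONSE = json.dumps([
    {"Name": "ExampleSocial", "BreachDate": "2023-05-01", "IsVerified": True, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Passwords", "Private messages", "Photos"]},
    {"Name": "ExampleForum", "BreachDate": "2019-11-12", "IsVerified": True, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Usernames", "Phone numbers"]},
    {"Name": "ExampleSpamList", "BreachDate": "2021-02-20", "IsVerified": False, "IsSpamList": True,
     "DataClasses": ["Email addresses"]},
])

# Exposure of any of these means the credential must be rotated now.
CREDENTIAL_CLASSES = {"Passwords", "Password hints", "Security questions and answers", "Auth tokens"}
# Exposure of these feeds social engineering against the person or their employer.
PERSONAL_CLASSES = {"Private messages", "Photos", "Phone numbers", "Physical addresses",
                    "Dates of birth", "Employers", "Job titles"}


@dataclass(frozen=True)
class Finding:
    breach: str
    date: str
    action: str               # "rotate-credentials", "review-exposure" or "info"
    exposed: tuple[str, ...]


def triage_breaches(raw_json: str) -> list[Finding]:
    """Turn breach records into prioritised actions.

    Credential exposure comes first (rotate even if the breach is unverified,
    rotation is cheap), then personal-data exposure, then address-only listings
    such as spam lists. Within each group the newest breach is listed first.
    """
    rank = {"rotate-credentials": 0, "review-exposure": 1, "info": 2}
    findings: list[Finding] = []
    for rec in json.loads(raw_json):
        classes = set(rec.get("DataClasses", []))
        if classes & CREDENTIAL_CLASSES:
            action = "rotate-credentials"
        elif rec.get("IsSpamList") or not classes & PERSONAL_CLASSES:
            action = "info"
        else:
            action = "review-exposure"
        findings.append(Finding(rec["Name"], rec.get("BreachDate", ""), action, tuple(sorted(classes))))
    findings.sort(key=lambda f: f.date, reverse=True)   # newest first ...
    findings.sort(key=lambda f: rank[f.action])         # ... within each action group
    return findings


# Constructed sample of a password-manager export: (service, login email).
SAMPLE_ACCOUNTS = [
    ("facebook.com", "alice.smith@example-company.co.uk"),
    ("Facebook.com", "ALICE.SMITH@Example-Company.co.uk"),   # same account, different casing
    ("github.com", "alice.smith@example-company.co.uk"),
    ("personal-bank.example", "alice.personal@example.net"),
]
# Services the employer sanctions for use with a work address (assumed list).
WORK_SERVICES = {"github.com"}


def accounts_to_migrate(accounts: list[tuple[str, str]], work_domain: str,
                        work_services: set[str]) -> list[str]:
    """Return non-work services registered with the work domain, deduplicated, case-insensitive."""
    domain = work_domain.lower()
    found = set()
    for service, email in accounts:
        _, _, email_domain = email.rpartition("@")
        if email_domain.lower() == domain and service.lower() not in work_services:
            found.add(service.lower())
    return sorted(found)


if __name__ == "__main__":
    for f in triage_breaches(SAMPLE_HIBP_RESPONSE):
        print(f"{f.action:20} {f.date}  {f.breach}: {', '.join(f.exposed)}")
    print("Move off the work address:", accounts_to_migrate(SAMPLE_ACCOUNTS, "example-company.co.uk", WORK_SERVICES))
```

The triage order matters more than the list itself: a breach that exposed passwords is the one to act on first, because the same password is likely reused elsewhere, while an address-only listing on a spam list mostly means more phishing to watch for.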
How can you prevent your work email address being exposed this way?
Do not use your work email address when signing up for any personal online accounts.
Train staff to understand the risks of sharing email addresses - whether that is sharing a mailbox between colleagues or mixing personal and work email accounts.
Set clear boundaries with employees about what work email addresses can be used for.
Work devices should only be used for work activities, and the relevant security measures should always be adhered to.
If your business wants to strengthen your resilience to online crime, talk to us about training your staff. Our membership and training packages are designed and delivered by cyber experts with the most up-to-date information in an ever-changing cyber landscape. In addition, Security Awareness Training is a great way to prevent and mitigate the risk of cyber attackers tricking or scamming your staff.