Another blog discussed how personal email addresses can make matters a mess for brokerage firms. However, this spells trouble in any type of business. Read more to learn why using personal email for work purposes is a bad move for business.
Loss of control of your data
When that employee resigns or is let go you can turn off all of their access to your corporate infrastructure. No more email, VPN or other access. All of those emails that they have received on their personal accounts over the years is still sitting in that account. Customer lists, client information, pricing, and other intellectual property. Out of your control and completely in theirs.
Let’s go back to the departing employee. What if he or she was the point person for some of your customers? If they made it a habit of communicating with the customer over personal email, you’ve got issues. Unless those customers are all notified that the employee has left, they are going to email that ex-employee when they need something. Even if they know that the employee has left, by having their email address, they are likely to contact that ex-employee if they have a good relationship with him or her.
Can’t spot theft
If someone is getting emails copied to their personal account, how do you spot what is business and what is theft? I’ve seen situations where employees regularly forward emails to their personal account under the guise of printing the information at home. I’ve also seen where other employees, vendors and clients also copy that individual’s personal account. Bad news during a forensic email investigation.
Using reasonable methods to protect your data
First a disclaimer, I’m not an attorney nor am I providing legal advice. What I’m about to say is based on my experience as a computer forensic expert. When a company is attempting to litigate a competitor or ex-employee over stolen IP, one of the things that they have to prove is that they’ve taken reasonable actions to protect their important data. Do you think that letting your employees send company data to their personal account is a reasonable action to protect that data? Didn’t think so.
If your company has not set up corporate email, it is about time. Some very inexpensive options can be created out there, including using Google Corporate Email. If your employees need to access email remotely, make it happen. VPN solutions and Outlook Web Application can facilitate that. If you open it to mobile devices, make sure that you control your company data existing on those devices. Applications such as Microsoft Exchange facilitate remote wiping of data should the employee be terminated or the device stolen. Encrypting the devices is also a must.
Work with counsel or HR to create a company policy that handles remote access of email and prohibits sending company email to personal accounts. Train your users, enforce the policy and monitor the policy’s effectiveness.
So in summary, monitor, identify and remediate use of personal email for business purposes. That way, when something goes wrong, you won’t be exclaiming “ye, Gods!”
Contact Vestige today for more information on forensic email investigations.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer
at Vestige Digital Investigations