As administrators we sometimes have to deal with as many user issues as we do technology issues. One of those issues is email. We may have employed great spam and phishing solutions from Mimecast and others, yet the users still receive that occasional email that makes it through our filters and causes issues. Surely you have heard the story of the employee who bought a stack of Apple gift cards for the “CEO” and sent the codes to the phisher. I have heard that story in first-hand reports, where it happened at their company, from at least a half-dozen people, and in second-hand reports more times than I can count. In spite of our best protections, people are always going to find a way to get through. Much of our exposure at work could be limited if the users would take a little more care with their email addresses. One of the best things you can do to minimize the amount of exposure your company gets is to use your company email address for company business only.
If you use your company email address for personal use yourself, hopefully this will be enough to convince you why that’s a terrible idea. Otherwise, hopefully you can find some arguments here to share with your staff or to improve your email posture in the face of unsafe employees.
There’s usually only one argument for using company email for your personal email: It is convenient. That is a weak argument in light of the consequences for that convenience. If you use your company’s email:
- Your personal email is archived per the company’s standards, potentially forever, and subject to eDiscovery searches and disclosures. If you don’t want your personal email to end up in a court filing, don’t use the company’s email.
- Your personal email should be private. Corporate email is not private. Administrators and other company officials must have access to your unencrypted email in order to provide the services they provide. Occasionally employees will get carried away with prying into the personal lives of other employees. That is not to say it is a routine thing at every business, but you take away the temptation if your business email is used for business only.
- It increases the amount of spam the company must deal with. By posting or registering with your company email address in forums and services, it gets on more and more lists and appears in more and more breaches. Verified corporate email addresses are valuable to people doing spear phishing and blind marketing (also known as unsolicited commercial email).
- It increases attacks against the company, and can lead to successful attacks. When a forum or online service is compromised, the username and password combinations found there are tried against other services. If a compromised account was registered with a corporate email address, attackers will immediately start trying that same password and derivatives of it against your corporate email account and other corporate assets. Password reuse is a big problem.
- It increases the amount of email the company must save. This increase in cost to the business can be significant. Storage costs are one thing, but backup costs, DR, archiving, eDiscovery searches, email migrations, and other efforts made harder by storing non-business email can significantly balloon the costs to the business.
- Your email and your intellectual property are not your own. Read your company policies. You will likely find that anything created, stored, or processed on company equipment is owned by the company. This means that the idea you had for a startup that you emailed to a friend can be taken and used by the business whose email you used.
- Job searching may be monitored. Some businesses pay attention to emails from job boards. If you don’t want your boss to know you are hunting, use a different email address. Even if you are not job hunting, you may receive these emails and raise concerns. When you do change companies, you have a lot of people to notify about your new email address, and you may lose emails sent to your old address.
- Your email is only as safe as the company hosting it. If you are let go or the company goes out of business, your email may be gone forever. If the company has any IT infrastructure failures or breaches, your email may be lost or exposed to unknown hackers.
- When you leave the company, even if you manage to take a copy of your personal email with you, a copy remains behind. It is common practice in many businesses to archive that email and make it available to your replacement(s). Deleting your email and emptying your trash is not enough since many businesses have backups or archiving that you can’t delete. Many businesses consider the email you accumulated to be an asset and will recover it if you delete it upon leaving.
- It gives you much-needed downtime. You need to be able to separate work from the rest of your life when you are on vacation, on holidays, or even when you are trying to go to sleep at night. However involved you are in your work around the clock, keeping your email in two buckets gives you the opportunity to decide when to take a break from work. It is a vital component of work-life balance.
Moving away from using company email for personal purposes:
- Finding the right email address and service is the most important thing. If you want to ensure portability and your own email address for life, purchase your own domain name. Pair your own domain name with a reputable service like FastMail, Office 365, GSuite, or ProtonMail.
- If you prefer free, find an email service whose terms of service are acceptable to you. Common services like Gmail, Yahoo! Mail, and Outlook.com are free, but come with advertising. Your information is sold or used by the company to provide advertising targeted at you. Stay away from smaller providers, or services constantly fighting privacy and security breaches, but realize that Yahoo also lost all their accounts in a series of breaches over several years’ time. Sometimes the big providers are also compromised. Generally, you get what you pay for with free.
- Pick an email address that is reasonable. Your email address shouldn’t be something you are embarrassed about. Often people use work email addresses simply because they don’t want to be crazysarah21@<freemailprovider>. Unless you plan to be crazy and 21 years old forever, pick something else. Maybe you missed out on first.last@<freemailprovider>, so consider your own domain name, or pick something else that is relevant but not embarrassing or too revealing about you, such as your age, birth year, etc.
- Stay away from ISP provided email addresses. ISP email is typically poorly run. They don’t make money on these services – they make money selling Internet access. They provide poor spam and phishing protection, sometimes low amounts of storage, and they don’t necessarily stay around forever. As soon as you move addresses or change your ISP or your ISP is acquired, you could lose that address.
- Get more than one address: for example, a throwaway email address that you can use for website registrations where you don’t want to receive promotional emails.
There are things businesses also need to do to facilitate this policy change and to mitigate the risk from employees who will not change:
- Make and publish a policy that clearly defines how corporate email is to be used.
- Allow access to email providers through your corporate web filter. There is a philosophy that says if you allow this your employees will waste too much time doing personal email. You, as an administrator, should always champion the idea that personnel problems should not be solved with technical solutions. If an employee is spending too much time checking their email instead of working, blocking their email won’t suddenly make them a star employee. They will just find something else besides work to occupy their time. Personnel productivity problems should be solved with management and HR, not IT.
- Enable credential reuse blocking if your firewall (Palo Alto, for example) provides the ability. This can prevent the reuse of your main credential on third-party sites, although it cannot stop every abuse.
- Some extreme measures after employing the above may involve actively blocking emails from domains that are clearly not related to your business.
- In some cases, it might be required for an employee to have a corporate email address that is given to a questionable site. Consider creating an additional email address or alias for those people so that messages received on that alias are clearly different.
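Before taking the more extreme step of blocking sender domains, it helps to measure the problem. The script below is an added example, not code from the original post: it reads a simplified, constructed mail delivery log, buckets each message by whether the sender is internal, on an assumed list of non-business domains, or something else, treats recipients with an assumed "ext-" alias prefix as the separate alias the last point describes, and lists the mailboxes receiving the most non-business mail so an administrator can follow up with policy and HR rather than with a filter. The domain names, alias convention, log format and threshold are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed values for this example; substitute your own domain and list.
CORPORATE_DOMAIN = "example.com"
NON_BUSINESS_DOMAINS = {"socialsite.example", "dealsmail.example", "gameforum.example"}
EXTERNAL_ALIAS_PREFIX = "ext-"   # assumed naming convention for "give this to questionable sites" aliases
FLAG_THRESHOLD = 3               # non-business messages per mailbox before we flag it

# Assumed log format: one recipient per line, a simplified MTA delivery log.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>\s+subject="(?P<subject>[^"]*)"$'
)

# Constructed sample log; the last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2024-05-01T08:01:10Z from=<billing@partner.example> to=<alice@example.com> subject="Invoice 1042"
2024-05-01T08:05:42Z from=<news@dealsmail.example> to=<alice@example.com> subject="50% off today"
2024-05-01T09:12:03Z from=<notify@socialsite.example> to=<alice@example.com> subject="You have 3 new likes"
2024-05-01T10:40:55Z from=<digest@gameforum.example> to=<alice@example.com> subject="Weekly digest"
2024-05-01T11:02:17Z from=<alerts@dealsmail.example> to=<ext-bob@example.com> subject="Your order shipped"
2024-05-01T11:30:00Z from=<hr@example.com> to=<bob@example.com> subject="Benefits enrollment"
2024-05-01T12:15:29Z from=<news@dealsmail.example> to=<bob@example.com> subject="Flash sale"
garbage line that does not match the format
"""


@dataclass(frozen=True)
class Message:
    ts: str
    sender: str
    rcpt: str
    subject: str


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it is malformed."""
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local else ""


def parse_log(text: str) -> list[Message]:
    """Parse the assumed log format, silently skipping lines that do not match."""
    msgs = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            msgs.append(Message(**m.groupdict()))
    return msgs


def classify(msg: Message) -> str:
    """Bucket a delivered message by how it relates to the company.

    'alias'        : delivered to a deliberately separate external-facing alias
    'internal'     : sent from our own domain
    'non-business' : sent from a domain on the non-business list
    'other'        : any other external sender (partners, customers, unknown)
    """
    rcpt_local = msg.rcpt.rpartition("@")[0].lower()
    if rcpt_local.startswith(EXTERNAL_ALIAS_PREFIX):
        return "alias"
    sender_domain = domain_of(msg.sender)
    if sender_domain == CORPORATE_DOMAIN:
        return "internal"
    if sender_domain in NON_BUSINESS_DOMAINS:
        return "non-business"
    return "other"


def summarize(messages: list[Message]) -> dict[str, Counter]:
    """Per recipient mailbox, count messages in each bucket."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for msg in messages:
        summary[msg.rcpt.lower()][classify(msg)] += 1
    return summary


def flagged_mailboxes(summary: dict[str, Counter], threshold: int = FLAG_THRESHOLD) -> list[str]:
    """Mailboxes receiving at least `threshold` non-business messages, busiest first."""
    hits = [(rcpt, c["non-business"]) for rcpt, c in summary.items() if c["non-business"] >= threshold]
    return [rcpt for rcpt, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for rcpt, counts in sorted(summary.items()):
        print(f"{rcpt:22} {dict(counts)}")
    print("Flagged for follow-up:", flagged_mailboxes(summary))
```

Mail to the "ext-" alias is counted separately rather than against the person, which is the point of issuing such an alias: the questionable site's traffic stays visibly apart from the main mailbox. Run against a real delivery log, the flagged list is a starting point for a conversation, not an automatic block.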