Several readers asked Paul Comfort, Chi’s Lead Engineer, to follow up his November 2018 Company Email vs Personal Email article with his thoughts on forwarding company email to a personal account.
If you have a tech or corporate question you’d like Paul to address either personally or as a future blog, please reach out to him at firstname.lastname@example.org.
When I wrote about the dangers of using your company’s email address as your personal address, the dangers were pretty balanced between the business and the personal risks. Setting up a rule to forward all email to a personal account is much worse in many ways, and the risk falls squarely on the shoulders of the business. For this reason, many companies have disabled the ability altogether. For those of you who have not yet done this, here are some compelling reasons to block your users from doing this immediately.
1. There is no reason it is necessary. Your users may see this as a convenience, but there is not one valid reason why this needs to be done. If you don’t allow your employees access to their email when away from the office, then you should never allow this because it is even worse.
2. It is not secure. Yahoo email accounts were breached for years without notification to their users. Even if accounts are not widely breached, you have no guarantee that only your one employee has access to your business email.
3. Sensitive email gets shared. Most company emails are benign, but every now and then sensitive email is sent by accident or sent on purpose. When emails are all on the same server, some people feel comfortable emailing passwords, social security numbers, and other sensitive information.
4. Your users may respond to business emails from their personal account. In this scenario, suddenly email addresses from Yahoo and Gmail show up on your work email chains and to your business partners. When people reply to those emails, the business is missing out on part of the conversation. It also looks very poor to outsiders for a business person to be using a Gmail or a Yahoo address to conduct business.
5. Liability issues. Combined with the previous point, this opens you up to issues with eDiscovery where certain things may have been emailed that you are now under obligation to produce, but you now have no record. An entity bringing a lawsuit can produce whatever data they want, and you might have no defense. Or you may not be able to hold a supplier to agreed-upon details.
6. Malicious actors within your organization can exploit others. All it takes is for someone to walk away from their computer for a few minutes with the screen unlocked and a rogue employee could create a forwarding rule to an off-premise throwaway email account. Many users do not even know rules exist, and the ones that do never think to check them periodically. Have users using OWA from shared PCs? Same problem, but with people outside your organization.
7. It can hurt your reputation score with email providers and spam engines. If your user reports an email as spam that was forwarded from your work address, whether or not it was actually spam, your email server’s headers are included in that spam report. As a general practice, email users should never report as spam any email that was forwarded to them by someone they know for this reason, but how many of them actually know this?
Fortunately, combating this is fairly easy. Create a policy that prevents auto-forward rules to off-site email addresses. Office 365 and Exchange make this pretty simple. Other services may vary, but most business email providers do allow for this. If your users complain, hopefully, the information above will help convince people who have a stake in the business from taking that policy down.