Onboarding typically includes signing an employee handbook that includes acceptable technology usage policies and guidelines. Details often contain policy restrictions regarding unacceptable email usage. They usually state that email should only be used for business correspondence and not for personal correspondence.
Is it acceptable to use your work email address to complete a transaction or should you use your personal email if you travel frequently for work?
This question — and the aftermath of not making the right choice — can create a complex situation and security risk that most employers ignore. Sadly, they have no way to manage or mitigate the risk. Consider today’s real-world business scenarios:
1st Scenario
An employee uses the company email to register on an airline’s website. This address is used to log in and book flights or other travel arrangements.
When that employee later leaves and the mailbox is suspended, any notifications or future flight bookings remain tied to the suspended business email account. If your company auto-forwards a departed employee's mail to peers or managers, an identity theft risk has been created: one of the former employee's coworkers can simply select "forgot password" and own the account. This is especially true if there are no security questions or two-factor authentication. If the same email address is used for verification, the game is over.
Recommendation: Instead of allowing employees to book travel on their own using a corporate email account, organizations should enforce the use of an approved corporate travel service. Allow and encourage individuals to book travel using personal email accounts, even if they pay with a corporate credit card. It is their account.
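A defender can catch the first scenario before it becomes an incident by cross-checking the mail system's forwarding rules against the offboarding list, since a password reset sent to a suspended mailbox lands wherever that mailbox forwards. The following is an added example, not code from the original article; the forwarding rules and terminated-user list are constructed sample data standing in for an export from your mail platform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    mailbox: str      # the account the forwarding rule is configured on
    forward_to: str   # where inbound mail to that account is redirected


# Constructed sample data: addresses from the offboarding list and the
# forwarding rules currently active in the mail system.
TERMINATED = {"jdoe@example.com", "ASmith@example.com"}
RULES = [
    ForwardRule("jdoe@example.com", "manager@example.com"),
    ForwardRule("bwong@example.com", "bwong-backup@example.com"),
    ForwardRule("asmith@example.com", "sales-team@example.com"),
]


def risky_forwards(rules, terminated):
    """Return mailboxes of terminated users that still forward somewhere.

    Any such mailbox lets whoever receives the forwarded mail complete a
    'forgot password' flow for third-party accounts registered to it.
    Comparison is case-insensitive because address case varies between
    HR exports and mail-system exports.
    """
    term = {t.lower() for t in terminated}
    return sorted(r.mailbox for r in rules if r.mailbox.lower() in term)


if __name__ == "__main__":
    for mailbox in risky_forwards(RULES, TERMINATED):
        print(f"terminated mailbox still forwarding: {mailbox}")
```

Run this against a fresh export after every offboarding batch; a non-empty result means either the forwarding rule should be removed or the forwarded mail needs to be reviewed for third-party account notifications.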
2nd Scenario
Some employees use personal email for group correspondence, such as school correspondence.
Consequences for security: Receivers of forwarded emails may be exposed to highly personal information, possibly in violation of FERPA, HIPAA, or other regulations.
Recommendation: Corporate email addresses should only be used for business purposes. Leaving a corporate address on an external group can also create legal complications, especially when removing that address from the group is not simple.
Today, the lines between work and personal life are increasingly blurred, benefiting both employers and employees (more flexibility, higher productivity, etc.). Strict corporate email policies will only increase risk as employee turnover occurs and our reliance on electronic communication grows.
Organizations that support mobile devices should consider allowing personal email addresses for the same reasons. Employee termination policies must clearly define acceptable personal usage, when it is acceptable and when it is not.
3rd Scenario
Some organizations accept payments via PayPal or Apple Pay. Some employees (like marketing team members) require these services to do their jobs. Registering such a service under an individual user's corporate email address is not recommended; instead, create a group or alias address dedicated to that business purpose.
As with the first scenario, a personal account used for services can be used against an individual if they leave and cannot change their email address.
Recommendation: In these situations, a dedicated account name is preferred over an email address. Account owners can change their email addresses, but this option is risky if the account is shared. Inadequate privileged access controls and shared accounts remain a threat whenever an employee leaves.
4th Scenario
Most companies have an email address schema: first initial plus last name, or first name, dot, last name.
What happens when an employee leaves and a new employee starts with the same name or initials? Unsolicited email intended for the former employee may be received by the new employee. Depending on the new employee's role, that email may not be appropriate for them to see (e.g., PII and financials). As organizations grow, overlapping names and initials become increasingly likely.
Recommendation: Never use former employees’ email addresses for new employees. To avoid future issues, consider appending a number like “01” to new email addresses.
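The fourth scenario's recommendation only works if address allocation checks against every address ever issued, not just the currently active ones. The following is an added example, not code from the original article, showing an allocator that normalizes names to a schema, keeps a registry of all historical local-parts (active and former), and appends a two-digit suffix as the text suggests when a collision occurs. The domain, names and pre-populated registry are constructed sample values.

```python
import re
import unicodedata


def normalize(name):
    """Reduce a name to lowercase ASCII letters for use in a local-part.

    Accented characters are decomposed and the accents dropped so that
    'José' and 'Jose' map to the same local-part and collide as they should.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def candidate_base(first, last, scheme="first.last"):
    """Build the schema-defined local-part before any collision suffix."""
    f, l = normalize(first), normalize(last)
    if not f or not l:
        raise ValueError("name yields no usable characters")
    if scheme == "first.last":
        return f"{f}.{l}"
    if scheme == "flast":
        return f"{f[0]}{l}"
    raise ValueError(f"unknown scheme: {scheme}")


def allocate_address(first, last, domain, reserved, scheme="first.last"):
    """Return a never-before-issued address and record it in `reserved`.

    `reserved` is the set of every local-part ever issued, including
    those of former employees; an address is never recycled, so mail for
    a departed employee cannot land in a newcomer's mailbox.
    """
    base = candidate_base(first, last, scheme)
    local = base
    n = 0
    while local in reserved:
        n += 1
        local = f"{base}{n:02d}"   # jane.doe01, jane.doe02, ...
    reserved.add(local)
    return f"{local}@{domain}"


# Constructed registry: "jane.doe" belonged to an employee who has left.
REGISTRY = {"jane.doe", "bwong"}

if __name__ == "__main__":
    print(allocate_address("Jane", "Doe", "example.com", REGISTRY))
    print(allocate_address("José", "Núñez", "example.com", REGISTRY, scheme="flast"))
```

The registry must be persisted and must never have entries removed during offboarding; deleting the mailbox is fine, but the local-part stays reserved.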