What happens when individuals use personal accounts such as Hotmail, Gmail or Yahoo for business-related emails?

Personal email accounts are not subject to security backup or archiving, as they exist outside of the IT department’s control. Using them for business purposes is therefore a clear infringement of compliance regulations, apart from the innate risks associated with it.

What are the valid risks of using a personal account for business?

Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control, anywhere in the world.  And a personal email account is not covered by your company’s security policies. Your employee may have agreed to Gmail’s Terms and Conditions (which allow for email content searches), but your company didn’t.

You may have a good data privacy policy in place—but personal email accounts can bypass it with one click of the “Send” button.

Personal emails are not discoverable

Google, for example, prohibits external scanning of users’ emails, meaning the company will have to instruct the user to scan his or her own email, and runs a big risk in doing so. If an employee is using a personal email account to send business-related email from a company device, it doesn’t necessarily mean the organization has the right to search those emails.

There is also a corporate risk to be considered

There are a number of other ways in which using personal accounts for business purposes generates corporate risk. Allowing employees to use personal email for work poses serious risks of IP theft, loss of company privacy or violation of customer privacy, and disruption of network operations due to exploits that can run on computers not secured by your internal policies.

Using personal email compromises company secrets and potentially exposes company correspondence to uncontrolled mining and searching.  Virtually all personal accounts can be subject to legal (and in some cases questionable) collection and searching by various security agencies.

Continuity can be a big issue – what if this employee leaves the company?  Those emails leave with that individual – along with any relevant information, making future searches more challenging.

It’s not just email that is the problem. Employees might use a personal email address to set up any number of functions critical to your company’s day-to-day operations, for example web hosting accounts or domain purchases. The employee’s personal email address then becomes the owner of the account, so if that employee leaves, you may have a difficult time taking ownership of the assets they set up on the company’s behalf.

The solution might be obvious but companies still need to reinforce it

First and foremost, setting strict policies against the use of personal email for business is the only course of action. But despite all the reasons why company business should only be done through company email, users will still take the path of least resistance and use whatever email is most straightforward for them.

Companies can be proactive and ensure that remote or field employees can easily access company email systems using their own devices. Webmail interfaces are easy to set up, and any compliance capture will see and preserve those emails even when sent from a home PC, laptop, smartphone or tablet.

Logix Infosecurity offers a number of Messaging & Collaboration and Security Solutions to help organizations centralize and control their business data and minimize corporate and legal risk.