Author: Morey Haber, CTO, BeyondTrust
As part of onboarding, new hires typically sign an employee handbook that includes policies and guidelines for acceptable information technology usage. Within these details are often policy restrictions on unacceptable use of email. Typically, these policies state that email should be used only for official company business correspondence, and not for personal communications.
If you travel frequently for work, or are responsible for purchasing merchandise or services for your employer, is it acceptable to use your work email address, or should you use your personal email to complete the transaction?
This question, and what happens to those accounts after you leave the organization, creates a complicated situation and a security risk that most employers ignore entirely. Worse, few of them have any way to manage or mitigate it. Consider these real-life scenarios that organizations face today:
Using corporate email accounts as login for travel services
An employee creates an account on an airline’s website using the corporate email address. This address is used for authentication into the service and to book flights or other travel arrangements.
Potential security implications
After their employment ends, every notification and future booking for that airline account is tied to the suspended corporate mailbox. If the organization auto-forwards that mailbox to a peer or a manager, it has created an account-takeover vector: the co-worker now receiving the former employee's email can simply select "Forgot password" on the airline site and own the former employee's account. This is especially true if the account is not further protected by security questions or a second authentication factor, and even a security question is weak protection if its answer can be found in the same mailbox. If password-reset verification is tied back to the same email address, it is game over once the forwarded confirmation link arrives.
Recommendation
The most security-conscious way to handle this scenario is for the organization to enforce the use of an approved corporate travel service for booking flights, hotels, cars, etc., instead of allowing employees to book travel on their own with a corporate email account. If the business permits bookings outside the corporate service, permit (and recommend) that individuals use a personal email address for the booking, even when they pay with a corporate credit card. After all, it is their account.
Email address formats
Most organizations have an email address schema. Typical formats include first initial last name or first name dot last name.
Potential security implications
What happens when an employee leaves the organization and a new hire starts with the same name or initial combination? If the address is reissued, the new employee potentially receives all of the former employee's email, even mail that was never intended for them. Depending on the new employee's role, that mail may be entirely inappropriate for them to see (for example, when PII or financial data are involved). The larger an organization grows, the higher the statistical likelihood of overlap in names and initials.
Recommendation
Organizations should never reuse a former employee's email address for new personnel. Keep retired addresses reserved in the directory so the provisioning process cannot reissue them, and append a numeric suffix such as "01" to new addresses that would otherwise collide, so a later hire with the same name always receives a distinct address.
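As an added illustration of the no-reuse rule above (example code written for this edit, not code from the article or from BeyondTrust): a small Python provisioning helper that derives an address from the naming schema, keeps retired addresses as tombstones so they are never reissued, appends a two-digit suffix on collision, and can audit an existing roster for names that map to the same address. The schema names, the domain, the directory contents and all class and function names are hypothetical.

```python
import re
import unicodedata
from collections import defaultdict


def normalize_name_part(part: str) -> str:
    """Fold accents to ASCII and keep only lowercase letters, so 'Müller' -> 'muller'."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def local_part(first: str, last: str, schema: str = "flast") -> str:
    """Derive the local part from a naming schema.

    Assumed schema names (hypothetical): 'flast' = first initial + last name,
    'first.last' = first name, dot, last name.
    """
    f, l = normalize_name_part(first), normalize_name_part(last)
    if not f or not l:
        raise ValueError("name parts must contain at least one letter")
    if schema == "flast":
        return f[0] + l
    if schema == "first.last":
        return f"{f}.{l}"
    raise ValueError(f"unknown schema: {schema}")


class AddressRegistry:
    """Hypothetical view of a directory: the active addresses plus a tombstone
    set of retired ones. A retired address is never handed out again."""

    def __init__(self, domain: str, active=(), retired=()):
        self.domain = domain.lower()
        self.active = {a.lower() for a in active}
        self.retired = {a.lower() for a in retired}

    def is_taken(self, address: str) -> bool:
        address = address.lower()
        return address in self.active or address in self.retired

    def allocate(self, first: str, last: str, schema: str = "flast",
                 max_suffix: int = 99) -> str:
        """Return a free address for the new hire, suffixing 01, 02, ... on collision."""
        base = local_part(first, last, schema)
        candidate = f"{base}@{self.domain}"
        if not self.is_taken(candidate):
            self.active.add(candidate)
            return candidate
        for n in range(1, max_suffix + 1):
            candidate = f"{base}{n:02d}@{self.domain}"
            if not self.is_taken(candidate):
                self.active.add(candidate)
                return candidate
        raise RuntimeError(f"no free address left for {base}@{self.domain}")

    def retire(self, address: str) -> None:
        """Offboarding: move the address to the tombstone set instead of deleting it."""
        address = address.lower()
        self.active.discard(address)
        self.retired.add(address)


def schema_collisions(people, schema: str = "flast"):
    """Group roster entries whose names map to the same schema-derived local part."""
    groups = defaultdict(list)
    for first, last in people:
        groups[local_part(first, last, schema)].append(f"{first} {last}")
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample directory, not real data.
    reg = AddressRegistry("example.com",
                          active=["jsmith@example.com"],
                          retired=["jdoe@example.com"])
    print(reg.allocate("John", "Doe"))      # jdoe is tombstoned -> jdoe01@example.com
    print(reg.allocate("Jane", "Smith"))    # jsmith is active    -> jsmith01@example.com
    reg.retire("jdoe01@example.com")
    print(reg.allocate("James", "Doe"))     # jdoe and jdoe01 retired -> jdoe02@example.com
    print(schema_collisions([("John", "Doe"), ("Jane", "Doe"), ("Ana", "Müller")]))
```

The important design choice is that `retire` never frees an address: the tombstone set is what stops a later `allocate` call for a same-named hire from silently inheriting the former employee's mail flow. The same check should be applied to aliases and distribution-list addresses, which are just as likely to be forwarded.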
Using corporate email accounts for payment gateways
Some organizations allow the purchase of merchandise and services through common payment platforms, like PayPal or Apple Pay. These are necessary for some employees (such as marketing team members) to perform their job functions. However, none of these platforms should be set up under an individual user's corporate email address. If a business email address is required, create a group or alias for these services so the login does not depend on one person's mailbox.
Potential security implications
Just as with the air travel example in the first scenario, a payment account registered under a corporate email address can be leveraged against the individual once they leave and no longer have access to change the email address on file.
Recommendation
For these situations, use a dedicated account name for authentication rather than an email address. That lets the account owner change the contact email address later, but it adds risk if the account is shared. Former employees retaining access to shared payment accounts underscore the ongoing risk of inadequate privileged access controls and the threat that shared accounts pose.
Using corporate accounts for personal email
Some employees use their corporate email for group-based personal correspondence, such as mailing lists for their children's school.
Potential security implications
Once the employee departs the organization, whoever receives the forwarded email is potentially exposed to highly personal information, and the organization may be in violation of local privacy regulations.
Recommendation
Corporate email addresses should remain strictly dedicated to business usage and never be used for personal communications. Personal use can have interesting legal ramifications, especially when removing the address from a group or mailing list is not trivial.
Today, the boundaries between work and personal spheres continue to blend and blur, providing benefits (work flexibility, higher productivity, etc.) for both employers and employees, but not without cyber risk. Policies that insist every external account be tied to a corporate email address will only introduce more risk as employees turn over and our dependence on electronic communication grows.
Organizations have embraced policies like Bring Your Own Device (BYOD) for mobile device support and should consider allowing personal email addresses for exactly the same reasons. Acceptable email usage policies need to state clearly when personal usage is acceptable, how it should be implemented, and when tying an external account to a corporate address creates unnecessary risk on employee termination.