Personal email makes for a big business risk
I’ve been writing a lot on LinkedIn lately about personal email communication. For me, it’s been on the decline and turned into something more functional around my consumer lifecycle. I don’t use it for emailing my friends anymore. Instead, it is just used for bill paying and finding sales for sites I frequent.
Something has emerged lately around personal email accounts related to business though, and it is proving to be a complex issue for compliance officers. Personal email accounts seem to be on the rise for conducting work in the shadows. Let’s take a look at two high profile cases.
When Hillary Clinton was Secretary of State, she chose to use her own personal email server for communications. Now, I’m going to stay away from political bombs and focus on the real risk here. Her own email server wasn’t subject to the same security, monitoring and retention policies as a system that was designed for sensitive emails.
In another case, the Chancellor of the University of Illinois was caught using her own personal email to hide scathing and disparaging emails. The University had received a Freedom of Information Act request that would have surfaced those messages had she been using University email, and in one of the emails that was later discovered she apparently admitted what she was up to.
The risk of data loss through personal email use is a real threat that companies have a hard time mitigating. There's not much you can do to protect against someone intentionally trying to hide what they're doing, but you can take some steps beyond end user education to make it harder.
A great place to start, with a control that's been around forever in Exchange, is auto-forwarding. Outlook allows users to configure rules that will auto-forward every message to another account. Turn this feature off. Sure, they can still manually forward messages, but you've just made it a little harder for them to do it at scale, and you should also look for forwarding rules and mailbox forwarding that are already in place.
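Here is what that looks like in practice. This is an added example, not code from the original post or from Arraya. It assumes an Exchange Online PowerShell session opened with an admin role (`Connect-ExchangeOnline`); the remote-domain setting also works against on-premises Exchange. The first part turns auto-forwarding off at the transport layer, the second part audits what users have already set up, since disabling the feature does not remove existing rules.

```powershell
# Added example (not from the original post): turn off automatic
# forwarding to external addresses and audit forwarding that already exists.
# Assumes an Exchange Online PowerShell session with an admin role.

# 1. Stop transport from honouring auto-forwards (Inbox rules that forward
#    or redirect) to any external domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# In current Exchange Online the outbound spam policy also controls this;
# setting it explicitly avoids relying on the tenant default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Belt and braces: reject any auto-forwarded message leaving the
#    organisation so the user gets a clear NDR rather than a silent drop.
New-TransportRule -Name "Block external auto-forward" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted." `
    -Mode Enforce

# 3. Audit forwarding that is already configured.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox rule recipients render as '"Name" [SMTP:user@domain]'; keep only the address.
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailbox-level forwarding: ForwardingSmtpAddress is user-settable,
# ForwardingAddress is admin-set. Both bypass Inbox rules entirely.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect to an address outside our accepted domains.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            $external = $targets | Where-Object { Test-ExternalAddress ([string]$_) }
            if ($external) {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Rule     = $rule.Name
                    Enabled  = $rule.Enabled
                    External = ($external -join '; ')
                }
            }
        }
}
```

Run the audit portion before and after the change: the remote-domain and spam-policy settings stop messages from leaving, but the rules themselves remain in users' mailboxes, and a rule that suddenly produces NDRs is a useful conversation starter with the user and with compliance.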
Design a good records management policy around specific content types and outline the repositories for certain types of data and where they can reside. Supplement the policy with a rights management solution, like Azure Rights Management. This allows IT to automatically protect content conditionally and also gives the end users the power to protect data themselves. Here’s an example:
Mark needs to email a spreadsheet of potential salary adjustments to managers. He can protect the data with an Azure Rights Management template so that only the managers can view the spreadsheet and the content expires on the day the salary adjustments go live.
Using this records management policy, you could also use Exchange Online's archiving feature to automatically archive the entire mailbox or just certain emails that meet specific criteria. Users won't even see what you're doing, but you can ensure the data that legally needs to be kept is kept. Did I not mention yet that you should check with legal on all this? It is probably a good idea.
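As an added example (not from the original post), here is how the archive and a retention policy are wired together from PowerShell. It assumes an Exchange Online session with the compliance management role; the mailbox address, tag names and retention periods are placeholders to be replaced with whatever your records policy and your legal team agree on.

```powershell
# Added example (not from the original post): enable the online archive and
# apply a retention policy that moves older mail into it automatically.
# Assumes an Exchange Online PowerShell session; names and periods are placeholders.

# Retention tags define what happens to items and when.
# Default tag (Type All) applies to the whole mailbox: items older than
# two years move to the archive rather than being deleted, so they stay
# searchable and discoverable.
New-RetentionPolicyTag -Name "Archive after 2 years" `
    -Type All -RetentionEnabled $true `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# Personal tag users can apply to specific folders or items that the
# records policy says must be kept longer.
New-RetentionPolicyTag -Name "Finance record - 7 years" `
    -Type Personal -RetentionEnabled $true `
    -AgeLimitForRetention 2555 -RetentionAction MoveToArchive

# Bind the tags into a policy and assign it to the mailbox.
New-RetentionPolicy -Name "Corporate records policy" `
    -RetentionPolicyTagLinks "Archive after 2 years", "Finance record - 7 years"

$user = "mark@contoso.example"   # placeholder mailbox
Enable-Mailbox -Identity $user -Archive
Set-Mailbox -Identity $user -RetentionPolicy "Corporate records policy"

# Litigation hold is what makes "the data that legally needs to be kept is
# kept" true: items a user deletes are preserved for the hold duration.
Set-Mailbox -Identity $user -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# Process the mailbox now instead of waiting for the scheduled pass,
# then confirm the settings took.
Start-ManagedFolderAssistant -Identity $user
Get-Mailbox -Identity $user |
    Select-Object PrimarySmtpAddress, RetentionPolicy, ArchiveStatus, LitigationHoldEnabled
```

The move-to-archive action keeps the user's primary mailbox small without giving them a reason to take mail elsewhere, while the hold ensures nothing disappears in the meantime.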
To further protect your content through Exchange, you can layer on a Data Loss Prevention strategy that looks for certain patterns of data and takes an action. For example, you can put a policy in place so that no email containing Social Security numbers can be sent externally. Best of all, there are reporting tools you can use to see who is trying to take such actions.
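The Social Security number policy expressed as an Exchange Online transport rule, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session and uses the built-in "U.S. Social Security Number (SSN)" sensitive information type; the incident report mailbox is a placeholder. The rule blocks external delivery and also sends the compliance team a per-message incident report, which is where the "who is trying" reporting comes from.

```powershell
# Added example (not from the original post): block external mail that
# contains U.S. Social Security numbers and report each attempt.
# Assumes an Exchange Online PowerShell session; the report mailbox is a placeholder.

$reportMailbox = "dlp-incidents@contoso.example"   # placeholder

New-TransportRule -Name "DLP: block SSNs leaving the org" `
    -MessageContainsDataClassifications @(@{ Name = "U.S. Social Security Number (SSN)"; MinCount = "1" }) `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "This message appears to contain a Social Security number and cannot be sent outside the company." `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications, RuleDetections, Severity `
    -SetAuditSeverity High `
    -Mode Enforce

# Roll out in stages: run in Audit first so you see who trips the rule and
# how often before anything is actually blocked, then switch to Enforce.
# Set-TransportRule -Identity "DLP: block SSNs leaving the org" -Mode Audit

# Quick view of failed external deliveries over the last week, grouped by
# sender. This covers all failures, not only this rule, so confirm with
# Get-MessageTraceDetail or the incident report mailbox before acting on it.
Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Status Failed |
    Group-Object SenderAddress |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Starting in Audit mode matters: a pattern match for nine-digit numbers will produce false positives on things like purchase order numbers, and you want to tune the rule (or the minimum count) on real traffic before users start getting rejections.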
One particular challenge is having multiple email accounts on a mobile device. With ActiveSync, you can copy and paste between email programs. You can supplement what ActiveSync does though with Mobile Device Management through Windows Intune. With the right policies in place, you can allow your corporate data to be segregated from personal data on a device. This means no more copy and paste between corporate apps and personal apps.
All in all, there are technologies to help you mitigate the risk of data loss and compliance issues. It's probably best to pair them with user education and a strict policy against using personal email for work. As is evident from the recent news articles, personal email can become a thorn in your side, and a well-defined strategy will keep your business protected.
Visit www.ArrayaSolutions.com to find out more about the solutions your organization can use to ensure the security of its email environment or to reach out to one of our Account Executives. Remember to follow Arraya on Twitter @ArrayaSolutions to keep on top of the latest company news and insights.