With employees bouncing back and forth between their home and corporate offices, personal devices end up in the workplace while company-issued devices often find their way back home. While at home, the lines can get blurred between personal and work use with devices changing hands between partners, family members or roommates.
This multi-purpose usage and shared device mentality allows security compromises at home to carry over into the office. A lone phishing email in your personal inbox could be all it takes to infect your work laptop. We sat down with James Carder, CISO of worktech leader Eptura, to talk about the risk that phished personal email accounts pose to employers, common attack techniques used by cybercriminals, and how organizations can protect themselves.
Q: How can using personal email accounts increase the risk of falling victim to phishing attacks?
A: The risk associated with personal email accounts is rooted primarily in the idea that many of these accounts do not carry the same protections attached to an employee email account. Most email providers offer rudimentary protection against phishing attacks – for example, they might be able to detect and label certain incoming messages as malicious, or they may automatically categorize those emails as spam.
However, the onus is left to the user to configure many of these settings, and mail applications do not make it easy for the regular user to be as secure as they would be in their corporate email. Plus, the controls on personal accounts are not as robust since corporate security controls are largely managed by administrators and enforced by policy as opposed to being managed by individual consumers.
From an enterprise perspective, those basic protections offered by mail applications are not sufficient. Businesses and their employees often face more sophisticated attacks, requiring stronger defense mechanisms, usually in the form of dedicated email security.
Q: What are some common tactics used by cybercriminals to trick individuals into giving away sensitive information through personal email accounts?
A: Phishing attacks have grown more sophisticated over the years and cybercriminals have gotten smarter with the types of messages they send. Personalization is one of the key factors – a note looks more genuine to the recipient if it greets them by name, references their work or mentions their company, boss or coworkers. One of the more common tactics we see impacting enterprises is a message that looks to be from the employee’s boss and asks them to send information or open an attachment that actually ends up exposing sensitive company information or the broader corporate network.
Attackers also capitalize on timely events as a method to phish. For example, the pandemic spurred a bout of phishing attacks relating to COVID news, statistics and treatments, as well as schemes purportedly offering government information about the illness, vaccines and protocols. When possible, attackers will tailor their efforts to topical subjects that people can relate to or want to know more about.
Q: How can a single phishing attack on a personal email account impact the overall security of a company or organization?
A: What may seem like one harmless attachment can wreak havoc on an entire organization. An unsuspecting employee clicking on a malicious download link could install malware or ransomware onto a corporate laptop and have massive consequences for the business. It sounds dramatic, but social engineering attacks like phishing scams are designed to blend into the everyday, and employees continue to fall victim to these attacks time and time again.
Checking a personal email account from a corporate system actually offers that user the benefit of the system security technologies and controls available on the corporate endpoint. On one hand, it is probably safer to check those emails on that device than on a home computer with fewer defenses. The gap for organizational security is that if an attack is successful on a personal email, it then puts the corporate system and company at risk as well. The blast radius is much larger than just one person and their device. Organizations of all sizes, across industries, have been struck by ransomware attacks in recent years that cost them both financially and reputationally.
Q: What measures can individuals and companies take to reduce the risk of phishing attacks via personal email accounts?
A: Ultimately, it’s a shared responsibility between the employee and the employer to protect the company from these kinds of attacks. Today’s employees are working across home offices, corporate buildings and shared workspaces, which means that businesses have to be prepared to protect their employees where they are. Organizations should have fundamental email security measures in place to detect potentially harmful messages. Additionally, they need to have sufficient monitoring and response mechanisms in place to recognize and remediate any issues that do arise.
Corporations should also incorporate user awareness training for employees that draws on their personal lives and the impact those could have on the company. Anecdotally speaking, there seems to be a higher degree of awareness when users are able to recognize the potential impact on family and home life.
Q: In light of the increase in remote work due to the pandemic, what steps should companies take to ensure the security of their employees' personal email accounts?
A: With more companies embracing flexible work styles, the lines have blurred between personal and work boundaries. Companies need to be prepared to protect themselves, regardless of where employees are working and which devices they’re using.
Implementing robust corporate security controls is an important step toward protecting employees, and the company, across locations. Enterprises need a fully integrated worktech or workforce technology to aid in protecting users whether they are in the office every day, twice a week or not at all. This allows organizations to combat security issues regardless of where they take place.
Beyond implementing necessary email security measures, there are a number of other basic IT and security hygiene controls that should be considered, ranging from endpoint protection and secure access service edge (SASE) to multi-factor authentication (MFA) and patch management. Adopting a zero-trust model, specifically a zero-trust network access (ZTNA) approach to security, enables companies to apply controls and protections to perimeters that extend beyond the corporate firewall. By assuming all events or actions are malicious until proven otherwise, organizations can establish trust for users and their devices accessing applications and resources without putting the entire organization at risk.