The typical company culture of today is less of a strict clock-in/clock-out mentality than in years past. Company expectations on methods of work have morphed over the years, and employees checking personal email or performing some personal business on “company time” is often ignored or overlooked as long as it doesn’t interfere with the employees’ job performance.
The risks in today’s connected world are also significantly different than they were even 10 years ago. While employees may have checked personal emails or performed other personal business on occasion then as they do now, the risks of those activities when utilizing corporate resources today have increased dramatically. Web-based email services, such as Gmail and Yahoo, create additional holes in the security perimeter that many companies take such pains to protect. Malicious actors are well aware of these “attack vectors” and look for any opportunity to exploit them.
File-sharing services, such as Google Drive, Dropbox and personal OneDrive folders, also pose significant risk to the corporate network. The layering effect of file-sharing services, such as a potentially malicious file being re-shared through a chain of services before it reaches an employee, adds further complexity and risk, because the file's origin and any scanning it did or did not receive along the way are opaque to the recipient.
It’s Not Just an Email
Corporate email systems have robust security technologies to monitor email, such as highly customized spam filters, attachment sandbox checking and URL sandboxing to name a few. Accessing web-based email bypasses most of these corporate security protections.
Users may download malicious attachments or click on phishing links from personal web-based email, allowing malware to enter the corporate network. These transfers occur from the personal email service directly to the corporate computer over HTTPS, so unless the organization performs TLS inspection at the perimeter, corporate firewalls cannot see the content, and the corporate email filters never see the message at all. The attachment therefore lands unscanned on a computer tied directly to the network.
Downloaded files from an email or file-sharing service or links clicked from emails could contain malicious code that exposes the corporate network to a ransomware attack or other malware that could cripple the corporate network and bring business to a halt, significantly impacting patient care in a healthcare organization.
Personal email could also be used (either intentionally or unintentionally) in the execution of official company business. This could bypass any Data Loss Prevention (DLP) logic that may be in place and lead to possible exposure or leaks of sensitive company information, intellectual property and even Protected Health Information (PHI) or Personally Identifiable Information (PII) – exposure a corporate email filtering platform would be more apt to identify and stop. There are also potential legal ramifications of corporate business being conducted over personal email services, even if unintentionally.
Best Practices
Access to personal web-based email and file-sharing services on corporate devices should be prohibited by company policy and blocked by corporate firewalls. If required, access should be allowed only on an exception basis. One example: Utilization of web-based email services required for a third-party contractor to exchange information with their parent corporation.
A risk-based approach should be used to determine the business need to allow access. There must be clear and concise policies and procedures for granting access to web-based email and file-sharing services. Procedural controls like signed Acceptable Use Policies, along with robust awareness training on the risks associated with using these services, will foster a culture of mutual acceptance for these restrictions.
Technical controls can be leveraged to restrict access to web-based email and file-sharing services. For example, next-generation firewalls and Active Directory (AD) groups can enforce role-based, exception-only access: the firewall identifies the application (not just the destination IP) and permits it only for members of a designated AD exception group, while everyone else is blocked. Some firewalls also allow granular, application-level controls that permit browsing a file-sharing site but prevent uploading files to it, so that an exception for reading does not become a channel for data to leave.
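The following is an added example, not code from the article or from any firewall vendor: a small Python model of the exception-only policy described above, so the rule ordering (categorize the destination, check the AD group, then apply the upload restriction) can be reasoned about and tested before it is configured on a real device. The domain-to-category table, the AD group names (`SG-Webmail-Exception`, `SG-FileShare-Exception`), the use of HTTP method as a stand-in for upload detection, and the proxy log lines are all constructed for illustration.

```python
"""Model of exception-only access to personal webmail and file-sharing.

Added example, not vendor code. It stands in for the NGFW application
control plus AD group check described in the article; a real firewall
supplies its own application signatures and decodes uploads itself.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed application signatures (assumption: a real NGFW ships these).
APP_CATEGORIES = {
    "mail.google.com": "webmail",
    "*.mail.yahoo.com": "webmail",
    "outlook.live.com": "webmail",
    "drive.google.com": "file-sharing",
    "*.dropbox.com": "file-sharing",
    "onedrive.live.com": "file-sharing",
}

# Hypothetical AD security groups populated through the exception process.
WEBMAIL_EXCEPTION = "SG-Webmail-Exception"
FILESHARE_EXCEPTION = "SG-FileShare-Exception"

# HTTP methods that carry a body are treated as uploads for file-sharing
# hosts. This is a simplification; a real NGFW decodes the application.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    host: str
    method: str


def classify(host: str):
    """Map a destination host to a category, or None if uncategorized."""
    h = host.lower()
    for pattern, category in APP_CATEGORIES.items():
        if fnmatch(h, pattern):
            return category
    return None


def evaluate(req: Request) -> str:
    """Return 'allow', 'block' or 'block-upload' for one request.

    Order matters: categorize first, then check the exception group,
    then apply the upload restriction that binds even excepted users.
    """
    category = classify(req.host)
    if category is None:
        return "allow"  # not a personal SaaS destination; other policy applies
    if category == "webmail":
        return "allow" if WEBMAIL_EXCEPTION in req.groups else "block"
    # file-sharing: exception is read-only, so uploads stay blocked
    if FILESHARE_EXCEPTION not in req.groups:
        return "block"
    if req.method.upper() in UPLOAD_METHODS:
        return "block-upload"
    return "allow"


def parse_proxy_line(line: str, directory: dict) -> Request:
    """Parse a constructed proxy log line of the form 'user host method'."""
    user, host, method = line.split()
    return Request(user, frozenset(directory.get(user, ())), host, method)


def audit(lines, directory):
    """Pair each log line with the verdict the policy should have produced.

    Running this over real proxy logs shows whether the deployed rules
    match the intended policy (e.g. an 'allow' that should be a 'block').
    """
    return [(line, evaluate(parse_proxy_line(line, directory))) for line in lines]


# Constructed directory and proxy log for the demo.
DIRECTORY = {
    "alice": {"Domain Users"},
    "contractor1": {"Domain Users", WEBMAIL_EXCEPTION, FILESHARE_EXCEPTION},
}
SAMPLE_LOG = [
    "alice mail.google.com GET",
    "alice intranet.example.com GET",
    "contractor1 mail.google.com POST",
    "contractor1 www.dropbox.com GET",
    "contractor1 www.dropbox.com POST",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG, DIRECTORY):
        print(f"{verdict:13} {line}")
```

The point of separating `classify` from `evaluate` is that the category table is what the vendor maintains and the group check is what the organization controls; when an exception is granted, only AD membership changes, not the firewall rules. Treating file-sharing exceptions as read-only by default is the conservative choice, since the upload path is the one that turns a browsing exception into a data exfiltration channel.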
These measures may seem draconian, but there are fairly simple solutions to satisfy employee needs. Personal devices are now ubiquitous, connected either via cellular networks with liberal data plans or via a corporate guest network that is segregated from the production network. They provide a clear and simple path for employees to conduct needed personal business on their own devices without exposing the corporate network to the inadvertent download of malware or ransomware from environments the company does not control.