Skip to main content

The dark side of sending work emails ‘home’

The dark side of sending work emails ‘home’
(Image credit: Pexels)

In the last four years, the number of remote working jobs has more than doubled, as employers acknowledge the need to change traditional working practices. In fact, it’s expected that 50% of the UK workforce will work remotely by 2020, further blurring the lines between home and the office.

This shift has huge benefits; improving people’s work-life balance, increasing employee productivity and boosting employee retention rates. However, it does also pose a problem for one very important aspect of business - data security

Data security is at a greater risk as staff are more likely to send important and, even, confidential company information to personal email accounts, with the usual intention of working on documents at home. 

Worryingly, many are completely unaware how risky these actions are. According to tech firm Probrand, nearly two-thirds of UK employees have forwarded customer emails to their personal email accounts and 84% of them did not feel they were doing anything wrong.

So what are the risks with sending work home? And who are the workers you need to be wary of? 

About the author

Cai Thomas is a Customer Success Manager at cybersecurity company Tessian.

#1: The 24/7 worker

While a number of the emails sent ‘home’ contain non-sensitive information, like travel arrangements, cinema tickets or food recipes, we’ve seen that around 10-15% of emails sent to personal accounts contain company sensitive information. 

We’ve all been there; it’s late on a Friday, that Monday deadline is looming, and the employee thinks to themselves, “I’ll just have to finish this document at home over the weekend”. So they send the document to their own, or their partner’s, personal freemail account.

However, this can have devastating consequences for the company’s reputation and it could destroy customers’ trust in the business. The problem is that by sending emails ‘home’, the information the messages contain now sits in an environment that is not secured by the company, leaving the data vulnerable to cybercriminals.

It’s also important to note that this simple act of sending work home means your company is now at risk of breaching data protection regulations, like GDPR, due to the fact that you, as the Data Controller, no longer have oversight as to where the data is held. 

Boeing, for example, faced scrutiny after an employee shared a spreadsheet containing the personal information of 36,000 co-workers with his spouse, simply because she was better at Excel formatting than him. The incident sparked an internal security investigation and was brought to the attention of the Washington state Attorney General and other officials in California because employee data had left the control of the company. 

#2: The leaver

We often see a spike in data exfiltration during an employee’s notice period. Workers know they’re not supposed to, but the temptation to take information that will give them an advantage in their new role is hard to ignore. As such, we see people sending company IP and client data to personal accounts prior to moving to another employer. This happens most frequently in industries such as financial services, legal, healthcare and recruitment, where a person’s client base and network is king. 

The task of manually monitoring suspicious ‘leaver’ behavior over email has become incredibly challenging for IT staff, due to the increased employee churn rate year on year. A study by LinkedIn found that young workers now switch jobs four times in their first 10 years after graduation. However, by not putting a stop to this act, companies could face losing their competitive advantage as well as their clients’ business due to leaked secrets, strategy and IP. 

#3: The malicious insider

This is where employees steal data from their company for personal or financial gain. Despite being less common, the threat of the ‘malicious insider’ is something businesses have come up against more frequently in the past few years. Employees will typically steal confidential company secrets and/or client data with the intention of selling it on the dark web or handing it over to a competitor to damage their current company. 

Just last year, Bupa fell victim to this crime after the personal data of 500,000 customers was sold on the dark web while audit firm SRBC and Co.’s reputation was tarnished after its client’s earnings estimation was maliciously leaked over email. 

An intelligent solution for a flexible workforce

There can be no denying that monitoring all employee email behavior is an arduous task for IT and compliance teams to undertake. With the average employee sending and receiving 124 emails a day, and with daily email traffic increasing 5% year on year, deciphering data exfiltration within email logs is like finding a needle in a haystack. 

To help tackle the problem of data being leaked to unauthorized accounts, some organisations opt to simply blacklist all freemail domains. However, this can impede productivity and is usually ineffective given that many clients, small businesses and contractors use freemail accounts, as do prospective applicants looking for jobs at the company. 

Filtering with machine learning

Businesses, then, need a more intelligent approach to data exfiltration - one that can look at the emails each employee has sent and received in the past, in order to identify non-business contacts with whom each employee interacts with. 

Machine learning, for example, can evolve to understand the differences between authorized and unauthorized  freemail accounts, and it can analyse email content to determine whether it is sensitive or non-sensitive. By doing so, machine learning can make an accurate prediction as to whether an employee is exfiltrating data and acting against company policies. 

There will always be reasons for people to bend the rules and leak data outside of their organisation - maliciously or for convenience. The consequences for doing so, though, could be devastating for any company; huge fines, loss of competitive advantage and a damaged reputation. So as more businesses adopt remote working practices, it’s important that technologies are place to ensure company sensitive data is secure and not at risk of ‘being sent home’.

 

Cai Thomas is a Customer Success Manager at cybersecurity company Tessian.