Are Personal Email Accounts Accessing Your Company Data?
Personal account access is one of the biggest data exfiltration risks a company faces—and one of the most hidden.
The current state of personal account access is precarious and affects organizations of all sizes. Every person who interacts with a company using cloud collaboration tools like Google Workspace and Microsoft OneDrive could have added their personal account or someone else’s.
This risk extends to company information stored within personal accounts.
Accidental creation of company documents using personal accounts happens frequently, especially in cases where employees or other third parties are using a personal profile instead of a company profile.
It’s also common for employees to store work credentials on their personal profiles, leaving company passwords exposed to potential phishing schemes and ransomware attacks, like the attack faced by Cisco in 2022.
IT and Security teams often don’t have visibility into their organization’s personal account exposure. Once sensitive information has made its way into an employee’s or third party’s personal email account, it moves beyond the scope and control of the IT and Security team. Even if the sharing was accidental, there’s no way of knowing whether the account’s security measures meet the organization’s standards.
And while the instinct may be to lock down and deny all personal account sharing, the issue ends up compounding. Employees and vendors find workarounds to share information. Suddenly, hundreds and thousands of company documents are shared with and created by personal accounts instead of company accounts, exposing the company to even more risk.
As remote work rises, so do risks from personal accounts
With the rise of cloud collaboration and remote work, risks associated with personal account access will only continue to increase.
Over half of employees (52%) say that they or a coworker have accidentally added their personal account to company documents. That doesn’t count intentional personal account sharing, which would push the 52% even higher.
According to a 2022 study, more than half (56%) of employees in the US use their personal accounts on collaboration and chat tools like OneDrive, Google Drive, Dropbox, and WhatsApp to share company documents. They do this to make sharing more efficient, and they use their personal accounts regardless of whether company policies allow it.
Many of these employees (32%) are using their personal accounts to share company documents despite being aware of company policies against this type of personal account sharing.
The share of employees who use personal file-sharing applications to share company documents is even higher globally, where nearly two-thirds (63%) of employees say they do this.
Half of employees admit to accidentally creating a company document with their personal account
Employees are using their personal accounts to create documents that were meant to exist only under their company accounts. Half of employees admit that they’ve accidentally created a company document using their personal account.
When employees accidentally create company documents using their personal accounts, these documents become virtually invisible to IT teams yet pose even more risk because security procedures are often more lax for personal accounts.
That’s partly why personal account access can persist long after employees leave a company. When asked, “Have you ever left a company but could still access company documents in Google/Microsoft/Box/Dropbox?”, over 35% said yes, while 27% said they never checked.
This sets companies up for a myriad of security and compliance issues.
For example, if a former employee was offboarded but still has access to company information through their personal account, their offboarding hasn’t actually been completed in a way that satisfies security or compliance protocols.
While most personal account access is the result of accidental sharing, intentional data exfiltration is more common than we’d like to think.
Forty-five percent of employees admit to taking documents from their employer before leaving
In fact, 45% of employees admit to taking documents from a former employer before leaving. And nearly 10% preferred not to say whether they did or not. Personal accounts are one of the ways employees can either take company information or continue to gain access to it. Although some of these instances are benign, they can still cause major repercussions for companies.
Employee and former employee access isn’t the only risk related to personal accounts. Vendors and other third parties can add their personal accounts to hundreds and even thousands of documents, with access often going unnoticed.
Vendor offboarding processes are typically less robust than employee offboarding workflows, which means personal account access from these partners often persists for years.
Most personal accounts are added by accident or without malicious intent, but that doesn’t mean there’s any less risk. The biggest problem we find with personal account access is a lack of visibility into which personal accounts have access to what cloud-based company data. Without visibility into what personal account access exists, IT and Security teams aren’t able to remediate the problems.
Personal account access is a major but often overlooked issue, yet there are ways organizations can keep their company files safe and secure. To learn more about these methods, read the full brief, where we lay out all the risks related to personal account access and how to control this type of access.