Microsoft OneDrive and Google Drive are essential services for collaborating on content, storing documents, and sharing cloud-based files. But this ease of collaboration can also lead to huge risks. It’s become so easy to share a document with anyone, instantly, that the risk of oversharing is high.
One of the most common types of oversharing relates to personal email accounts being granted access to company information.
Company documents may accidentally get created by, or shared with, an employee’s personal email account, a problem over half of workers admit to having. Vendors’ personal email addresses can be added too, intentionally or by accident. And freelancers and contractors often use their personal emails for work.
Personal email accounts are naturally risky. They’re designed for personal use, without any corporate oversight, and often with zero-to-minimal security practices and procedures.
While corporations have robust security practices—like mandatory 2FA and password length, age, and complexity requirements—personal account security is up to the individual.
These types of accounts may not have two-factor authentication set up at all. And when they do, the owner is less likely to use an authenticator app and typically relies on SMS codes, the weakest form of verification.
Personal email accounts have weaker passwords and protections
According to TechRepublic, fewer than 10% of active Gmail users had enabled two-factor authentication, based on data shared by Google engineers. Google has worked to change this by gradually rolling out mandatory 2FA starting in late 2021, but many personal email accounts at other providers, such as Yahoo and Hotmail, still lack comparable protection.
People are also less likely to change their passwords on personal accounts, or they may use the same password for many years and across different channels. These passwords could have been compromised in data leaks but never changed. In fact, according to LastPass, which was recently breached itself, 61% of people use the same password on multiple services.
Over 80% of security breaches are due to weak or stolen passwords
Common and weak passwords are also a culprit when it comes to data leaks and access-risk incidents. LastPass notes that 81% of security breaches are due to weak or stolen passwords.
And Digital Shadows found that a whopping 24,649,096,027 account usernames and passwords had been exposed by cyber threat actors as of 2022. In many instances, passwords stolen years earlier were never changed, and many users never even realized they had been compromised.
People also practice worse security measures with their personal accounts than they would with their work emails. For example, they may share passwords with family members, even texting or messaging this sensitive information across unencrypted channels that could easily be intercepted by third parties.
Device sharing and phishing attacks remain risks
Device sharing is another concern. A 2018 SentinelOne report found that over half of employees (55%) allowed their friends or family members to use their work devices at home. That number is likely even greater today in a remote workforce, which means the potential for unauthorized access is quite high. While it is unlikely a member of one’s family will be looking at or taking organizational IP, family falling for phishing schemes while using a device remains a possibility.
Even if a personal account has 2FA enabled, phishing schemes are a risk.
For example, Cisco faced this scenario in 2022 when an employee’s personal account was compromised. The employee had password sync enabled, so the threat actor could access all of the employee’s saved passwords, including their Cisco VPN credentials. To get past 2FA, the attacker ran a series of voice phishing calls while posing as trusted organizations and eventually convinced the employee to accept the MFA push notifications, which gave the attacker access to the Cisco VPN. This caused a multitude of headaches for Cisco as they worked to swiftly remediate and communicate the attack.
Accidental oversharing with personal accounts happens everywhere
Oftentimes, employees don’t even realize the problems that can arise from sharing company information with personal accounts or with their families. But accidental oversharing with personal accounts can happen at any company or government office and may cause a wide range of legal and compliance issues.
For example, in 2017 an employee at Boeing emailed his wife a company spreadsheet, asking for help with formatting. What he didn’t know was that the spreadsheet included sensitive data on 34,000 Boeing employees, including their social security numbers, in hidden columns. What seemed like a simple, innocuous request to the employee turned into a major breach. Although the data didn’t leak, it took Boeing nearly two months to discover and contain the breach, and the incident triggered a criminal investigation.
Blocking employee access doesn’t solve the problem
Sometimes, in an attempt to stop data exfiltration after employees leave the company, companies will immediately block their access to work accounts. This was the case with Coinbase, which laid off 18% of its staff, many of whom found out when they couldn’t log in to their work email accounts. However, some companies don’t realize that even after cutting off access to work accounts, access to sensitive information in cloud collaboration platforms may persist through employees’ personal accounts.
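The persistence problem above (and the audit the article goes on to recommend) comes down to listing every sharing permission on company files and flagging principals the organization does not control. The script below is an added illustration, not code from the original article or from any vendor; it runs over a constructed export whose records are shaped like the Google Drive API v3 permissions resource (fields type, role, emailAddress, domain), and the corporate domain example.com and the personal-provider list are assumptions.

```python
import json
from collections import Counter

# Consumer mail providers that signal a personal account (assumed list; extend as needed).
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
                    "outlook.com", "live.com", "icloud.com", "aol.com"}
# The organization's own domain(s). Assumed value for this example.
CORP_DOMAINS = {"example.com"}

# Constructed sample export: one record per file with its permission list,
# shaped like the Google Drive API v3 permissions resource.
SAMPLE_EXPORT = json.dumps([
    {"id": "f1", "name": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "alice.home@gmail.com"}]},
    {"id": "f2", "name": "Roadmap.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "anyone", "role": "reader"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f3", "name": "Vendor SOW.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "contractor@yahoo.com"},
        {"type": "group", "role": "reader", "emailAddress": "legal@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "pat@partner-example.net"}]},
])

def classify(perm):
    """Label one permission entry, or return None when it stays inside the organization."""
    ptype = perm.get("type")
    if ptype == "anyone":                       # link sharing: no login needed at all
        return "anyone-with-link"
    if ptype == "domain":                       # whole-domain sharing
        return None if perm.get("domain", "").lower() in CORP_DOMAINS else "external-domain"
    domain = perm.get("emailAddress", "").lower().rpartition("@")[2]
    if domain in CORP_DOMAINS:
        return None
    if domain in PERSONAL_DOMAINS:              # offboarding cannot revoke these
        return "personal-account"
    return "external-account"                   # partner/vendor corporate address

def audit(export_json):
    """Return (findings, summary): one tuple per risky grant, plus a count per label."""
    findings = []
    for f in json.loads(export_json):
        for p in f["permissions"]:
            label = classify(p)
            if label:
                who = p.get("emailAddress") or p.get("domain") or "anyone"
                findings.append((f["name"], p.get("role"), who, label))
    return findings, Counter(lbl for *_, lbl in findings)

if __name__ == "__main__":
    results, summary = audit(SAMPLE_EXPORT)
    for name, role, who, label in results:      # owner + personal-account is the worst case
        print(f"{label:17} {role:7} {who:26} {name}")
    print(dict(summary))
```

A personal address holding the owner role, as on the vendor file here, is the case that survives disabling the departed employee's or contractor's work account.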
Today, there’s a huge emphasis on the need for flexibility and agility in hybrid, remote workplaces. Employees and vendors often have access to information from any location, at any time. This is leading more people to use their personal email accounts for access to company information (by accident or on purpose) without fully understanding the risks involved or the security precautions they need to implement.
It is vital for companies to be fully aware of the risks that adding personal email accounts to cloud-based company documents brings. To receive a risk audit that will show you exactly how many and which personal accounts are accessing information in your organization, visit here.
You may have this locked down and handled already, but in our experience, 99 of 100 companies have personal accounts with access to company documents.