Cloud collaboration tools, like Microsoft OneDrive or Google Drive, make sharing company files extremely easy. Almost instantly, employees can add someone to the document through their email address. Or they can send them a link, granting access to company data.
These tools save time and make collaboration convenient. However, they also lead to cybersecurity risks. One persistent problem we’ve found is when employees and third parties like vendors create or share company documents with their personal email accounts.
Personal email accounts are less secure than employees’ work accounts, yet they are still added to company files by accident (or even on purpose). Various types of personal accounts exist and can be misused in the workplace.
It is vital to be aware of the distinct scenarios that cause problems for organizations, their customers, and employees alike.
We’ll go over four common security issues with personal accounts, as well as examine ways to avoid them.
Common Personal Account Access Scenarios
Scenario 1: Employees adding the wrong email accounts
Marc on the Sales team is adding Clara to a Google document. He clicks the sharing modal and quickly starts typing in her name. He selects the first option and adds Clara. However, he doesn’t realize that he’s added her personal email account rather than her work account.
This simple scenario happens more often than you think. It’s not uncommon for employee personal accounts to accidentally have access to thousands and even tens of thousands of documents. This can take loads of time to clear up, and many IT and Security teams don’t even realize the problem exists.
This issue also affects shared drives and folders. For example, if a personal account gets added to a folder or a shared drive, it inherits permissions to everything in that folder or drive. This can take lots of time for admins to identify and even longer for them to fix.
Scenario 2: Employees creating documents on personal accounts
As we mentioned, people accidentally create documents on their personal accounts and then share them with the company all the time.
This typically happens when an employee signs into the wrong profile, uses their work computer for personal purposes, or started creating documents before the company had an established process and set of policies. For example, early employees at a company may create documents on their personal accounts and still own them five years later.
We’ve found that the more company documents an employee creates on their personal account, the more likely they are to be storing company passwords using their personal account, too.
The security risks for this scenario are huge: without the proper solution there is zero visibility into these types of documents, both while someone is employed at the company and after they leave. They aren’t searchable using administrative consoles such as the Google or Microsoft admin consoles, and often these documents have public links. These public links can allow anyone on the internet to gain access, and the company would never know.
When employees leave a company, these documents become hidden risk vectors. Valuable company IP can be deleted or copied, and additional accounts can be added to the documents, without IT teams even realizing it. The company’s sensitive IP just walked out the door.
Scenario 3: Vendors using personal emails
Here’s a scenario where this can happen: a consulting company adds a personal account to tens of thousands of extremely confidential documents because they claim they don’t have a company OneDrive or Google Workspace account. This type of behavior poses a massive security risk as the vendor could turn off personal account two-factor authentication at any time without anyone knowing. If external parties have poor password practices on their personal accounts, company data is at much higher risk.
This access can continue even after vendors stop working with a company. For example, a former freelancer, vendor, or contractor may still access company data via their personal account even after being officially offboarded. Most tools do not give visibility into personal account access, and even the best vendor offboarding practices typically don’t catch these personal accounts and revoke access.
This leads to increased vulnerability for a company. For example, a vendor could use the information later either with a competitor or to create a competing product or service.
Scenario 4: Personal accounts used to take company data
Personal accounts can be used to steal company data after an employee leaves.
In 2019, Motorola accused Hytera, a Chinese rival, of misappropriating its trade secrets. Motorola claimed Hytera hired three engineers away from Motorola’s Malaysian office and that those engineers then stole thousands of confidential company documents containing trade secrets and source code.
Whether you’re an admin, employee, or contractor, it’s important to understand how personal accounts can be compromised—both accidentally and on purpose. Exploring these scenarios helps companies gain a better sense of how personal account access can result in security issues for everyone involved.
Companies need to consider how to best address each potential personal account access scenario. A strong solution should identify all personal accounts with company document access, enable users to easily identify risky scenarios, and then take appropriate remediation actions. To find out how many personal accounts are accessing your company data, get a free risk audit.
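As an added example of what such an identification step looks like in practice (this is illustrative code written for this page, not a product's own tooling), the script below audits a small, constructed document tree for the scenarios described above: personal accounts granted access directly, personal accounts that reach every item inside a folder or shared drive through inherited permissions, and "anyone with the link" sharing. The tenant domain (example.com), the list of consumer mail providers treated as personal, and the record layout (which loosely follows the Drive API v3 permission resource fields type, emailAddress and role) are all assumptions; real inventories would be pulled from the Google or Microsoft admin APIs.

```python
"""Audit a document tree for personal-account and public-link access.

Added example with constructed data. Each item carries its own explicit
permissions and also inherits the permissions of every ancestor folder,
which is how one personal account added to a folder or shared drive ends
up with access to everything inside it.
"""
from collections import defaultdict

# Assumption: the company's own tenant domain(s).
COMPANY_DOMAINS = {"example.com"}

# Consumer mail providers treated as personal accounts (illustrative, not exhaustive).
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "live.com", "yahoo.com", "icloud.com"}

# Constructed inventory. "parent" is the id of the containing folder or drive;
# permission fields loosely follow the Drive API v3 permission resource.
ITEMS = {
    "drv1": {"name": "Sales shared drive", "parent": None, "permissions": [
        {"type": "user", "emailAddress": "marc@example.com", "role": "organizer"},
        # Scenario 1: Marc picked Clara's personal address from the autocomplete.
        {"type": "user", "emailAddress": "clara.smith@gmail.com", "role": "writer"},
    ]},
    "fld1": {"name": "Q3 forecasts", "parent": "drv1", "permissions": []},
    "doc1": {"name": "Pipeline.xlsx", "parent": "fld1", "permissions": [
        {"type": "user", "emailAddress": "clara@example.com", "role": "writer"},
    ]},
    "doc2": {"name": "Pricing.docx", "parent": "drv1", "permissions": [
        {"type": "anyone", "role": "reader"},          # public link
    ]},
    "doc3": {"name": "Vendor SOW.docx", "parent": None, "permissions": [
        {"type": "user", "emailAddress": "consultant@example.com", "role": "owner"},
        # Scenario 3: a contractor working from a personal mailbox.
        {"type": "user", "emailAddress": "freelancer99@outlook.com", "role": "writer"},
    ]},
}


def classify(perm):
    """Bucket one permission entry by the kind of principal it grants access to."""
    if perm["type"] == "anyone":
        return "public_link"
    if perm["type"] == "domain":
        return "company" if perm.get("domain") in COMPANY_DOMAINS else "external_domain"
    email = perm.get("emailAddress", "").lower()
    domain = email.rpartition("@")[2]
    if domain in COMPANY_DOMAINS:
        return "company"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"            # another organisation's account


def effective_permissions(items, item_id):
    """Explicit permissions on the item plus everything inherited from its ancestors."""
    result = []
    node = item_id
    while node is not None:
        for perm in items[node]["permissions"]:
            result.append({**perm, "inherited_from": None if node == item_id else node})
        node = items[node]["parent"]
    return result


def audit(items):
    """Return {finding_kind: [(item_name, principal, role, inherited_from_id)]}."""
    findings = defaultdict(list)
    for item_id, item in items.items():
        for perm in effective_permissions(items, item_id):
            kind = classify(perm)
            if kind == "company":
                continue
            principal = perm.get("emailAddress", "anyone with the link").lower()
            findings[kind].append((item["name"], principal, perm["role"], perm["inherited_from"]))
    return dict(findings)


def personal_account_exposure(items):
    """How many items each personal account can reach, directly or by inheritance."""
    counts = defaultdict(int)
    for item_id in items:
        reached = {perm["emailAddress"].lower()
                   for perm in effective_permissions(items, item_id)
                   if classify(perm) == "personal"}
        for email in reached:
            counts[email] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, rows in audit(ITEMS).items():
        print(f"== {kind} ==")
        for name, principal, role, inherited_from in rows:
            via = f" (inherited from {ITEMS[inherited_from]['name']})" if inherited_from else ""
            print(f"  {name}: {principal} as {role}{via}")
    print("personal accounts by reachable item count:", personal_account_exposure(ITEMS))
```

The inheritance walk is the part worth keeping: a single entry on the shared drive puts clara.smith@gmail.com on four items, while an audit of explicit permissions alone would list it once. The exposure count is what turns a list of findings into a remediation order, and the one-line classification rule is where a company plugs in its own domains and any contractor domains it has chosen to trust.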