Although tools like Microsoft OneDrive and Google Drive help employees seamlessly collaborate on the cloud, sharing misconfigurations can lead to data breaches.
Sharing documents has become as easy as sending a link.
While this quickens collaboration and helps employees save time, there’s also a huge problem of oversharing. Accounts that shouldn’t have access to company documents can gain access, leading to a heightened risk of breaches where company data can be exfiltrated.
One of the largest risk vectors we see is when employees create or share company files with their personal email accounts. The problem of personal account sharing is rampant in organizations of all sizes and across industries. And this access can persist for months or even years, without IT teams knowing.
But current and former employees aren’t the only people accessing company data using their personal accounts.
Vendors, whether current or former, as well as contractors and freelancers, can access cloud-based information with their personal accounts, inadvertently or willfully.
Companies should be aware of the multiple types of personal accounts, what information they have access to, and their subsequent risks. We’ve outlined the major types of personal accounts below:
Personal Accounts of Current Employees
Employees may share company information with their or other employees’ personal accounts. They can also accidentally create company documents with their personal accounts and then share them with a wider audience within the company.
In some cases it’s a simple mistake on the employee’s part, or the intent isn’t malicious: sharing with their own personal account lets the employee do their work from a personal device or while traveling.
Although most instances are accidental or the result of innocent sharing meant to facilitate work, employees may also share documents with their personal email accounts with the harmful intent of exfiltrating company information, for example taking customer information or IP for personal gain.
Employee personal accounts can also end up storing credentials for their work accounts. Take, for example, an employee who is signed into Google Chrome through their personal account instead of their work account: every password they use for work gets saved to that personal account, making that account a vector for potential phishing and ransomware attacks against the company.
Personal Accounts of Former Employees
Typically, offboarding processes are designed to remove an outgoing employee’s access to company information by deactivating their work accounts. However, these processes leave one key risk exposed: the outgoing employee’s access to company information through their personal accounts.
This access can persist for months and even years after an employee has left a company. In rare cases of malicious intent, former employees can use this hidden access to take confidential information.
Personal Accounts of Vendors and Partners
Often, to facilitate collaboration, companies will share documents with external vendors and other partners.
Just like employees, vendors and partners may add their personal accounts or the personal accounts of their coworkers by accident.
They may even receive permission to use their personal accounts because they use different collaboration tools than the organization they are collaborating with. For example, one organization uses Google Workspace as its primary document repository, and its vendor uses OneDrive and doesn’t have a Google Workspace account.
In these types of scenarios, personal accounts can get access to thousands of documents containing confidential information, like detailed financial documents, legal information like agreements, or evidence used in compliance audits.
This type of sharing presents high levels of access risks, especially since vendor and partner personal accounts might not have the same compliance and security standards as the company.
Both current and former vendors and partners may have access to sensitive company information through their personal accounts long after the official contract with them ends.
Personal Accounts of Freelancers and Contractors
Freelancers, contractors, and temporary workers are also permitted access to company information to complete their work. They frequently use personal accounts when they aren’t furnished with company email accounts.
As part of their work, they not only have company documents shared with them; they also create a multitude of documents through their personal accounts.
These workers are usually not subject to the same rigorous security training as full-time employees. Additionally, their personal email accounts do not have the same protections set up as the company they are servicing.
Freelancers and contractors often end up leaving or ending their contracts without making sure the ownership of documents has been transferred to someone in the company. Additionally, documents that were shared with their personal accounts are typically not cleaned up as part of offboarding.
Both current and former contractors and other temporary workers can maintain access to company information through their personal accounts for months, or even years.
Other Unauthorized Personal Accounts
For many companies with valuable IP, this scenario happens all the time: suddenly a random Gmail account requests access to a confidential or executive-owned document, yet no one knows who the account belongs to or how exactly they got the document link.
Most of the time it’s not a huge deal. The owner of the document rejects the request. But sometimes the request is approved. And suddenly, a threat actor has access to confidential company information.
Another scenario is an account, whether personal or work, being breached and then used to share documents with personal accounts.
While both scenarios are less common than employee or vendor access, these unauthorized personal accounts can pose a higher level of risk since they are owned by malicious actors.
The use of personal accounts to access company information introduces a host of risks to organizations. However, gaining visibility and control over personal account access can be extremely difficult. Powerful admin tools will reduce risk, offering the ability to quickly fix issues and efficiently automate the process. To gain visibility into your company’s risks from personal accounts, visit here.
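One way to get the visibility discussed above is to walk a sharing export and flag every grant that reaches a personal or unknown account, including files that are owned by a personal account outright. This is an added example, not code from the original article or from any product it refers to; it assumes records shaped like Google Drive v3 file permissions (type, role, emailAddress, domain), and the domain lists and sample files are constructed placeholders.

```python
CORPORATE_DOMAINS = {"example.com"}             # assumption: the company's own domains
APPROVED_EXTERNAL_DOMAINS = {"vendor.example"}  # assumption: vetted partner domains
# Consumer mail providers taken to indicate a personal account (assumed list).
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Constructed sample shaped like Drive v3 file records with permissions expanded
# (permissions[].type / role / emailAddress / domain). Not real data.
SAMPLE_FILES = [
    {"name": "Q3 financials.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "Alice.Personal@gmail.com"}]},
    {"name": "Vendor SOW.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "domain", "role": "reader", "domain": "vendor.example"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "Contractor deliverable.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dana.freelance@gmail.com"},
        {"type": "user", "role": "reader", "emailAddress": "bob@example.com"}]},
]

def classify_domain(domain):
    """Bucket a mail domain as corporate, approved-external, personal or unknown-external."""
    domain = domain.lower()
    if domain in CORPORATE_DOMAINS:
        return "corporate"
    if domain in APPROVED_EXTERNAL_DOMAINS:
        return "approved-external"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "unknown-external"

def audit(files):
    """One finding per grant that reaches outside the corporate/approved-partner set."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            if p["type"] == "anyone":  # link sharing: anyone holding the URL can open it
                findings.append({"file": f["name"], "reason": "anyone-with-link",
                                 "role": p["role"], "who": None})
                continue
            domain = p.get("domain") or p["emailAddress"].rsplit("@", 1)[-1]
            kind = classify_domain(domain)
            if kind in ("corporate", "approved-external"):
                continue
            # A non-corporate *owner* means the document itself lives outside the company.
            reason = ("owned-by-" if p["role"] == "owner" else "shared-with-") + kind
            findings.append({"file": f["name"], "reason": reason, "role": p["role"],
                             "who": p.get("emailAddress", domain)})
    return findings
```

Running `audit(SAMPLE_FILES)` yields three findings: a financial spreadsheet shared to an employee's Gmail address, a vendor document open to anyone with the link, and a contractor deliverable owned by a personal account, which is the case offboarding never cleans up.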