With busy work and life schedules, we often want to make things as easy and convenient as possible. You might get the urge to link your personal email to work as one of those ways to simplify. Just one inbox to check, wherever you are, and you get all the messages you need—right? But if you look at it from a security perspective, this doesn’t make things simpler but a whole lot messier instead. And it could cause some big problems for your company. Here’s why you shouldn’t forward between your work and personal email accounts.
Vulnerabilities in Transmission
Your personal email is not protected by your work’s IT security team. As much as they may love you personally, they have no access to any security resources connected to your personal account. Business email accounts have upgraded protection that standard personal ones do not. Typical email providers like Gmail, Yahoo, and Outlook lack many important security controls. For example, personal emails from these accounts are not encrypted, so it’s never a good idea to send sensitive data through them without finding a way to encrypt it. Business email is not only encrypted but also has a number of filters in place to protect users from malicious attacks. If you link your personal email to your work account, these safeguards won’t apply to your personal inbox. Your work information will be outside the realm of protection.
Looser Identity Controls
Identity controls like Multi-Factor Authentication are another security measure in work email that won’t be applied to personal accounts. It’s possible to set this up outside the work environment, but many people never do. If you don’t configure MFA on your personal account and your password gets compromised, the result grows from your own personal problem into your company’s as well: on top of your information, the attacker now has access to company data.
Unknown Storage Locations
When you forward your work email to your personal account, business-related content will be stored on mail servers that cannot be protected by your company. Neither you nor your security team has any way of knowing where this information is stored. Any sensitive data that is communicated through work is now released to unknown server locations that your team can’t monitor. Unleashing your company’s information like that is a bad idea—you don’t want to become your own organization’s insider risk.
In some cases, the data you unleash might be sensitive enough to actually be a compliance violation. If you’re emailing confidential material like HIPAA data for example, you must use a HIPAA compliant email service. Typical personal email providers are not HIPAA compliant. Without important security controls like the ones mentioned above, and with no business associate agreement (BAA) in place, these emails do not meet compliance requirements. And having sensitive personally identifiable information (PII) breached could become a legal disaster.
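Security teams usually cannot see where forwarded mail ends up, but they can see the forwarding itself. The following is an added example, not code from the original article: a small audit that takes an export of mailbox forwarding settings and inbox rules (the records below are constructed, modelled loosely on the shape of Exchange inbox rules and mailbox forwarding addresses) and flags any enabled forward whose target domain the organization does not own. The domain allowlist and every address are placeholders you would replace with your own.

```python
from dataclasses import dataclass, field

# Domains the organization owns; subdomains of these count as internal.
# Placeholder values, not taken from the article.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class ForwardRecord:
    """One forwarding setting: a mailbox, where the setting lives, and its targets."""
    mailbox: str                                   # owner of the rule / setting
    source: str                                    # "inbox_rule" or "mailbox_forwarding"
    targets: list = field(default_factory=list)    # SMTP addresses mail is sent on to
    enabled: bool = True


def email_domain(address: str) -> str:
    """Return the lower-cased domain of an SMTP address, or '' if it cannot be parsed.

    Exchange-style exports sometimes carry an 'smtp:' prefix on forwarding
    addresses, so that prefix is stripped before parsing.
    """
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1]


def is_external(address: str, internal=INTERNAL_DOMAINS) -> bool:
    """True when the address is outside every domain the organization owns.

    Unparseable targets are treated as external so they surface for review.
    """
    domain = email_domain(address)
    if not domain:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def find_external_forwards(records, internal=INTERNAL_DOMAINS):
    """Return one finding per enabled record that forwards to an external domain."""
    findings = []
    for rec in records:
        if not rec.enabled:          # disabled rules move no mail; skip them
            continue
        external = [t for t in rec.targets if is_external(t, internal)]
        if external:
            findings.append({
                "mailbox": rec.mailbox,
                "source": rec.source,
                "external_targets": external,
            })
    return findings


# Constructed sample export; every name and address here is made up.
SAMPLE_RECORDS = [
    ForwardRecord("alice@example.com", "inbox_rule",
                  ["alice.home@personalmail.example"]),
    ForwardRecord("bob@example.com", "mailbox_forwarding",
                  ["smtp:assistant@corp.example.com"]),
    ForwardRecord("carol@example.com", "inbox_rule",
                  ["carol.old@webmail.example"], enabled=False),
    ForwardRecord("dave@example.com", "inbox_rule",
                  ["archive@example.com", "dave@webmail.example"]),
    ForwardRecord("erin@example.com", "mailbox_forwarding",
                  ["not-an-address"]),
]


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return find_external_forwards(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['mailbox']} ({f['source']}) forwards externally to: "
              f"{', '.join(f['external_targets'])}")
```

Run periodically against a real export, this turns "we have no idea where work mail is going" into a concrete list of mailboxes to talk to. Subdomains of an owned domain are treated as internal; anything that does not parse as an address is deliberately reported rather than silently ignored.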
Limited Help From Your IT Team
Even when you’re not being sued or facing a security breach, there are more mundane issues that occasionally come up with email. Maybe you’re not receiving messages you’re expecting, or someone complains that they haven’t gotten yours. These are the kinds of things employees go to their IT teams for help with—but there’s little your team can do to trace missing emails that are forwarded externally because they have no access to the mail server your personal email is hosted on. If something like this comes up, you’re out of luck and may have to ask others to re-send messages, causing delays and inconveniences.
Don’t Link Your Personal Email to Work—It’s Not Worth It
All of this goes to show that the risk involved in forwarding between work and personal email accounts outweighs any benefit of convenience. Besides, you may be able to safely put a separate app on your phone for work email, or even toggle between accounts within one app. For example, if your work uses Microsoft’s Mobile App Management (MAM), separate profiles in your Outlook app will be sandboxed so you can easily access either your business account or your personal one without compromising security. If you’re unsure, check with your security team for the best option.
And lastly, another point worth keeping in mind is the lack of security in standard email. When you do use your personal account outside of work, it’s always good to be mindful of what you’re sending and stay aware of the possibility of phishing and fraud coming your way.
Wondering exactly what attackers might do to your vulnerable email account? Check out the MITRE ATT&CK and D3FEND charts that detail the kinds of techniques that malicious actors use and how to defend against them.