It can be tempting to use your familiar, personal email account to send and receive emails for your professional life – but you shouldn’t take the risk.
Using your personal email to communicate for business purposes isn’t a good idea. It can expose you to a number of legal and other liabilities. And, to be honest, it doesn’t look very professional, does it? Read on to learn more about the legal and security implications of conducting business on your personal email account.
Every so often, a client of ours will check with us about using their personal email to do business.
While there is a range of implications that come with doing so (legal, reputational, etc.), usually the question is asked to double check about how it could affect their cybersecurity.
Regardless of why a user may be asking the question, the answer is that it is never advisable to use a personal email account for business purposes. Period.
But if you’d like more detail as to why and, specifically, if you’d like to understand what risks you may be taking right now if you’re already using a personal email account at work, then keep reading.
Legal implications and data integrity
The first risk, and likely one of the most severe, is that when you use your personal email account for work (or, allow your employees to do so), then you’re adding a number of uncontrollable variables into how your business data is accessed and where it is stored.
In an ideal situation, in which everyone at your business is using approved, professional business email accounts on a verified client, you (or, more likely, your IT department or outsourced Leesburg, FL IT services company) know where your data is.
Especially in the age of cloud computing, when all data is stored “offsite” and accessed remotely in one way or another, you may assume that your data’s “location” isn’t very important – can’t you just access it the same way no matter where it is?
It’s not that simple.
When working with a professional cloud-based IT environment, your IT people should know where your data is stored, and that it’s being stored properly in secure and backed-up data centers. Even though your data isn’t hosted onsite (or not entirely onsite, depending on the size of your business), it is still accounted for.
When you factor in personal email, all those assurances go out the window. Your IT team won’t be able to confidently track where your data is being kept, and how well it is being maintained. Depending on the personal email accounts your staff members use, this data may not be backed up.
Furthermore, in the event of legal proceedings, personal emails are often not discoverable, meaning that it wouldn’t be possible to externally scan users’ emails (e.g. Google specifically prohibits this for Gmail accounts).
And lastly, don’t forget about compliance. Depending on the business sector in which you operate (finance, healthcare, government contracting) you may be subject to compliance regulations that strictly state how data is stored and accessed. Personal email accounts are woefully ill-suited to meet compliance standards.
Security implications and data protection
This one should be obvious – personal email accounts do not have the same cybersecurity measures as their professional counterparts.
In order to properly secure a business’ email accounts, a number of protections must be put in place:
Can you guarantee that your employees’ email accounts have all the same protections in place?
If one of your staff members is targeted by a cybercriminal or has their personal email address added to a mass phishing campaign, they are much less prepared to defend against it than a robust, professional email client would be.
Once that personal email account is compromised, the cybercriminal has access to any and all private business information that has ever been sent or received on it. And because it’s a personal account rather than one managed by an IT department, it’s much less likely that you would be able to wipe its contents, remotely log it out, or reset the login info.
Staff changes and data continuity
Here’s a scenario to consider: what happens when you have to terminate an employee, but they had been using their personal email to conduct business on your behalf?
You can’t remove their access to their own email, so when they leave your business (perhaps not on the best terms), they will still have copies of what is potentially private and valuable business information.
They continue to have contact info for your current employees, clients, and other business contacts – and may even be contacted by your clients that may not have been aware of their termination (let’s be honest – you don’t always want to spread the word that you had to fire someone).
By allowing your employees to use their personal email now, you surrender control of a great deal of business data in the future. It would be nice to assume that your current staff members will always be with you, or that if they do leave it will be on good terms – but that’s not likely. And you shouldn’t risk your data and your business betting on it.
Professional and reputational implications
While it may not involve legal, compliance, or security implications, this risk could very well affect your bottom line.
Let’s call a spade a spade – using a personal email for work doesn’t look very good, does it?
It’s the same line of thinking that suggests that using a .org domain for your business isn’t a good idea either.
It just makes you look cheap – like you wouldn’t spring for a specific domain that matches the name of your business.
If a potential client gets in touch with you over the phone or in person, and then later follows up on email and gets a reply from something like firstname.lastname@example.org, they probably won’t think very highly of your business, will they?
That’s four solid reasons why you shouldn’t be using your personal email at work, but there’s actually one more – it’s completely unnecessary.
Getting a business email account has never been easier. Virtually any service provider will be able to offer secondary accounts that can be personalized with a business-specific domain. Furthermore, any IT services company worth their salt can set it up for you.
Don’t cut corners and try to save a buck when it comes to your business’ email. Beyond the many serious risks to which it can expose you, it also just makes you look bad.