Using Personal E-mail Addresses for Business

Is it okay to ever use a personal e-mail account address for business, or send business e-mails to my personal e-mail address?

The short answer is ‘No!’ This is because it opens your business up to security, legal and professional risks that may lose you customers and can damage your reputation.

All businesses have the capability to access their e-mails on all sorts of equipment: smartphones, tablets, PCs and laptops (the latter two through a secure VPN back to the business itself). So there is no reason to resort to personal e-mail accounts for business use.

Beyond that, there are far greater risks to the business in terms of security, legal compliance and business reputation that should be enough to deter employees from using such risky methods in the corporate environment.

What are the security risks of using a personal account for business?

Personal e-mail accounts exist outside of the IT department’s control, so they are not subject to backup, archiving, security controls or governance. Using them for business purposes is therefore a clear violation of compliance regulations. Furthermore, because they are beyond the bounds of the IT department’s control, there is no guarantee that e-mails are secure or will remain free of viruses.

If e-mails held in personal accounts are not backed up, the audit trail is lost, and the business and its employees are exposed to losing important information that the business must, by law, retain as evidence of good business practice. This opens the company up to suspicions of fraud.

Employees sending e-mails to their personal e-mail addresses cannot guarantee the security of those e-mails, particularly if they use systems such as Hotmail and Gmail, which are notoriously vulnerable e-mail systems and have been hacked on many occasions. How would it look if you lost company information because of a data breach in an employee’s personal e-mail account? It would damage your reputation and may result in lawsuits.

Whilst you may have appropriate antivirus protection in place, can the same be said of employees’ home computers? Typically, the answer is no, either because the antivirus has not been kept up to date or because the product being used is not as effective as those used within the business. If an employee sends an e-mail to a client from their home system, it could be infected by a virus that you have had no ability to control, and the reputation of the company is impacted.

And since personal e-mails are not stored on company servers, discovery for DPA/GDPR and Freedom of Information requests is seriously compromised, presenting legal risks to your organisation.
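The risks above all start with the same observable event: company mail being forwarded to a consumer webmail address. The following is an added example, not part of the original post, showing the kind of check a mail administrator could run over outbound gateway logs to spot that behaviour. The log format (timestamp, sender, recipient, quoted subject), the corporate domain `example-corp.com`, the sample log lines and the list of personal webmail domains are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample mail-gateway log lines (not from the original post).
# Assumed format: <timestamp> <sender> <recipient> "<subject>"
SAMPLE_LOG = """\
2024-01-09T08:12:01 alice@example-corp.com bob@client-co.com "Q1 proposal"
2024-01-09T08:15:44 alice@example-corp.com alice.smith@gmail.com "FW: Q1 proposal"
2024-01-09T09:02:10 carol@example-corp.com carol_home@hotmail.com "contract draft"
2024-01-09T09:30:00 dave@example-corp.com team@example-corp.com "standup notes"
"""

# Hypothetical corporate domain and a small, assumed list of consumer webmail domains.
CORP_DOMAIN = "example-corp.com"
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "icloud.com"}

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')


def parse_line(line):
    """Parse one gateway log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, subject = m.groups()
    return {"ts": ts, "sender": sender, "rcpt": rcpt, "subject": subject}


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def local_part_of(addr):
    """Return the lower-cased local part (before the @) of an e-mail address."""
    return addr.rsplit("@", 1)[0].lower()


def is_forward_to_personal(entry):
    """True when a corporate sender addresses a consumer webmail domain."""
    return (domain_of(entry["sender"]) == CORP_DOMAIN
            and domain_of(entry["rcpt"]) in PERSONAL_DOMAINS)


def looks_like_self_forward(entry):
    """Heuristic: the sender's local part appears inside the personal recipient's local part
    (e.g. alice -> alice.smith), suggesting the employee is mailing themselves."""
    return local_part_of(entry["sender"]) in local_part_of(entry["rcpt"])


def find_personal_forwards(log_text):
    """Return every parsed entry that is outbound corporate mail to a personal webmail domain."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_forward_to_personal(entry):
            entry["self_forward"] = looks_like_self_forward(entry)
            hits.append(entry)
    return hits


def summarize_by_sender(hits):
    """Count flagged messages per corporate sender, for a daily review report."""
    return dict(Counter(h["sender"] for h in hits))


if __name__ == "__main__":
    flagged = find_personal_forwards(SAMPLE_LOG)
    for h in flagged:
        tag = " (likely self-forward)" if h["self_forward"] else ""
        print(f'{h["ts"]} {h["sender"]} -> {h["rcpt"]} "{h["subject"]}"{tag}')
    print(summarize_by_sender(flagged))
```

In a real deployment the domain list would come from the mail gateway's own category feeds rather than a hard-coded set, and the per-sender summary would feed the HR or compliance review the post argues for, rather than an automatic block, since some business contacts legitimately use webmail addresses.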

If you are concerned about your organisation’s data security, then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).

If you would like to learn more about ISO 27001, we have a two-part podcast series discussing the journey to certification.
