The Risks of Personal Email and Browsing
Personal email and web browsing activities can do more than just violate policy. They also increase phishing susceptibility, according to a recent article on the Proofpoint blog.
“Email is so well suited to attacks that personal webmail, and personal browsing more generally, is now joining corporate email as a major source of compromised accounts and endpoints,” author Mark Guntrip advises. While corporate email gets much of the attention from infosec professionals, employees can also “fall for a phishing attack through their personal webmail on their corporate laptop, which all too often is accessed off the corporate network and its security controls.”
The article notes that organizations can use technical controls to mitigate the risks inherent in employees’ personal browsing and email activities: Proofpoint’s web isolation solution is designed to prevent malicious content from infecting or impacting corporate devices and to protect end users from known phishing sites.
But what if you don’t (or can’t) apply these technical controls? And what about activities like social sharing and extending device access to family and friends? The surest path to better cyber hygiene and improved security postures is to change employee behaviors. Effective security awareness training is essential for teaching users how to safely manage their email, post to social media, browse the internet, and so on.
Instilling Good Habits, Establishing Boundaries
Some overlap between business and personal technology use may be unavoidable. That is all the more reason for end users to understand your organization’s security policy and to be trained to apply cybersecurity best practices, particularly when using corporate devices outside the office. This will help to instill more secure behaviors in your end users, even if they do break the rules regarding personal use.
With that said, one boundary should be made crystal clear, both in policy and in direct training: End users should not lend their employer-issued laptops or smartphones to anyone — including coworkers, family members, and friends — unless authorized by your IT team.
As our User Risk Report shows, many people are all too comfortable with using work devices for personal activities. This propensity is just one of many poor end-user habits that can increase risk for your organization. Interactive, engaging security awareness training is essential to establishing boundaries, instilling good habits, and helping end users understand the reasoning behind your security policies.