We all need to understand that using your work address outside of your work network can be a risk and this scenario could develop into leaking sensitive company data.
For sole traders and freelancers, it may be harder to separate your work email address when using your personal devices. So it’s even more important that your devices take advantage of face-id and pin access. In addition, ensure your online accounts are secured using strong passwords and multi-factor authentication.
By utilising work email accounts for your personal accounts (such as social media), your business is exposed to another route for attackers, especially as you don’t have control over basic things like password quality and multi-factor authentication. In addition, it means your personal life is linked to this work account, offering valuable information for someone to target that individual or your business.
Scenario: Your Facebook Page is Hacked
You're an employee who uses your work email address to sign up for a new Facebook account. You're looking to document some upcoming holidays and capture memories of your children to share with your family.
Unfortunately, on your Facebook account, you've used a weak password, and you didn't turn on two-factor authentication (2FA). The account was hacked, with your personal information, conversations and images leaked onto the dark web.
What is the risk to the employee?
Personal information on the dark web - other criminals may attempt to take advantage of social engineering techniques to perform further attacks.
Time cost - you will need to contact existing internal/external contacts to inform them of your change of email address or even the attack itself.
Loss of Job / Breach of contract / Reputational damage - this data breach could result in the termination of your employment.
What is the potential risk to the employer?
Spoofing - cyber attackers may use the breached work email address and pose as the employee to contact clients, partners or other work colleagues.
Sensitive data exposure - Information relevant to company projects/campaigns could now be available on the dark web.
Harmful PR / Reputational damage - With a data breach, the company could face headlines in the local/national media, which could strain essential business relationships and affect the company's confidence with customers, investors and other stakeholders.
GDPR / Data breach reporting to the ICO - the company will now be liable to report this breach to the ICO, with potential consequences being a substantial financial penalty.
Leaked images of the work environment showing the technologies/equipment used by the company - put the company at risk of potential cyber attackers exploiting vulnerabilities in the leaked technology.
Time cost - your IT department will then have to set up a new email account for you. Employees should also undertake further security awareness training to improve their cyber resilience.
What should you do to mitigate the impact of this incident?
Report this incident to the relevant department of your employer - it’s crucial an incident like this isn’t ignored, or the consequences could be magnified.
Review your other accounts for potential data breaches and remove/delete any non-work related accounts using your work email address. (Check Haveibeenpwned to see if your email or phone has been caught in a cyber breach).
Change any passwords that involve your work address to mitigate the risk of these accounts also being compromised.
If your business wants to strengthen your resilience to online crime, talk to us about training your staff today. Our membership and training packages are designed and delivered by cyber experts with the most up-to-date information in an ever-changing cyber landscape.
In addition, Security Awareness Training is a great way to prevent and mitigate the risk of cyber attackers tricking or scamming your staff.
