According to a recent study from staffing firm OfficeTeam, the average employee admits to “wasting eight hours of work time per week” on personal tasks, 30% of which was spent on personal email.
The rampant use of smartphones and the always-on nature of the internet have blurred the lines between work and personal time, so employers shouldn’t necessarily be shocked at these statistics. But, many organizations brush aside these habits, forgetting that personal email is one of the top causes of insider threat-related data leaks.
In this week’s “Coachable Moments” post, we’re covering personal email use at work, so you can provide employees with the necessary context around how and when — if ever — it’s allowed.
Mo Personal Email, Mo Problems
The email-based insider threat is not always the textbook case of a disgruntled employee sending sensitive corporate data en masse to a personal account. For example, employees could fall victim to phishing scams in their personal email while on the corporate network. Or they could become unintentional insider threats by sending seemingly innocuous details about their work to former employees, media, or other people who have no particular intention of keeping that conversation private.
Regardless of how personal email is being used, it’s important to be vigilant about user activity on corporate networks. Nearly 80 percent of major companies monitor employees’ use of email, internet, and more in 2018, according to a study from the American Management Association. This stat is a steep rise from the figures in 1997, when only 35 percent of companies monitored their employees.
Rather than treating employees like they’re in a 24-hour surveillance state (which would throw the relationship between cybersecurity and insiders out of balance), take the time to explain company email policy, and detail both how and why user activity monitoring is in place at your organization.
Make Personal Email and Internet Use Policy Clear
It may help your organization to draw a clear line in the sand around personal email usage on company devices, stating that this type of activity is never allowed. However, given that many employees bring personal devices and smartphones to work, prohibiting personal email during work hours altogether becomes considerably more difficult to enforce.
While responding to a group email about a rain delay for a soccer game isn’t going to get someone fired, spending hours per day on personal email or sending sensitive corporate information to personal accounts could be subject to HR review and/or disciplinary action.
No one likes to feel as if they’re being watched, so a training session on personal internet use and user activity monitoring may shed light on exactly what types of user activity could lead to an increased insider threat risk.
This session could cover the following information:
- Which activities put the company at risk
Include phishing emails, sending sensitive corporate data, and discussing business matters on personal email. Be sure to detail how user activity is monitored via corporate-owned devices and WiFi networks, so people have a clear understanding of how the policy affects their internet use at work.
- What’s anonymized through user activity monitoring
Many user activity monitoring systems collect anonymized or pseudonymized user data as a matter of routine, so that people don’t feel their privacy is being violated. Explain how this type of system works, and why it’s different from having their personal identity attached to every recorded activity.
- Why user activity monitoring is in place, anyway
Rather than monitoring for monitoring’s sake alone, explain to your team that user activity monitoring is intended to protect them from accidentally falling victim to a cyber threat, as well as to protect the organization as a whole.
- What could result in disciplinary action
You may wish to include a member of the HR team in your session, so you can cover what types of user activity may be subject to further investigation. This type of training isn’t intended to scare users, but rather to inform them of how everyday corporate WiFi use on their own devices differs from exfiltrating sensitive data.
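To make the “which activities put the company at risk” and “what’s anonymized” points concrete for a training session, here is an added illustration (not code from the original post or from any monitoring product it describes). It assumes a constructed mail-gateway log format, a short list of consumer webmail domains standing in for “personal email,” and a demo HMAC key; all three are assumptions for the example. It flags messages to personal mailboxes that carry attachments or sensitive subject markers, lets a plain group email about a rain delay through with only an informational note, and replaces the sender’s identity with a keyed token so the review queue shows who only to whoever holds the key.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Assumptions for this illustration (constructed, not from the original post):
# - the mail gateway writes one line per outbound message in the format below
# - a handful of consumer webmail domains stand in for "personal email"
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
SENSITIVE_MARKERS = ("confidential", "internal only", "customer list")

# Key used to pseudonymize senders. Whoever holds it (e.g. HR) can re-identify a
# token during a sanctioned investigation; analysts only ever see the token.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<attachments>\d+)$'
)

# Constructed sample log: one ordinary personal email, one clear policy
# violation, one internal message, and one chat with a former colleague.
SAMPLE_LOG = """\
2018-06-12T09:14:03Z from=alice@example.com to=soccer-parents@gmail.com subject="Rain delay Saturday" attachments=0
2018-06-12T10:02:41Z from=bob@example.com to=bob.home@gmail.com subject="Q3 customer list - CONFIDENTIAL" attachments=1
2018-06-12T11:37:19Z from=carol@example.com to=dave@example.com subject="Sprint notes" attachments=1
2018-06-12T12:05:55Z from=erin@example.com to=former.colleague@yahoo.com subject="what we're shipping next quarter" attachments=0
"""


def pseudonymize(address: str) -> str:
    """Keyed hash: the same person maps to the same token across events,
    but the token cannot be reversed without PSEUDONYM_KEY."""
    digest = hmac.new(PSEUDONYM_KEY, address.lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:12]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one gateway line; return None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["attachments"] = int(event["attachments"])
    return event


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess(event: Dict):
    """Return (level, reasons). Levels: none < info < review."""
    to_domain = domain_of(event["recipient"])
    if to_domain == CORP_DOMAIN or to_domain not in PERSONAL_DOMAINS:
        # Internal mail, or an external business domain: not the personal-email
        # question this example is about, so no finding here.
        return "none", []
    reasons = []
    if event["attachments"] > 0:
        reasons.append("attachment sent to personal mailbox")
    subject = event["subject"].lower()
    hits = [marker for marker in SENSITIVE_MARKERS if marker in subject]
    if hits:
        reasons.append("subject mentions " + ", ".join(hits))
    if reasons:
        return "review", reasons
    return "info", ["personal recipient, no sensitive indicators"]


def triage(log_text: str) -> List[Dict]:
    """Run every parseable line through assess() and pseudonymize the sender."""
    results = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        level, reasons = assess(event)
        results.append({
            "ts": event["ts"],
            "sender": pseudonymize(event["sender"]),  # identity withheld from the queue
            "recipient_domain": domain_of(event["recipient"]),
            "level": level,
            "reasons": reasons,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["ts"], r["sender"], r["recipient_domain"], r["level"], "; ".join(r["reasons"]))
```

Two things worth pointing out in a session: the message to a former colleague comes out as “info” only, because nothing in the log distinguishes it from the soccer email, which is exactly why the training covers discussing business matters on personal email rather than relying on monitoring alone; and the “review” queue carries tokens, not names, so escalation to HR is a deliberate, logged step rather than a side effect of looking at the data.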
Key Insider Threat Management Takeaways
In conclusion, err on the side of being open and transparent about user activity monitoring with your employees, so they know what in-policy and out-of-bounds activity looks like. Chances are, if they’re well-informed, and you have visibility into user activity, your insiders will be less likely to break policy.
Considering that two out of three insider threat incidents are caused by employee or contractor mistakes, having a well-trained team that’s vigilant about its own cybersecurity practices could protect your organization from a costly incident.