Help Please, Trying to Convince Company Mixing Personal and Corporate Email is Bad Practice


DrB0b

IS-IT--Management
May 19, 2011
1,425
US
Hello All,
So I have worked for three separate family owned companies from very small to medium size and they all used their business email account for personal emails. I was able to convince two of them that it is horrible practice to do so because you are signing up for every service known to man and getting that email put on all sorts of SPAM and dark web lists that outside actors will attack. I was able to set up gmail accounts for the last place I was at for the owners so they could do all personal communications and web signups for that account to alleviate the SPAM/viruses that would follow poor use of their corporate email accounts.

My Google-fu seems to be lacking this morning because I was only able to find two sites that dealt with this issue, but both did say it was bad practice. Another said it was a good idea due to the password complexities associated with business email accounts and the spam/virus blocking they tend to offer. I'm looking for any sites, articles, posts, or your opinions on why this is indeed a bad idea. If I am on the wrong side of this, please let me know. The main reason I am looking for this info is that we are sitting behind a Barracuda Essentials Cloud spam filter and the owners are complaining when a password reset email for some random site gets caught in quarantine or they do not get an email from some foreign guy they met at a trade show until I kick it out of quarantine.

I know we have a lot of high end techs here from fairly large companies so I am especially interested to hear your take. The owners here keep saying that Amazon's Jeff Bezos never has to wait on someone to kick an email out for him, which I honestly believe because I'm sure he knows how to use the quarantine system.........

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
2 words: Hillary Clinton

==================================
advanced cognitive capabilities and other marketing buzzwords explained with sarcastic simplicity


 
So that would be in favor of using business email for all types of email, personal and business related?

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
To elaborate, I believe that personal emails belong in a personal email provider, i.e. Gmail, Yahoo, etc. Business related emails belong in your business domain email.

I do not need your Amazon order for a back scratcher coming through on your business email nor do I care that you signed up for some sketchy anti-vaxxing site that is only in http. Your email is being added to thousands of SPAM and virus targeted lists when doing so. Why would you want to throw the additional attack vector at your business email?

Perhaps I am thinking of this one-sided......

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
I'm honestly shocked by the lack of opinions on this one. Maybe I am making a bigger deal of this than it should be. Just looking at it from a risk/reward situation for private business I do not see the benefit. Government is obviously its own hairy creature.....

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
johnherman is succinctly correct. Hillary Clinton is probably the best known example of the political issues with mixing email accounts. (The US federal government is more to blame for allowing classified information to be exchanged by email. Has that gaping security hole been addressed?)

On a less-federal and less-political level, mixing personal and work email is still bad. If you're suspected of a crime at home and you use your work computer to check home email, the legal system can search/subpoena the work computer...and vice versa.

It sounds like your main concern is just preventing spam. The problem is that even if I use fakeymcfakefake@gmail.com address 99% of the time for throwaway registrations on web sites, my 1% use of spamjim@myemployer.com email address is still exposed to the public and can still fall onto spam lists and user database dumps (haveibeenpwned.com).

Email sucks. There's nothing that changes that.
 
Thanks for the reply, SpamJim. So my main concern is the amount of phishing and virus-link-laden emails that we receive. I know that once an email account is out loose on the web there is no real way to rein it back in, but I feel pretty confident that if you used your work email account for work-related things only and didn't advertise it, that account will receive far less spam/phishing/virus emails than one used for personal and business alike. I know that is more of a perfect-world scenario, but since I deal with spam/virus/phishing email prevention on a day-to-day basis I feel like it isn't taken as seriously as it should be.

Again, maybe it's the boots-on-the-ground mentality and I am overshooting it here, but I think you could mitigate a large number of attacks by simply using your email address correctly in the first place.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
So you're filtering your company email from spam/virus/phishing but encouraging the use of separate gmail accounts you cannot filter. That's contrary to your security goal.

Ideally, you'd...

  • block the popular mail domains (gmail/hotmail/etc) so that people are not using personal email that might carry malware and bugaboos into the business.
  • train employees to use advertisement and script blockers in their browsers.
  • do everything you can to move your employees off of email, by moving business transactions/communications to a web based management system. (what's google's, facebook's, and amazon's email address?)
  • give employees access to their email quarantine so that they can release held messages that they were expecting.
  • use a system that allows the employee to release the single email or to permit all future messages from the sender.



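The gateway behaviour spamjim describes (hold mail from consumer webmail domains, then let the recipient either release one held message or permit that sender for good), as an added toy example that is not from the thread and not Barracuda's or any vendor's code; the domain list, addresses and messages are constructed for illustration:

```python
"""Toy mail-gateway quarantine policy with per-recipient sender permits.
Added example, not from the thread; all domains and addresses are constructed."""
from dataclasses import dataclass, field

# Constructed set of consumer webmail domains that the gateway holds for review.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str


@dataclass
class Gateway:
    # recipient -> set of senders that recipient has chosen to permit in future
    permitted: dict = field(default_factory=dict)
    # msg_id -> held Message
    quarantine: dict = field(default_factory=dict)

    @staticmethod
    def _domain(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower()

    def classify(self, msg: Message) -> str:
        """Return 'deliver' or 'quarantine'; held messages are stored."""
        allow = self.permitted.get(msg.recipient.lower(), set())
        if msg.sender.lower() in allow:
            return "deliver"          # sender was explicitly permitted by this recipient
        if self._domain(msg.sender) in PERSONAL_DOMAINS:
            self.quarantine[msg.msg_id] = msg
            return "quarantine"       # consumer webmail: hold for release
        return "deliver"

    def release_once(self, msg_id: str) -> Message:
        """Release a single held message; the sender stays untrusted."""
        return self.quarantine.pop(msg_id)

    def permit_sender(self, msg_id: str) -> Message:
        """Release the message and permit its sender for that recipient only."""
        msg = self.quarantine.pop(msg_id)
        self.permitted.setdefault(msg.recipient.lower(), set()).add(msg.sender.lower())
        return msg
```

Note that a permit is scoped to one recipient, so a sender released by the owner is still held for everyone else, which is the trade-off DrB0b raises below about relying on each user's judgement.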
 
Following on spamjim's comments.....many of the companies for whom I worked or consulted have a policy that the corporate e-mail was not to be used for personal business. In fact, the entire corporate workstation, network, servers, etc. and all its software are reserved for corporate activities only. This is similar to the policy from decades ago that the corporate telephone is not to be used to conduct personal business. Common sense says that sometimes exceptions are allowed and necessary (in exceptional circumstances).

Employees wishing to do personal business on pseudo-company time (such as breaks and lunch) should be doing so on their own devices. Using personal devices on company time is also a violation, ethically if not explicitly spelled out in a policy. Whether the corporation will allow these public devices on their Wi-Fi network is a matter of policy as well, with bandwidth, security, and other concerns. When I worked as an NSA contractor, they pretty much did not allow any personal materials into the office. If you did want to bring in, for instance, a CD of tunes to listen to, it became property of NSA and would never be allowed to leave the building. Personal devices were to be left behind in your vehicle, as they were not permitted inside. You could go out to your car on lunch break and check e-mail or access the web.

==================================
advanced cognitive capabilities and other marketing buzzwords explained with sarcastic simplicity


 
@spamjim - So we have all personal email locked out of our network. You cannot physically access gmail, yahoo, etc. Smartphones, tablets, laptops, etc. are not allowed during working hours unless given to you by the company. We do have a separate wifi network that people can use on break or lunch with their personal devices which is not restricted, so they can access those email sites and do whatever. We have company policy stating you are not allowed to use those during business hours, and being caught with them will result in punishment of some sort. All employees are using script/ad blocking with FF and Chrome. I do not want to allow each user to pick through their quarantine, as then you are relying on their knowledge to decide if it is a legit PO that came in or a fake one. You can teach and test all you like, but the second that the bad guys invent a new method via email and someone clicks on it, we are down for a few days while we recover. If I am going through the quarantine with a trained eye, I will likely spot that attack and stop it from ever happening. Thus being my dilemma.

"do everything you can to move your employees off of email, by moving business transactions/communications to a web based management system. (what's google's, facebook's, and amazon's email address?)"
In a perfect world, yes, but email transactions are likely 80% of the communication utilized. We would need some sort of CRM capable of doing so. If you have a suggestion I am all ears.

@- Johnherman, I agree with those policies.

@- fortworthclearinternet - thanks for coming out???

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 