
The Risks of Employee Emails and Social Media

By Rich McRae

January 11, 2019

Is a social media account, such as LinkedIn, a personal account? Does your financial institution’s Acceptable Use policy address the use of social media for work-related business? What about other external accounts that require a basic profile and email address, such as Facebook, Twitter, travel reservation/membership rewards accounts, etc.? In completing IT reviews, we have advised financial institutions to establish policy and procedures to address any employee-created accounts set up with external service providers. Some have taken the recommendation so far as to prohibit access to such accounts from non-bank workstations and networks.

For the purpose of this discussion, externally created accounts (Facebook, LinkedIn, Twitter, etc.) are considered personal accounts. Here’s why:

  • The employee creates the accounts without information technology support assistance or administration.
  • Risk to the financial institution is increased when an employee uses their work email address for personal/non-bank managed application accounts.
  • External accounts are often the basis for a phishing campaign, and since the account is tied to the employee’s email address through the bank’s domain, the incoming phishing email looks and feels more legitimate. If an employee clicks the link and logs in, the hacker has now intercepted login credentials or can trigger malware installation on the work computer.
  • Passwords to external accounts often go unchanged and might be used across multiple systems. If LinkedIn gets breached (again), the password for that account, along with the work email (used as the username for that account), will provide access to any other account where the employee has used the same credentials.

We advise financial institutions to consider the risk of intermingling personal accounts with bank-administered systems. Any external system accounts should also be identified on the user access authorization form. Management can reduce risk to the bank by encouraging employees to keep personal accounts separate from their work-related digital profiles. Best practice is to prohibit combining personal account use with work email addresses, and to also disable use of personal email accounts through email filtering.
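Two of the controls recommended above can be checked at the mail gateway: filtering mail to and from personal webmail providers, and spotting work addresses that have been used to register external accounts (the sign-up or verification email from the service lands in the work mailbox). The following is an added illustration, not code from the original article or from any gateway product; the bank domain, the provider and service lists, the log line format and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical bank domain and illustrative domain lists; an institution would
# maintain these in its own filtering policy.
BANK_DOMAIN = "examplebank.test"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
EXTERNAL_SERVICES = {"linkedin.com", "facebook.com", "facebookmail.com", "twitter.com"}
SIGNUP_SUBJECTS = re.compile(r"(confirm|verify|welcome|activate)", re.I)

# Constructed gateway log format: timestamp, direction, envelope sender/recipient, subject.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<dir>in|out) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> subject="(?P<subj>[^"]*)"$'
)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def review_mail_log(lines):
    """Return (blocked, registrations).
    blocked: log lines involving a personal webmail provider (to be filtered).
    registrations: {work address: {external service domains}} where a sign-up or
    verification mail shows the work address was used to create a personal account."""
    blocked = []
    registrations = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line; a real gateway would log this separately
        src_dom, dst_dom = domain_of(m["from"]), domain_of(m["to"])
        # Control 1: personal webmail traffic in either direction is filtered.
        if src_dom in PERSONAL_WEBMAIL or dst_dom in PERSONAL_WEBMAIL:
            blocked.append(line.strip())
            continue
        # Control 2: inbound sign-up mail from an external service to a work mailbox
        # is evidence of an external account that belongs on the access authorization form.
        if (m["dir"] == "in" and src_dom in EXTERNAL_SERVICES
                and dst_dom == BANK_DOMAIN and SIGNUP_SUBJECTS.search(m["subj"])):
            registrations[m["to"].lower()].add(src_dom)
    return blocked, dict(registrations)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '2019-01-10T08:01:02 in from=<noreply@linkedin.com> to=<jdoe@examplebank.test> subject="Please confirm your email address"',
    '2019-01-10T08:05:10 out from=<jdoe@examplebank.test> to=<jdoe.home@gmail.com> subject="Q4 loan pipeline"',
    '2019-01-10T09:12:44 in from=<security@facebookmail.com> to=<asmith@examplebank.test> subject="Welcome to Facebook"',
    '2019-01-10T09:30:00 in from=<alerts@linkedin.com> to=<asmith@examplebank.test> subject="Verify your new LinkedIn account"',
    '2019-01-10T10:00:00 in from=<vendor@supplier.test> to=<asmith@examplebank.test> subject="Invoice 1234"',
]

if __name__ == "__main__":
    blocked, regs = review_mail_log(SAMPLE_LOG)
    print("filtered:", blocked)
    print("external accounts by employee:", regs)
```

Running the sample flags the one message sent to a gmail.com address and reports that two work addresses have been used to register LinkedIn and Facebook accounts.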

Cybersecurity Risk Assessment

We are pleased to offer this risk assessment to assist your financial institution in measuring inherent risk and cybersecurity maturity. This questionnaire is designed to help your organization understand baseline requirements for mitigating cybersecurity risks and evaluate additional controls as your organization matures in size and complexity.
