The Risks of Employee Emails and Social Media

By Rich McRae

January 11, 2019

Is a social media account, such as LinkedIn, a personal account? Does your financial institution’s Acceptable Use policy address the use of social media for work-related business? What about other external accounts that require a basic profile and email address, such as Facebook, Twitter, travel reservation/membership rewards accounts, etc.? In completing IT reviews, we have advised financial institutions to establish policy and procedures to address any employee-created accounts set up with external service providers. Some have taken the recommendation so far as to prohibit access to such accounts from bank workstations and networks.

For the purpose of this discussion, externally created accounts (Facebook, LinkedIn, Twitter, etc.) are considered personal accounts. Here’s why:

  • The employee creates the account without assistance or administration from the institution's information technology support.
  • Risk to the financial institution increases when an employee uses their work email address for personal, non-bank-managed application accounts.
  • External accounts are often the basis for a phishing campaign. Because the account is tied to the employee's email address on the bank's domain, the incoming phishing email can look and feel more correct and appear legitimate. If an employee clicks the link and logs in, the attacker has captured the login credentials or can trigger malware installation on the work computer.
  • Passwords to external accounts often go unchanged and may be reused across multiple systems. If LinkedIn is breached (again), the password for that account, together with the work email address used as its username, will provide access to any other account where the employee has used the same credentials.

We advise financial institutions to consider the risk of intermingling personal accounts with bank-administered systems. Any external system accounts should also be identified on the user access authorization form. Management can reduce risk to the bank by encouraging employees to keep personal accounts separate from their work-related digital profiles. Best practice is to prohibit combining personal account use with work email addresses, and to also disable use of personal email accounts through email filtering.
