The Risks of Employee Emails and Social Media

January 2019 | Article

By Rich McRae

Is a social media account, such as LinkedIn, a personal account? Does your financial institution’s Acceptable Use policy address the use of social media for work-related business? What about other external accounts that require a basic profile and email address, such as Facebook, Twitter, travel reservation/membership rewards accounts, etc.? In completing IT reviews, we have advised financial institutions to establish policy and procedures to address any employee-created accounts set up with external service providers. Some have taken the recommendation so far as to prohibit access to such accounts from bank workstations and networks.

For the purpose of this discussion, externally created accounts (Facebook, LinkedIn, Twitter, etc.) are considered personal accounts. Here’s why:

  • The employee creates the account without information technology support, assistance or administration, so the bank has no visibility into its settings, password or recovery options.
  • Risk to the financial institution is increased when an employee uses their work email address for personal or non-bank-managed application accounts.
  • External accounts are a common pretext for phishing. Because the account is tied to the employee's work address on the bank's domain, a phishing email impersonating the service arrives in the work inbox and looks legitimate. If the employee clicks the link and logs in, the attacker has captured the credentials, or the page can deliver malware to the work computer.
  • Passwords on external accounts are rarely changed and are often reused across systems. If LinkedIn is breached again, the leaked password, paired with the work email used as the username, gives an attacker a ready credential to try against any other system where the employee reused it, including the bank's own.

We advise financial institutions to consider the risk of intermingling personal accounts with bank-administered systems. Any external system accounts an employee uses for bank business should also be identified on the user access authorization form. Management can reduce risk to the bank by encouraging employees to keep personal accounts separate from their work-related digital profiles. Best practice is to prohibit the use of work email addresses for personal accounts, and to block personal email services on the bank network through its filtering controls.
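The two concrete risks above, a work address appearing in a third-party breach and the leaked password being reused internally, can both be checked once a breach export is available. The following Python is an added example, not code from the article or its author: it scans a constructed breach dump in the common email:password export format for addresses on the bank's domain, then compares each leaked password against a hypothetical internal credential store of PBKDF2-SHA256 hashes to find employees who reused the password. The domain examplebank.com, the dump contents and the credential store are all assumptions constructed for the example.

```python
"""Breach-exposure and password-reuse check for work e-mail addresses.

Added example. The breach dump, the bank domain and the internal credential
store below are constructed for illustration; none of it is real data.
"""
import hashlib
import hmac
import os

BANK_DOMAIN = "examplebank.com"  # assumption: the institution's mail domain

# Constructed breach dump in the email:password form most leak exports take.
BREACH_DUMP = """\
jdoe@examplebank.com:Summer2018!
J.Smith@ExampleBank.com:linkedin123
someone@gmail.com:hunter2
malformed line without separator
asmith@examplebank.com:Welcome1
"""


def _pbkdf2(password, salt):
    """Hash a password the way the hypothetical internal store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(users):
    """Build a hypothetical internal store: username -> (salt, pbkdf2 hash).

    Stands in for whatever directory or application holds current passwords;
    only the salted hash is ever compared, never the plaintext.
    """
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, _pbkdf2(password, salt))
    return store


def parse_dump(text, domain):
    """Return {local-part: {leaked passwords}} for addresses on `domain`.

    Addresses are lower-cased before matching because dumps mix case freely,
    and malformed lines are skipped rather than aborting the scan.
    """
    hits = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        local, _, email_domain = email.rpartition("@")
        if email_domain != domain.lower() or not local:
            continue
        hits.setdefault(local, set()).add(password)
    return hits


def reused_credentials(hits, store):
    """Return usernames whose current internal password equals a leaked one."""
    reused = []
    for user, leaked in hits.items():
        if user not in store:
            continue  # address is on the domain but has no internal account
        salt, digest = store[user]
        if any(hmac.compare_digest(_pbkdf2(pw, salt), digest) for pw in leaked):
            reused.append(user)
    return sorted(reused)


if __name__ == "__main__":
    exposed = parse_dump(BREACH_DUMP, BANK_DOMAIN)
    print("work addresses in dump:", sorted(exposed))
    # Constructed internal store: jdoe reused the leaked password, asmith did not.
    store = make_store({"jdoe": "Summer2018!", "asmith": "Different#1"})
    print("force password reset for:", reused_credentials(exposed, store))
```

Every address on the domain that appears in the dump is worth a notification and a forced password change; the reuse check narrows the list to the accounts that are exploitable right now, which is where incident response time should go first.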

Cybersecurity Risk Assessment

We are pleased to offer this risk assessment to assist your financial institution in measuring inherent risk and cybersecurity maturity. This questionnaire is designed to help your organization understand baseline requirements for mitigating cybersecurity risks and evaluate additional controls as your organization matures in size and complexity.
