
Employees using corporate emails for private purposes putting companies at risk

A new study has revealed 40% of all corporate email breaches occurred on websites used for personal purposes.

Employees using corporate emails for private purposes are putting companies at risk, it says.

Researchers from NordVPN Teams analysed global breach activity and looked at over 1.7 million email breaches that affected the world's largest enterprises across different sectors. The research revealed that people tend to use their corporate emails for registrations regardless of whether the registration is for corporate or personal purposes. It also shows the technology and education sectors are the most affected by data breaches.

Company emails in the US and Europe are widely used on entertainment and media sites. Interestingly, the top list includes dating, gaming, last-minute travel deal websites, and restaurant booking platforms. In fact, almost 40% of all breaches occurred on websites that were used for personal purposes. 

The data also revealed which sectors were the most breached. The technology industry was the most exposed, accounting for almost 20% of all corporate email breaches. Education and health sectors came in second and third at 13.3% and 12.9%, respectively.

Credential theft has been on the rise in recent years. According to the 2020 Verizon Data Breach Investigations Report, more than 80% of hacks are the result of credential theft (most of which is enabled by successful phishing attempts). Credential theft is a growing industry within the cybercriminal ecosystem for the trade and direct use of compromised login-password credentials.

The theft of a single password could compromise an entire database that is not properly protected. Experts warn that employees are making companies more vulnerable to cyber attacks.

"Using company email addresses for personal use puts businesses at risk," says Juta Gurinaviciute, chief technology officer at NordVPN Teams.

"If those email credentials are compromised, companies might fall victim to account hijacking when hackers have both the email address and password of an email account," he says.

"They're then able to change the password and take over the account."

In enterprise security, login-password credentials are both the most widely used and the most easily compromised, posing a significant amount of risk to any organisation.

Data shows that of all email breaches, only 9% of passwords involved were unique.

Despite the heightened awareness of security implications, many users still continue to reuse passwords and rarely, if ever, change them. 

According to a survey done by NordPass, 63% of respondents admitted reusing their passwords across their accounts. If that reused password gets leaked as part of a data breach, hackers may then have the key to the corporate network too, no matter how complex the phrase is.

"Google has been working on helping people to proactively create better passwords with Password Checkup," says Gurinaviciute.

"The tool checks logins against a database of 4 billion leaked credentials, recognising if the password typed matches the one that's been leaked. 

"Password managers like NordPass also offer the possibility to check if your password has been compromised in data breaches," he says. 

"The problem is that it is impossible to apply company security policy to websites that the company does not have control over, and this makes companies vulnerable to attacks," says Gurinaviciute.

"Educating employees on security is crucial, and companies should invest in regular employee security training, explaining the possible risk scenarios."