chogan
Newcomer II

Detecting email sent to personal email accounts

I am interested in hearing how other organizations are handling the issue of detecting if an employee is sending sensitive data to their personal email addresses.  We of course have a policy against this, but have a challenge enforcing it.

 

We have DLP rules that will automatically send outbound email through our secure messaging platform if PII is detected.  These are logged and reviewed.  We are a bank, so sending documents with PII is common.

 

With a large percent of our team working from home, we have detected a few cases of employees emailing files to their personal email account with the intent to be able to print them on their home printer.  This is against policy.  We were able to detect these because their personal email addresses were obvious.  If we see an email from Joe User going to juser@yahoo.com, it’s pretty easy to catch.  Our concern is the not so obvious email addresses.  If Joe User emails a document to snowleopard23@yahoo.com, we have no way to know if that is a legitimate email to a client or if that is his own personal email account. Any recommendations?

 

Part 2 of this is how to handle the violators.  We are looking into a progressive penalty system, possibly starting with a suspension without pay and escalating to termination.  Something with more teeth than a sit down with senior management since they already know it is prohibited.  Any suggestions along those lines are appreciated as well.

 

NOTE: I just made up snowleopard23@yahoo.com on the fly.  My apologies if this is someone’s actual email address.

11 Replies
tmekelburg1
Community Champion


@chogan wrote:

 

With a large percent of our team working from home, we have detected a few cases of employees emailing files to their personal email account with the intent to be able to print them on their home printer.  This is against policy. 


I know you didn't ask for this advice but I'd initially start with why they are trying to print at home and if it's necessary or extremely helpful for their positions, I'd look into ways for printing securely. Or setting up the environment so everything can be done electronically. I see this as a communication failure between IT and Operations.

 

 


@chogan wrote:

I am interested in hearing how other organizations are handling the issue of detecting if an employee is sending sensitive data to their personal email addresses.  

 

We have DLP rules that will automatically send outbound email through our secure messaging platform if PII is detected.  These are logged and reviewed.  We are a bank, so sending documents with PII is common.

 


We do the same thing as you but also DLP rules for PHI data as well. Does your messaging system have an encryption feature? You might be able to set it up to auto encrypt if it detects PII data. With ours we can either prevent the email flow or choose to encrypt the message. The receiver would then log into the encryption portal to retrieve the email. I know this doesn't fix the user's behavior but at least you would know it's encrypted.  

 

For your part 2. Personally, our IT/Security department has enough to worry about. I'd recommend punting to HR for coming up with creative solutions for violators. 

 

I'm definitely interested in how others in the Community handle these scenarios.  

PuettK
Newcomer III

Depending on the mail platform there are a number of things that can be accomplished.  DLP is only one of them.  Preventing SMTP relay, mail flow rules, and constant reminders on the policy are just a few.  Violations in the banking sector should be extreme for the employee.  This is a potential violation of client confidentiality regardless of whether you are a commercial bank or credit union.  Regulatory agencies could fine the bank heavily if discovered in a risk assessment or regulatory audit.

Steve-Wilme
Advocate II

Part of this comes down to policy.  Are staff allowed limited personal use, for example?  So if staff were to decide to use an employee assistance line, need to email an external pensions administrator or their doctor, what would the stance be?

 

If you're looking to prevent staff leaking data then you also have to look at uploads to file sharing sites, locking down copy and paste, connectivity, removable media, banning smartphones etc.  The worst email breaches I've encountered involved emailing the wrong recipient.  Esp. problematic if your company lawyers do it!

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
tmekelburg1
Community Champion


@Steve-Wilme wrote:

 

If you're looking to prevent staff leaking data then you also have to look at uploads to file sharing sites, locking down copy and paste, connectivity, removable media, banning smartphones etc.  The worst email breaches I've encountered involved emailing the wrong recipient.  Esp. problematic if your company lawyers do it!

 


That's a good point. If he were to set up a full tunnel to a web filtering device, i.e. Cloud or on-prem, that would lock down access to file share sites and personal email on the work mobile device. I haven't looked but I'm sure there are some GPOs that would restrict access to installing or adding additional printers on the mobile devices.

ericgeater
Community Champion

Gotta say, @Steve-Wilme, I like what you said.  If they're on a work computer, and they have access to non-work-related or personal resources (social media, dropbox, ANYTHING OTHER THAN BANKING OR FINANCE), then the machine may not be locked down enough. No Gmail, no Yahoo mail, no FB, life sucks, get a helmet, scroll on your phone.

--
"A claim is as good as its veracity."
chogan
Newcomer II

Thank you all for the replies.

 

Printing at home is prohibited, and the very few exceptions have been issued printers and shredders.

 

Unauthorized file sharing sites and cloud drives are blocked on the web filter.

 

Our DLP rules are sending these files through our secure messaging platform.  It is the normal course of business for users to send customers and/or third parties documents through this platform.  Our issue is that the recipient could be anyone from the public at large who is doing business with us, so how can we identify employees' personal email accounts vs. legitimate customers?

 

My answer so far has been that we can't, but, I am sure we are not the only ones needing to address this and wanted to see what others are doing.

 

HR, executive committee, and legal are working on formalizing the punitive aspect.  I am looking for better detection methods.  

 

 

 

chogan
Newcomer II


@ericgeater wrote:

Gotta say, @Steve-Wilme, I like what you said.  If they're on a work computer, and they have access to non-work-related or personal resources (social media, dropbox, ANYTHING OTHER THAN BANKING OR FINANCE), then the machine may not be locked down enough. No Gmail, no Yahoo mail, no FB, life sucks, get a helmet, scroll on your phone.


Those are blocked.  My issue is NOT that they are accessing their email from their work computer, it is they are able to send email to their personal email accounts from their work email.  Yes, if it has PII it will go through our secure messaging system, but they will still receive it on their personal devices, just as any legitimate bank customer would.

 

(edited to correct omitted NOT)

chogan
Newcomer II


Correction:  My issue is NOT that that they are accessing their email from their work computer, it is

 

tmekelburg1
Community Champion

Yeah, that's a tough issue. It's a combination of culture and technical capabilities of our systems. Like I said previously, I'd first try to find out the 'Why' and try to prevent it that way rather than beating them with the proverbial stick. Beat them with the stick later if it's not possible to come up with a secure printing solution or make everything electronic so it doesn't need to be printed. Hopefully, someone else in the Community that's in a regulated industry has figured this out.  

 

Any way to restrict sending PII to only registered customers or business partners through the secure message center? All other emails that are not registered and have PII in them would fail sending.
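As an added illustration (not code from anyone in this thread, and not tied to any particular DLP or secure-messaging product), the following Python sketch combines the two detection ideas raised above: the original poster's observation that obvious self-sends can be caught when the recipient local part resembles the employee's own name, and the suggestion in the last reply that PII-bearing messages to recipients not registered in the secure message center should fail. The webmail domain list, the registered-recipient set, the `bank.test` sender domain and every sample message are constructed for the example; in practice the registered set would be fed from the messaging portal's enrolment data.

```python
"""Triage outbound PII-bearing mail against a registered-recipient list.

Constructed example: the domain lists, the registry and the sample
messages below are invented to exercise the logic offline.
"""
import re
from dataclasses import dataclass

# Constructed list of consumer webmail providers (an indicator, not proof,
# that the recipient is a personal mailbox).
CONSUMER_MAIL_DOMAINS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "icloud.com", "aol.com", "protonmail.com",
}

# Constructed stand-in for recipients enrolled in the secure messaging portal
# (customers and business partners). Assumed to be exported from the portal.
REGISTERED_RECIPIENTS = {
    "snowleopard23@yahoo.com",
    "accounts@examplepartner.test",
}

# Reasons are constants so downstream reporting can key on them.
REASON_NO_PII = "no PII detected by DLP"
REASON_INTERNAL = "internal recipient"
REASON_REGISTERED = "recipient is registered in the secure messaging portal"
REASON_SELF_SEND = "recipient local part resembles the sender's own name"
REASON_WEBMAIL = "unregistered consumer webmail recipient"
REASON_UNREGISTERED = "unregistered external recipient"


@dataclass(frozen=True)
class OutboundMessage:
    sender: str         # employee's work address
    sender_name: str    # directory display name, e.g. "Joe User"
    recipient: str
    contains_pii: bool  # verdict of the existing DLP classifier


def split_address(addr: str):
    """Return (local_part, domain), both lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def name_variants(full_name: str) -> set:
    """Local-part patterns people commonly build from their own name."""
    parts = re.findall(r"[a-z]+", full_name.lower())
    if len(parts) < 2:
        return set(parts)
    first, last = parts[0], parts[-1]
    return {
        first + last, last + first, first[0] + last, last + first[0],
        f"{first}.{last}", f"{first}_{last}", f"{last}.{first}",
    }


def local_part_matches_name(local_part: str, full_name: str) -> bool:
    """True if the local part (minus trailing digits) is a name pattern,
    so 'juser1984' matches 'Joe User' while 'snowleopard23' does not."""
    stem = re.sub(r"\d+$", "", local_part)
    return stem in name_variants(full_name)


def triage(msg: OutboundMessage, registered=REGISTERED_RECIPIENTS):
    """Return (verdict, reason); verdict is 'allow' or 'reject'.

    Policy implemented: PII may leave only to internal or registered
    recipients; unregistered recipients are rejected, with the reason
    ranked so that suspected self-sends surface first in review.
    """
    if not msg.contains_pii:
        return "allow", REASON_NO_PII
    rcpt_local, rcpt_domain = split_address(msg.recipient)
    _, sender_domain = split_address(msg.sender)
    if rcpt_domain == sender_domain:
        return "allow", REASON_INTERNAL
    if local_part_matches_name(rcpt_local, msg.sender_name):
        return "reject", REASON_SELF_SEND
    if msg.recipient.strip().lower() in registered:
        return "allow", REASON_REGISTERED
    if rcpt_domain in CONSUMER_MAIL_DOMAINS:
        return "reject", REASON_WEBMAIL
    return "reject", REASON_UNREGISTERED


def triage_all(messages):
    """Triage a batch; returns a list of (recipient, verdict, reason)."""
    return [(m.recipient, *triage(m)) for m in messages]


# Constructed sample traffic from one employee, "Joe User".
SAMPLE_MESSAGES = [
    OutboundMessage("juser@bank.test", "Joe User", "juser1984@yahoo.com", True),
    OutboundMessage("juser@bank.test", "Joe User", "snowleopard23@yahoo.com", True),
    OutboundMessage("juser@bank.test", "Joe User", "mountainhiker@gmail.com", True),
    OutboundMessage("juser@bank.test", "Joe User", "billing@acme-partner.test", True),
    OutboundMessage("juser@bank.test", "Joe User", "jsmith@bank.test", True),
    OutboundMessage("juser@bank.test", "Joe User", "newsletter@vendor.test", False),
]

if __name__ == "__main__":
    for recipient, verdict, reason in triage_all(SAMPLE_MESSAGES):
        print(f"{verdict:6} {recipient:30} {reason}")
```

The name heuristic only catches the obvious case the original poster already catches by eye; the registry check is what addresses the `snowleopard23` problem, at the cost of rejecting first-contact customers until they enrol, which is the business trade-off the last reply implies.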