sss78 - Fotolia

Should an enterprise BYOD strategy allow the use of Gmail?

Using personal Gmail accounts for business purposes is not a secure enterprise BYOD strategy. Expert Matthew Pascucci discusses why companies should avoid implementing this tactic.

I read that one enterprise BYOD strategy includes the use of Gmail accounts; companies have their employees set...

up Gmail accounts for business communications. Is it a good idea to create separate, work-focused accounts like this? Are there scenarios in which this could be a useful strategy?

Creating separate accounts for business use on a third-party platform can be risky, but it depends on the context.

Google offers organizations the ability to host their mail on its platform, and it also offers additional features to manage these accounts -- though these features are not part of Google's free service. There are privacy concerns regarding enterprise use of Google business accounts, but organizations that have their employees use personal Gmail accounts for business purposes is a separate matter.

This enterprise BYOD strategy is a risky idea. Using a free service outside of the organization's control and making it the recommended communication method is dangerous. The organization will have no control over the data being sent or the security policy wrapped around the communications. There is no data loss prevention applied to what's being sent, there's no web filtering or antiphishing protection, and the forensic data and logging of the email are lost.

Essentially, creating a separate personal account as part of an enterprise BYOD strategy actually severely limits BYOD security, and organizations should avoid doing it.

However, if an organization decides to go ahead with this strategy, there are ways to limit the risk.

When employees use personal Gmail accounts to communicate business-related information, be sure everything is encrypted; this includes email, attachments and instant messages. There are plug-ins that can be used to encrypt the content of emails and the content of your Google chats, such as Mailvelope or Pidgin. This will keep the data encrypted and help reduce the risk of data being eavesdropped on or viewed by others for whom it wasn't intended.

However, this doesn't fulfill the need for policy control in an enterprise BYOD strategy. If your employees use Google's business accounts for email, at least attempt to use its mobile device management to control the apps on mobile devices, enforce passwords, create profiles, and wipe the device or account if the device is lost.

Not using the business version of Gmail means your organization loses out on all these features and opens itself up to additional risk. Using the business version of Gmail still involves some risk because the personal and business accounts in Gmail and Google Drive will be open for the enterprise and could be used to leak data. Utilizing cloud access security brokers, like Netskope, Forcepoint and others, enables businesses to differentiate between sanctioned business accounts and personal accounts and create policies within these SaaS applications.

The only situation in which to use a Gmail account to communicate business information is during a breach of a corporate email server. It might be part of an organization's incident response plan to get off its network during a disaster and to communicate out of band, since the network and systems can no longer be trusted. I've personally seen this happen, but it should be used to protect incident handlers during an active incident, not as a policy going forward as part of your enterprise BYOD strategy.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn about the maturation of mobile security strategies with BYOD

Find out whether IT should guarantee BYOD privacy for employees

Discover how Apple's iOS management protocol needs to get better for BYOD

This was last published in September 2017

Dig Deeper on Network security