Step 4: Disable Use of Insecure Third-Party Apps

From Security for Everyone, edition e1.0.0, updated October 9, 2023

Remember how we covered third-party apps and systems back in Part I? The same goes here, except now you can control it at a central level and protect your employees from any oopsies or quick (and unsafe) setups.

Third-party access to your work email comes up often, and in very similar situations to your personal email. It gives an easy way to sign up for and sign into apps and accounts, and from a security perspective it has a bunch of perks:

  • The work email administrators can see who has linked their work email account to third-party systems, which helps you see which third-party apps are actually in use.

  • The end user doesn’t have to set up yet another unique, strong password and save it to their password manager.

  • That app or system’s login is now secured and managed by the work email provider, which is often a good idea, as they probably have a lot more experience and resources to build a secure login flow—more so than the third-party app owner.

It is a win-win-win! What is the harm?

It comes back to the same problem we have when it comes to third-party apps for personal email accounts—those third parties might be (or could turn) malicious. When your employees hit “allow” on giving that third-party app access to their work email, the risks include:

  • Apps asking for too much access, or more than you expect them to need.

  • Access terms that are confusing to understand, especially when an employee is focused on getting a job done.

  • Access terms that are difficult to translate, especially for your employees with little to no tech background.

  • Access that changes over time—that third-party app could go from safe hands to dangerous ones.

Most work email providers give you the ability to turn on third-party restrictions by default, and it is something we recommend you do.

Important: Go hard now on the controls—your team is small enough to raise any blockers now. If your employees don’t use any third-party apps or accounts for work, turn off the ability to use them entirely. If they have some accounts, you could configure your work email provider to only allow those on a specific allowed list you give it. If you have gone with a larger work email provider (which we do recommend), they often have robust processes to warn you or ban third parties that are seen to be abusing their integrations.

If I can convince you with a hilarious mental picture and metaphor: picture the internet as an ocean. It is vast, and some parts of it are unsafe. Your employees sometimes need to swim. Each of them might have varying levels of swimming ability, and you don’t want to just throw all of them in the middle of the Atlantic and expect them to survive without incident. Depending on your employees, their needs, and what you expect from them, you might give them two flags to swim between (using an allowed list of third-party apps), or you might even put them in a paddling pool (disabling third-party apps entirely). Just don’t throw them a pair of floaties and expect them to survive (not configuring anything). Regardless of what controls you put in place, with a large work email provider acting as lifeguard, they will help keep an eye on them too.
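To make the three settings concrete, here is an added example (not code from the book, and not any provider's own tooling) that evaluates an exported list of third-party app grants against a policy in one of the three modes described above: disabled entirely, allowed list, or nothing configured. The grant records are constructed, and the `Mode`, `Policy`, `Grant` and `evaluate` names are this example's own; the OAuth scope strings are real Google scopes, used only to classify which grants ask for broad mailbox or file access. It also flags grants whose scopes have grown since a previous export, which is the "access that changes over time" risk.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISABLED = "disabled"      # the paddling pool: no third-party apps at all
    ALLOW_LIST = "allow_list"  # the two flags: only apps on the allowed list
    OPEN = "open"              # the floaties: nothing configured


# Real Google OAuth scopes that grant broad access; used only for classification.
BROAD_SCOPES = frozenset({
    "https://mail.google.com/",                        # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",    # read, send, delete mail
    "https://www.googleapis.com/auth/drive",           # full Drive access
})


@dataclass(frozen=True)
class Grant:
    """One user-to-app link, as a provider's admin console would export it."""
    user: str
    app_id: str
    app_name: str
    scopes: frozenset


@dataclass(frozen=True)
class Policy:
    mode: Mode
    allowed_app_ids: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    grant: Grant
    reason: str


def evaluate(policy: Policy, grants: list) -> list:
    """Return the grants an admin should act on under the given policy."""
    findings = []
    for g in grants:
        if policy.mode is Mode.DISABLED:
            findings.append(Finding(g, "third-party access is disabled"))
            continue
        if policy.mode is Mode.ALLOW_LIST and g.app_id not in policy.allowed_app_ids:
            findings.append(Finding(g, "app is not on the allowed list"))
            continue
        # Even an allowed app is worth a look if it asks for more than expected.
        broad = g.scopes & BROAD_SCOPES
        if broad:
            findings.append(Finding(g, "over-broad scopes: " + ", ".join(sorted(broad))))
    return findings


def summarize(findings: list) -> dict:
    """Group flagged grants by app so you can see which apps are in use and by whom."""
    by_app = {}
    for f in findings:
        by_app.setdefault(f.grant.app_name, set()).add(f.grant.user)
    return {app: sorted(users) for app, users in by_app.items()}


def expanded_scopes(previous: list, current: list) -> list:
    """Grants already present in the previous export whose scope set has grown."""
    before = {(g.user, g.app_id): g.scopes for g in previous}
    return [
        g for g in current
        if (g.user, g.app_id) in before and g.scopes - before[(g.user, g.app_id)]
    ]


# Constructed sample export: not real users, apps or app ids.
SAMPLE_GRANTS = [
    Grant("ana@example.com", "app-calendar-sync", "CalendarSync",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("ben@example.com", "app-calendar-sync", "CalendarSync",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("ben@example.com", "app-mail-merge", "MailMergePro",
          frozenset({"https://mail.google.com/"})),
    Grant("cy@example.com", "app-quiz-fun", "QuizFun",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
]

if __name__ == "__main__":
    policy = Policy(Mode.ALLOW_LIST, frozenset({"app-calendar-sync", "app-mail-merge"}))
    for f in evaluate(policy, SAMPLE_GRANTS):
        print(f"{f.grant.user:18} {f.grant.app_name:14} {f.reason}")
```

Run the allowed-list policy against the sample and two grants come back: QuizFun, which nobody approved, and MailMergePro, which is approved but holds full Gmail access and so deserves a second look. Switching the mode to `DISABLED` flags every grant, which is the list of things to clean up before you flip the switch at the provider.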

Step 5: Turn on Message Scanning

The theme of this chapter has been “set it and forget it.” This step is no different. Your employees might get unsolicited emails from people trying to trick them into downloading bad attachments, clicking on links to bad websites, or replying with important information. Even as a small business, these things can happen. They aren’t targeted—it is just really easy to set up an automatic script that sends the same bad email to thousands of people. It is a game of odds for an attacker: if just one person reacts, they can win big.

On the bright side, larger email providers realize this, and recognize that they are in the best position to protect people. Not all providers do this; that is why it was important from the very get-go to go with a good provider. Your Googles and Microsofts will definitely have these settings available.

Larger email providers host your mailboxes for you, which means they can also check them for anything malicious before letting you and your users see emails. They have some default protection already in place that will send obvious spam messages, like those about pharmaceuticals and that million-dollar inheritance you are missing out on, to the spam folder.
