Why You Should Take Inventory Of Your Client's Email Accounts

More than 80 percent of breaches involving attacks against web applications involve stolen credentials. Minimize your client's risk by sunsetting their inactive and unmaintained email accounts.

  • August 9, 2023 | Author: Allison Bergamo

On the heels of The Great Resignation and companies "rightsizing" their workforces, your clients' IT teams may already be inventorying hardware such as laptops and mobile devices. Email and other accounts belong on that list too: inactive and unmaintained accounts are a significant security risk, as Google itself acknowledges in its account-inactivity policy.

For example, your client's summer intern may set up a Google Workspace account to store and share company documents. When the intern moves on to a full-time job at another company, the account is abandoned. The next intern cannot sign in because nobody recorded the username or password, so they create a new account, and abandon it in turn when their internship ends.

All these inactive accounts add up, creating account churn in which newer accounts take the place of existing ones. The older accounts are not deleted. Instead, they become unused, forgotten, and a security risk. According to Google, accounts that have not been accessed for extended periods are more likely to be compromised. They typically rely on old or reused passwords, have never been enrolled in two-factor authentication (2FA, which Google calls 2-Step Verification), and are not monitored as closely, so a password leaked in an unrelated breach can be replayed against them without anyone noticing.

According to the Verizon 2022 Data Breach Investigations Report, more than 80 percent of breaches involving attacks against web applications involved stolen credentials. Expect cybercriminals to lean further on credential abuse to reach data and systems, facilitate identity theft and more. That demand has also created a market for access brokers, criminal groups that sell stolen credentials and the access they grant.

Google recently announced that it is changing its inactivity policy for Google Accounts to two years. If a personal account has not been used or signed into for at least two years, Google may delete the account and its contents, including Gmail, Docs, Drive, Meet, Calendar and Google Photos data. Note that the policy covers only personal accounts: accounts managed by a business or school Workspace tenant are not deleted automatically, so finding and retiring those remains the client's own responsibility.

According to Google, deletions under the new rules will begin no earlier than December 2023. In the meantime, now is a good time to conduct a thorough inventory of your client's accounts. Train them to rotate the credentials and enable 2FA on the accounts that are still needed, transfer any documents or ownership the remaining accounts still hold (deletion removes their contents), and then suspend and delete the rest.
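The inventory step above is easier to run as a script than by hand. The following is an added example, not code from the original article or from Google: it takes a list of user records (the field names primaryEmail, lastLoginTime, isEnrolledIn2Sv and suspended are modeled on the Google Workspace Admin SDK Directory API user resource, but the records below are constructed inline) and sorts each account into a keep, enforce-2FA or sunset worklist using a 90-day inactivity threshold. The threshold, the treatment of the Unix epoch as "never signed in" (as the Admin SDK reports it), and the sample accounts are all assumptions to adjust for a real tenant export.

```python
"""Triage an account export into keep / enforce-2FA / sunset buckets.

Added example for this article, not code from the original page. The record
fields (primaryEmail, lastLoginTime, isEnrolledIn2Sv, suspended) are named after
the Google Workspace Admin SDK Directory API user resource, but the input below
is constructed inline; feed it a real users.list export to use it on a tenant.
"""
from datetime import datetime, timedelta, timezone

# The Admin SDK reports users who have never signed in with the Unix epoch as
# lastLoginTime (assumption: verify against the client's export); treat anything
# at or before it as "never signed in".
NEVER_SIGNED_IN = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2023-08-01T08:30:00.000Z; None if missing."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(accounts, now, inactive_days=90):
    """Assign each account to the action the admin should take.

    Policy (an assumption chosen for this example; tune to the client's standard):
      - suspended, never signed in, or idle for more than inactive_days -> sunset
      - active but not enrolled in 2-Step Verification                  -> enforce_2fa
      - otherwise                                                        -> keep
    Returns {"sunset": [...], "enforce_2fa": [...], "keep": [...]} of primary emails,
    in input order, so the output can be handed to the client as a worklist.
    """
    cutoff = now - timedelta(days=inactive_days)
    buckets = {"sunset": [], "enforce_2fa": [], "keep": []}
    for acct in accounts:
        email = acct["primaryEmail"]
        last = parse_ts(acct.get("lastLoginTime"))
        if acct.get("suspended") or last is None or last <= NEVER_SIGNED_IN or last < cutoff:
            buckets["sunset"].append(email)
        elif not acct.get("isEnrolledIn2Sv", False):
            buckets["enforce_2fa"].append(email)
        else:
            buckets["keep"].append(email)
    return buckets


# Constructed sample export: two generations of intern accounts, a staff account,
# a shared mailbox nobody ever signed into, and an already-suspended leaver.
SAMPLE_ACCOUNTS = [
    {"primaryEmail": "intern2021@example.com", "lastLoginTime": "2021-08-20T16:02:11.000Z",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "intern2023@example.com", "lastLoginTime": "2023-08-01T08:30:00.000Z",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "alice@example.com", "lastLoginTime": "2023-08-08T14:45:09.000Z",
     "isEnrolledIn2Sv": True, "suspended": False},
    {"primaryEmail": "shared-marketing@example.com", "lastLoginTime": "1970-01-01T00:00:00.000Z",
     "isEnrolledIn2Sv": False, "suspended": False},
    {"primaryEmail": "bob@example.com", "lastLoginTime": "2023-07-30T10:00:00.000Z",
     "isEnrolledIn2Sv": True, "suspended": True},
]
# Fixed "now" so the example is reproducible (the article's publication date).
AS_OF = datetime(2023, 8, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    for action, emails in triage(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{action:12s} {', '.join(emails) or '-'}")
```

Run against the sample, the 2021 intern account, the never-used shared mailbox and the suspended leaver land in the sunset list, the current intern (active but without 2-Step Verification) is flagged for 2FA enforcement, and only the staff account is kept as-is. Suspend before deleting so that any data the account still owns can be transferred first.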

Need guidance in setting up Zero Trust policies within your client’s organizations? Fortinet’s 2023 Zero Trust Report dives into the successes and challenges organizations can face when implementing zero-trust strategies. Get your copy.
