E-mail Attachments: Misperceptions That Can Compromise Security
Organizations may be under several misunderstandings about the safety of their e-mail attachments. We explore the risks and corrective action IT can take to reduce the vulnerabilities.
E-mail has fundamentally changed the way business documents are shared, enabling near real-time collaboration, increased business efficiency, and reduced delivery time and costs. However, the same technology that makes sharing information faster and more affordable can quickly turn into a security and compliance nightmare. The sharing (via e-mail) of confidential information -- including personally identifiable information, personal health information, intellectual property, and M&A information -- is coming under increasing scrutiny by IT and security personnel charged with securing enterprise data.
Microsoft’s launch of Exchange Server 2010 introduced some welcome information protection and control features that monitor sensitive content in e-mail messages and control accidental and unauthorized distribution. Highlights of those features include transport protection, role-based access control, and integrated archiving.
Despite the clear benefits these features provide, such controls are virtually useless in protecting and controlling the bulk of data on e-mail systems that resides not in e-mail messages but in files attached to e-mail messages. E-mail attachments account for approximately 70 percent of e-mail volume, representing a huge security threat.
Are organizations aware of the security risks from e-mail attachments? Generally not. The reasons for this apparent lack of concern stems from a few key misconceptions.
Misconception #1: E-mail attachments are limited to 10MB; therefore, the risk of a data breach from file transfer is minimal.
With Exchange best practices limiting e-mail attachments to 10 MB, enterprises and government agencies are, in fact, at heightened risk for a data security breach. Business users are notorious for finding IT workarounds. If a business document cannot be attached to an e-mail message because it is too large, users can be quite resourceful in finding a workaround -- and security is not always uppermost in their minds.
Misconception #2: FTP is available; therefore, the risk of a data breach from file transfer is minimal.
Too often, companies assume that because they offer FTP as a means to share files that their data is safe. The reality is that FTP servers are unsecure and leave data exposed. Additionally, the complexities associated with FTP -- including the time delays when filling out a request form and waiting for the IT department to set up a new FTP account -- make P2P and other non-secure, non-compliant workarounds much more appealing and very dangerous alternatives. At the end of the day, employees’ number-one priority is getting their job done. If an easy-to-use solution for sharing large file attachments is not available, they will get creative. Security and compliance are often afterthoughts.
Misconception #3: We haven’t experienced a security breach from unsecure file transfer, so the risk of a data breach from file transfer is minimal.
Companies face an ever-growing number of IT-related security issues and information security compliance requirements. Through the course of security audits, companies are being made aware of the urgent need to address vulnerabilities related to data transfer. Unfortunately for many, the issue of how to securely exchange large file attachments does not become a priority until a security audit has failed, or worse -- when they’ve experienced a data breach.
If you have identified or suspect security deficiencies in how data is being transferred via large file attachments in your organization, it is time to take action. To protect business-critical documents that are transferred both within and outside of the e-mail system, a solution that allows large file attachments to be shared securely is vital. When choosing a solution, look for the following features:
- Integrated e-mail and file transfer security features: Security features such as content awareness, encryption, comprehensive tracking and reporting and archiving should encompass e-mail messages and e-mail file attachments that contain the bulk of the sensitive information. A solution for transferring large files should provide integration with e-mail via a plug-in so that file attachments are sent securely at all times to satisfy compliance requirements and to reduce the risk of a data breach at the file-transfer source.
- Policy-based content awareness of large file transfers: The ability to set automated security policies for data in motion and conduct content analysis of each attached file is essential for ensuring compliance with corporate data security guidelines. The solution should be able to block or quarantine files if the content (within the file) does not meet corporate security policies.
- Disk and file-transfer encryption: Encrypting user files before storing them on a disk eliminates risk at the file-transfer source. Seamless client-side encryption of file attachments before they are sent, along with transparent logging and reporting, provides increased confidence and protection. Whether operating in the cloud or on-premise, disk and file-transfer encryption helps organizations maintain compliance by ensuring confidential files remains secure during transfer or in the event of a loss, theft, or security breach.
- Business record retention: Protection and retention of electronic business records is vital in the event of corporate litigation. Technology advances now provide the ability to continuously monitor large file attachments when they are sent outside of the e-mail network to determine those that meet the criteria for archiving. Look for a solution that allows capturing and replicating of files subject to corporate archival policies.
Paula Skokowski is the chief marketing officer for Accellion, Inc., a secure managed file-transfer solution provider. Ms. Skokowski received a BA and MA Honors in Engineering Science from Oxford University and an MS in Robotics from UC Berkeley. She has served as advisor on Teradata’s Ecommerce Board of Advisors, director for the ComputerWorld Smithsonian Awards Program, and executive director to the LonMark Interoperability Association. You can contact the author at firstname.lastname@example.org.