Decision Maker

Building a Culture of Security: You Still Allow E-Mail Attachments?

When it comes to enterprise security, you're not paranoid -- everyone is out to get you.

In last month's column, I wrote about the need for organizations of all sizes to start developing a "culture of security," where IT security permeates everything you do. You need to assume attackers are targeting you -- because they are. You need to make sure every element of your environment takes security into consideration.

In fact, let's stop calling it security. Let's call it protection. One sign of an organization that absolutely does not care about protecting itself, its users or its assets is an enterprise that still allows inbound e-mail attachments. I know, I know, the horror of not being able to conveniently receive a file from a customer or business partner! But admit it: E-mail has always been the easiest vector for the social engineering that leads to an attack. Users are conditioned to open e-mail attachments, and at best they give the source a passing glance. The From address and the rest of the headers are trivial to spoof, and users are rarely sophisticated enough to dig into those headers and judge whether the message is legitimate.

The recent "Black Magic" exploit is a perfect example. A Windows Shortcut file -- an .LNK, that is -- shows up as an e-mail attachment. A shortcut is nothing more than a pointer to a command line, so opening it runs whatever the attacker put there; in this case it kicks off a chain of scripts and downloads that gives the malware access to the user's Internet Explorer and Outlook data. The great viruses of yore, including "Melissa" and "ILoveYou," were carried into organizations as e-mail attachments, and attachments remain a threat today. Ars Technica recently reported on the "Cryptowall" ransomware that took an entire New Hampshire police department offline, all from a seemingly legitimate e-mail attachment.

When are we going to learn? The logic here is simple and straightforward: Your users are your weakest link. They simply lack the interest, time, and sophistication to protect themselves against these kinds of pervasive social engineering attacks, and they become willing, albeit unknowing, accomplices in major attacks. So you have to take the users out of the loop, at least insofar as e-mail attachments go. Users simply trust attachments too much. What's worse is that, as you rely more and more on cloud-based e-mail services, you give up some of the control over how incoming mail is filtered before it reaches the inbox.

This absolutely does not mean you have to give up on exchanging files with internal users by means of e-mail, if that's what you want to do. It simply means that you need to strip all incoming attachments at the edge of your network. Scanning attachments is no longer enough: There are simply too many potentially dangerous file types, and too many ways around a scanner's rules. The file extension, the declared content type and any archive wrapped around the payload are all chosen by the sender, so a block list of "bad" extensions is only ever one step behind the attacker. But dropping e-mail attachments removes a critical piece of business functionality, right?

Wrong. Managed File Transfer (MFT) has been around for years, and solutions are available at a wide range of price points and functionality levels. At their simplest, they offer your external contacts a Web page where they enter an employee's e-mail address and "drop" files; the employee receives an e-mail notification and a link to retrieve them. CAPTCHA and other techniques help protect against bots, and many solutions offer easy ways to maintain a database of allowed external users -- all without IT involvement, once the solution is set up. Because every inbound file now arrives through one channel, it is far easier to scan and quarantine it before the recipient is ever notified, and even if your e-mail has been outsourced, this is one piece you can hang on to.
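What "strip every attachment at the edge and point the sender at the portal" looks like in code, as an added example rather than anything from this column or from any MFT product: a Python filter of the kind that would sit behind a milter or content-filter hook on the inbound gateway. It rebuilds each message from its text body alone, so a shortcut hiding behind a double extension, a payload with a benign declared content type, or a part nested inside another multipart is removed without any list of extensions ever being consulted. The portal URL and the sample message are made up for the demonstration.

```python
"""Edge-of-network attachment stripping for inbound mail.

Added example for this column, not gateway or MFT product code. PORTAL_URL and
the sample message below are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

PORTAL_URL = "https://files.example.com/drop"  # hypothetical MFT drop page


def _safe_name(filename, content_type: str) -> str:
    """Attachment names are attacker-controlled: keep them printable and short
    before they are echoed into a header or the recipient's notice."""
    name = filename or f"<{content_type}>"
    return "".join(ch for ch in name if ch.isprintable())[:80]


def strip_attachments(raw: bytes) -> tuple[EmailMessage, list[dict]]:
    """Parse RAW and return (rebuilt message with no attachments, audit records).

    The message is rebuilt from scratch rather than edited in place: only the
    headers listed here and the plain/HTML body parts survive. Every other leaf
    part is dropped whatever its extension, declared type or nesting depth.
    """
    original = email.message_from_bytes(raw, policy=policy.default)
    plain = original.get_body(preferencelist=("plain",))  # skips parts marked attachment
    html = original.get_body(preferencelist=("html",))
    body_ids = {id(p) for p in (plain, html) if p is not None}

    removed = []
    for part in original.walk():  # walk() descends into nested multiparts
        if part.is_multipart() or id(part) in body_ids:
            continue
        removed.append({
            "filename": _safe_name(part.get_filename(), part.get_content_type()),
            "content_type": part.get_content_type(),
            "size": len(part.get_payload(decode=True) or b""),
        })

    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if name in original:
            clean[name] = original[name]

    text = plain.get_content() if plain is not None else ""
    if removed:
        names = ", ".join(r["filename"] for r in removed)
        text += (f"\n[Mail gateway: {len(removed)} attachment(s) removed ({names}). "
                 f"Ask the sender to use {PORTAL_URL} instead.]\n")
        clean["X-Attachments-Stripped"] = str(len(removed))  # for the audit trail
    clean.set_content(text)
    if html is not None:
        clean.add_alternative(html.get_content(), subtype="html")
    return clean, removed


def build_sample(with_attachments: bool = True) -> bytes:
    """Constructed test message: text + HTML body, plus (optionally) a Windows
    shortcut hiding its .lnk extension behind '.pdf' and a zip archive."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice 4471 attached"
    msg.set_content("Hi Alice, please see the attached invoice.")
    msg.add_alternative("<p>Hi Alice, please see the attached invoice.</p>", subtype="html")
    if with_attachments:
        msg.add_attachment(b"L\x00\x00\x00\x01\x14\x02\x00", maintype="application",
                           subtype="octet-stream", filename="Invoice_4471.pdf.lnk")
        msg.add_attachment(b"PK\x03\x04not-really-a-zip", maintype="application",
                           subtype="zip", filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, audit = strip_attachments(build_sample())
    for record in audit:
        print("stripped:", record)
    print(cleaned.as_string())
```

The audit records are what you hand to the SIEM or the MFT notification; the recipient sees only the notice appended to the text body. Note that the filter never looks at the extension: the disguised shortcut and the zip are dropped for the same reason, namely that they are not the message body.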

There are other approaches and solutions, too, designed to meet a huge range of business requirements. If you're thinking, "No, only the exact capabilities of e-mail attachments will work for us," then it's because you haven't done your research into what's out there. These systems offer better tracking and auditing, too, often making them superior to attachments for organizations dealing with legal compliance.

And the bigger point is that, if you're going to have a culture of protection, you need to take a hard look at where other organizations are suffering, and take steps to make sure yours doesn't suffer in the same way. Waiting until it happens is no good.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.
