Decision Maker

Building a Culture of Security: You Still Allow E-Mail Attachments?

When it comes to enterprise security, you're not paranoid -- everyone is out to get you.

In last month's column, I wrote about the need for organizations of all sizes to start developing a "culture of security" where IT security must permeate and pervade everything you do. You need to assume attackers are targeting you -- because they are. You need to make sure every element of your environment takes security into consideration.

In fact, let's stop calling it security. Let's call it protection. One sign of an organization that absolutely does not care about protecting itself, its users or its assets is an enterprise that still allows inbound e-mail attachments. I know, I know, the horror of not being able to conveniently receive a file from a customer or business partner! But admit it: E-mail has always been the easiest vector for the social engineering that leads to an attack. Users are conditioned to open e-mail attachments and at best they give only passing consideration to the source. It's easy to spoof the From address and other headers, and users are rarely sophisticated enough to dive into those headers and judge whether the e-mail is legitimate.

The recent "Black Magic" exploit is a perfect example. A Windows Shortcut file -- an .LNK, that is -- shows up as an e-mail attachment and, when opened, kicks off a chain of scripts and downloads that hands the malware access to the user's Internet Explorer and Outlook data. The great viruses of yore were vectored into organizations the same way: "Melissa" rode in as a Word document attachment carrying a macro, and "ILoveYou" as a Visual Basic script attachment whose double extension made it look like a harmless text file. Attachments remain a threat. Ars Technica recently reported on the "CryptoWall" ransomware that took an entire New Hampshire police department offline, all from a seemingly legitimate e-mail attachment.

When are we going to learn? The logic here is simple and straightforward: Your users are your weakest link. They simply lack the interest, time and sophistication to protect themselves against these kinds of pervasive social engineering attacks, and they become willing, albeit unknowing, accomplices in major attacks. So you have to take the users out of the loop, at least insofar as e-mail attachments go. Users simply trust attachments too much. What's worse is that, as you rely more and more on cloud-based e-mail services, you lose direct control over the mail path and over what filtering is applied to incoming messages.

This absolutely does not mean you have to give up on exchanging files among internal users by means of e-mail, if that's what you want to do. It simply means that you need to strip all incoming attachments at your mail gateway, before a message ever reaches a mailbox. Scanning attachments is no longer enough: There are simply too many potentially dangerous file types, and too many ways to work around scanners' restrictions. The declared content type and the file extension are both under the sender's control, and an attachment inside a password-protected archive is invisible to the scanner entirely. But dropping e-mail attachments removes a critical piece of business functionality, right?

Wrong. Managed File Transfer (MFT) has been around for years, and solutions are available at a wide range of price points and functionality levels. At their simplest, they offer your external users a Web page where they can enter an employee's e-mail address and "drop" files. The employee receives a notification by e-mail and can quickly retrieve the files. CAPTCHA and other techniques help protect against bots, and many solutions offer easy ways to maintain a database of allowed external users -- all without IT involvement, once the solution is set up. Because the files land in a system you control rather than in a mailbox, it's easier to scan and quarantine incoming files before the recipient is notified, and even if your e-mail has been outsourced, this is one piece you can hang on to.

There are other approaches and solutions, too, designed to meet a huge range of business requirements. If you're thinking, "No, only the exact capabilities of e-mail attachments will work for us," then it's because you haven't done your research into what's out there. These systems offer better tracking and auditing, too, often making them superior to attachments for organizations dealing with legal compliance.
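The gateway rule argued for above is "strip every inbound attachment, don't try to classify it." The following is an added example, not code from the column or from any MFT product, of what that rule looks like at a mail gateway: it walks a MIME message, removes every attachment regardless of its declared type, replaces them with a notice in the body, and records what was dropped. The sample message is constructed for the demo; the "invoice.pdf" in it carries the header of a Windows Shortcut (.LNK) file rather than a PDF, which is exactly the kind of mismatch that a filename- or content-type-based scanner misses. The .LNK header bytes are the HeaderSize and LinkCLSID values from Microsoft's MS-SHLLINK specification; the `sniff` helper and its handful of signatures are assumptions for illustration, not a complete file-type detector.

```python
"""Strip every inbound attachment at the mail edge, whatever the sender claims
it is. Added example for illustration; not the column's or any vendor's code."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple

# A Windows Shortcut (.LNK) begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialized little-endian
# (MS-SHLLINK). Used here only to show that bytes, not filenames, identify a file.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def sniff(data: bytes) -> str:
    """Identify a few attachment types by their leading bytes (illustrative list)."""
    if data.startswith(LNK_MAGIC):
        return "windows-shortcut"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"  # also .docx/.xlsx/.jar and friends
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def strip_attachments(raw: bytes) -> Tuple[EmailMessage, List[Dict]]:
    """Return a copy of the message with every attachment removed, plus a
    record of what was dropped. The decision never looks at the declared
    type or the extension: both are chosen by the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        removed.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "sniffed_type": sniff(payload),
            "size": len(payload),
        })
    if not removed:
        return msg, removed

    # Rebuild a plain-text message: original headers we care about, the
    # original text body, and one notice line per stripped attachment.
    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name]:
            clean[name] = msg[name]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    notice = "\n".join(
        f"[Gateway removed attachment {r['filename']!r}: declared "
        f"{r['declared_type']}, content looks like {r['sniffed_type']}]"
        for r in removed
    )
    clean.set_content(text.rstrip("\n") + "\n\n" + notice + "\n")
    clean["X-Attachments-Stripped"] = str(len(removed))
    return clean, removed


def build_sample() -> bytes:
    """Constructed inbound message (not a real capture): a plausible-looking
    'invoice.pdf' whose bytes are really a Windows shortcut header, plus a
    genuine-looking PDF. Both get stripped; the record shows the mismatch."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "accounts@example.net"
    m["To"] = "someone@example.com"
    m["Subject"] = "Invoice 4471 attached"
    m.set_content("Hi, please find the invoice attached.\n")
    m.add_attachment(LNK_MAGIC + b"\x00" * 40, maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"%PDF-1.4\n%stub\n", maintype="application",
                     subtype="pdf", filename="terms.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    clean_msg, dropped = strip_attachments(build_sample())
    for entry in dropped:
        print(entry)
    print(clean_msg.as_string())
```

In production this logic sits in a milter or transport hook in front of the mailbox store, and the original message is written to a quarantine store (with retention and an audit trail) rather than discarded, so a file that really was needed can be released to an MFT drop point instead of back into e-mail.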

And the bigger point is that, if you're going to have a culture of protection, you need to take a hard look at where other organizations are suffering, and take steps to make sure yours doesn't suffer in the same way. Waiting until it happens is no good.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.

