3 Big Problems with Email Attachments—File Interception, Data Leakage and Compliance

November 23, 2022 Security and Compliance, MOVEit

Did you know that an average business user sends out some 5,000 email attachments every year? That is a lot of information that can be waylaid, sent to the wrong person (or even an entire distribution group!), and passed along to others who have no right to see them.

And when businesses shoot around attachments willy-nilly, there is real trouble. “Sending an email is like sending a postcard: Everyone or every system that handles it can see and record what was written. This is not a problem obviously if the contents are nothing of interest or importance. It is a big problem, however, if the contents include sensitive data, such as banking details, network passwords or customer data,” argued TechTarget.

Doing the Email Explosion Math

Despite the younger generation being all about text and social media and the rise of instant messaging built into apps such as Microsoft Teams, email remains king of communication as an analysis by Data Driven Investor details. “Around 306 billion emails are sent and received every day. In the corporate environment, about 25% of messages carry file attachments, or 76 billion messages,” the Why We Can't Secure Our Data with Business as Usual blog noted. 

Attachments are the crux of the data leakage/breach problem. “The email attachment model of embedding a copy of a file into the message ensures that data will be duplicated. This duplicity grows exponentially when coupled with the common end-user behavior of copying (Cc, Bcc) and forwarding messages to others, even to those who will never open the embedded file,” the blog explained.

These numbers really add up. “With email attachments representing, very conservatively, around 17,000 files per worker per year, we conclude that in a 1,000-person company a staggering 17 million file copies are created every year as a result of email’s file-sharing methodology,” the blog calculates.

These attachments are wide open. “Each of those 17,000 files per user per year is readily accessible to whoever has a copy of the email, and that includes the hackers who breach the email system, backup servers, a misplaced device, PST file, etc.—whether in your organization or any organization you communicate with,” the blog said. “Furthermore, given that email attachments provide no possibility of revocation after being sent when systems are breached, valuable corporate content sent years before is still there.”

The Massive Attachment Attack Surface

The very nature of email makes attachments easy pickings. “The anonymity of attachments also facilitates their usage as a means of cyber-attack by bad actors. Commonly classified as the primary vector of attack, email and its attachments provide an ideal delivery mechanism by which to bypass company defenses and get malicious code executed on the user’s device, well behind the company’s firewalls,” the Why We Can't Secure Our Data with Business as Usual blog argued. 

The Ponemon Institute, famous for its data breach research, also focused its lens on data leakage and the vulnerability of email attachments. As reported in eWeek, which cited Ponemon research, email is a huge source of data leakage, and attachments are what the bad guys are after.

In a Ponemon survey of 830 IT, security, and compliance pros, half said that improper handling of email by workers was the biggest data leak cause. Misuse is the key problem, as 69% of respondents said workers violate company security policies and too often transfer confidential data through email without sufficient security, often using personal web-based mail accounts to make the transfers.

Mistakes are another big problem, as 63% of those polled said employees sent confidential information to folks outside the workplace—by mistake! Using email on mobile devices was a concern for 70% of respondents.

Email is “such a significant tool that employees are inclined to circumvent policy and email sensitive information, so they can effectively perform their responsibilities in a timely manner,” Larry Ponemon, chairman and founder of the Ponemon Institute, told eWeek.

Osterman Research, another noted security authority, separately found that 20-25% of messages include attachments, and attachment-laden messages constitute a full 98% of all data sent by email. The result—75% of a company’s intellectual property is held in either email or related attachments. That’s your crown jewel.

Mail servers and personal folders are another risk, with 75% of your intellectual property being held in end user folders, which serve as personal file cabinets, and on company mail servers. Email hacks, which we will touch on later, expose all this data—one stop shopping for cybercriminals.

Lack of File and Email Safeguards

IT pros understand the issue but are not always prepared to face up to email data leakage and breach challenges. According to Ponemon, a scant 42% of administrators are confident they have the tools to secure sensitive data in email or its attachments.

Why are Attachments so Vulnerable?

We know hackers love to steal email attachments and love even more to hijack the entire email client—but they also have a shockingly easy time of it.

Email attacks are shockingly common and far too often succeed. Email isn’t just send and go: messages and attachments get widely circulated as they are sent to multiple recipients and then forwarded, argues the US Cybersecurity and Infrastructure Security Agency (CISA). Email and file attacking malware payloads often go along for the ride, spreading infection and compromising more files.

There is an entire industry and ecosystem devoted to perfecting and promulgating email attacks. The attack software is created and then shared with hackers, some of whom launch these attacks for a fee, often via services readily available on underground markets. Got a hundred bucks or so, you can attack your personal enemy. Quadruple that, and you can go after their business.

The People Problem—Human Email Error

You’ve heard tales of someone (maybe it was you) sending a nasty email to a co-worker, only to find it went to your boss—or your entire department or company. These mistakes happen more than you might think, with some recent findings reporting that a third of people asked confess they’ve accidentally sent mail to the wrong person. If the email has sensitive information, that right there is a breach.

In the financial sector, laden with sensitive personal and financial data, email missteps continue wreaking havoc according to the esteemed 2021 Verizon Data Breach Investigations Report. The “sending of emails to the wrong people, represents a whopping 55% of all Error-based breaches (and 13% of all breaches for the year),” Verizon found.

Mail Sent to Wrong Person

Email sent to the wrong person(s) is particularly painful for some highly regulated industries. According to the UK’s Information Commissioner’s Office (ICO), which protects information rights, “misdirected emails accounted for 20% more reported incidents than phishing attacks. The ICO’s Data Security Incident Trends Report further argues that ‘data emailed to incorrect recipient’ was the leading cause of non-cyber-related security incidents for businesses in the finance, insurance and credit sectors.”

Problems with misdirected email are so bad the American Bar Association (ABA) has a rule to address it. “Lawyers sometimes receive a document or electronically stored information that was mistakenly sent or produced by opposing parties or their lawyers. A document or electronically stored information is inadvertently sent when it is accidentally transmitted, such as when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that was intentionally transmitted,” the ABA explained. “If a lawyer knows or reasonably should know that such a document or electronically stored information was sent inadvertently, then this Rule requires the lawyer to promptly notify the sender in order to permit that person to take protective measures.”

For File Transfers the Easy Way Out is Not Usually the Best Solution

Email is always the easy route for file sharing, as many of us literally live in our email application during the workday—which in these days of remote work often turns into the work night. “Sharing sensitive or confidential files with other people can be a challenge. Email is typically the most convenient option. But by default, email is not secure. On their own, your emails are neither encrypted nor authenticated in any manner, which means that people beyond you and the recipient can potentially access and read them,” argues TechRepublic in its Many People Using Email to Share Files Despite Lack of Security blog.

TechRepublic referred to a UK/US-based survey of file sharing practices which found that 58% of US respondents and 56% of UK-based users rely on email as their most prevalent method of sharing files. Meanwhile, 35% use cloud services for file sharing. Just 10% use an actual file transfer service.

Getting hit with a data breach does point folks in the right direction, the survey found. 39% of users in the US and 32% in the UK who haven't fallen victim to hackers do nothing to protect their files. Once struck, those numbers are roughly halved to 16% in the US and 19% in the UK.

Email and File Encryption

Regulated industries have rules for encrypting data sent by email and, to avoid fines and reputation-crushing bad publicity, tend to adopt some encryption solutions. However, encryption for regulated and non-regulated organizations is far from what it should be. “While regulatory compliance remains the biggest driver for deploying email encryption, 84 percent of survey respondents said they don’t know what information needs to be encrypted. Of the organizations without email encryption, more than half, or 67 percent, were unaware there are regulations governing how sensitive information should be sent over email,” the eWeek story said.

The COVID Factor

The Human Factor 2021 Report found that COVID and remote work increased the vulnerability of email, in particular privilege attacks. Data leakage likewise rose, with the sending of sensitive files and wanton file copying as key culprits.  

Email Chokes on Large Files

While email is wildly popular for sending files, there are serious limits. How many times have you had to use Dropbox or something of its ilk for a file too big for your mail client to handle? Depending on your provider, client and IT configuration, email chokes on large files, such as those larger than 25MB.

Many Understand the Problem—but Haven’t Solved it

Companies themselves tend to understand email risk but haven’t adopted a better solution. A recent email security report demonstrates the fear. “More than two-thirds (70%) consider it likely (39%), extremely likely (26%) or even inevitable (5%) that an email-borne attack will damage their business sometime during 2021,” found the State of Email Security Report (SOES). “This is up sharply from 2020, when only 59% of SOES survey respondents felt that was the case. Even more significantly, at those companies where the use of email rose during the past 12 months, the portion of respondents who saw an email-based attack as likely or inevitable rocketed to three-out-of-four (75%).”

Email is Unreliable

Email isn't always reliable. How many times has your message been bounced back or stuck in the junk mail folder? What if you key in the wrong address? Now someone you don't even know has those unannounced company financials and may well send them off to the competition. Moreover, email for file transfers is not scalable at all, and these days more and more email clients have file size limitations so you can't send larger files anyway. And how do you ensure your email and the attachment go to the recipient? Do you really rely upon return receipts? When was the last time that ever worked?

Email Not the Answer—the Legal Example

Lawyers have serious attorney/client privilege and other privacy issues, but still simply email confidential files and documents around and rarely encrypt them. To boot, far too few employ a secure file transfer solution such as Managed File Transfer (MFT) software. The 2019 ABA TECHREPORT analyzed how small law firms and solo practitioners handle document and record management, and whether they apply software to this use. Solo practitioners rarely used such software solutions, with only 37% saying that they did so. The story at small firms was better but not good enough, as only 55% of these organizations use file transfer or record management software.

The sad fact is that email, as insecure as it is, remains the predominant way confidential files are shared. “While clients demand a simple way to work together, it is essential that electronic communication does not lead to security risks: i.e. someone other than the client or privileged third party obtaining confidential documents,” argued an article on LegalITProfessionals.com. “While this may seem obvious, a recent study of law firms’ file sharing processes revealed that a minority of law firms are using security technology to protect electronic communications: email encryption (22%), password protected documents (14%), use a secure file sharing site (13%).” 

Knowing email is insecure, 75% of firms simply apply statements of confidentiality rather than truly secure their files. “A study by LexisNexis finds that file sharing is an integral part of a law firm’s day-to-day operations. Yet, while firms are keenly aware of the consequences of IT security risks, unencrypted emails, which are merely reinforced by a statement of confidentiality, remains the primary line of defense when sharing confidential files,” the article on LegalITProfessionals.com reported.

Encrypting files is critical to security, but too few understand this or know how to encrypt. “The (LexisNexis) survey, however, also revealed that while nine in 10 law firms use email for business purposes, only about one in four encrypt those communications. Lastly, when law firms were asked if other employees were using free file sharing services, about one-third said 'yes,' another third said 'no,' and the final third were 'unsure,'” the LegalITProfessionals.com article reported.

A Better Way for All: Managed File Transfer (MFT) 

You may think you're on the leading edge because you downloaded a free version of Dropbox or another file sharing software solution. While a step up from email, free file sharing software is not a secure or efficient approach. You need a solution specially built to securely transfer files. And because you have so many files to transfer, such a solution must allow these transfers to be efficient and trackable. Imagine if you could automate these transfers? Well, you can. 

Here are key features your file transfer solution should have, all of which are available in a good Managed File Transfer (MFT) product. 

Encryption: If your emails and attachments are not encrypted, they are sitting ducks. “File transfer encryption (such as SFTP encryption) is an essential security measure that prevents outsiders from being able to read or understand the data that is being transferred. This protects the information from potential hackers. When data is encrypted, the information gets manipulated into an unidentifiable format while in transit, and once it reaches its destination, the data becomes readable again. This way, the data is only accessible by those it is intended for,” argued The Importance of File Transfer Encryption blog.

The best answer is a solution that encrypts these files for you—by default. 

Easy to Use: No one will use a managed file transfer system, regardless of how safe it is, unless it is easy to use. That means it should be deployable on premises or in the cloud so end users always have access. And it should be straightforward for the end user to transfer files and easy for IT or internal computer experts to set up these transfers. 

It is even better if it is integrated with the email systems your employees are already using to share files, albeit unsafely. Here, Microsoft Outlook is the most used email application in the business world, so integration with that is critical. 

Auditable: What happens if a business partner says they never got the file you sent? Through auditing you'll know the precise path that file followed and whether it was indeed received. If there was a hiccup somewhere, it is easy to resend the file. Part of this system is notification on either end, so you (the sending party) and your recipient are both told what happened. 

Automation: If I asked you how many files your firm deals with on a given day you'd run out of hands before you counted the first hour. Manually transferring all these files is a nightmare and mistakes are surely made. Automate these transfers so certain types of transfers and transfers to specific parties are done with the click of a mouse. 

Manage Data: Managed File Transfer (MFT) offers safe, efficient file transfer as a business process—now employees and IT can manage file transfers confidentially by tracking data movement. 

Visibility: Managed File Transfer (MFT) provides visibility into your firm’s data activities, such as the files themselves, data events, who sent and received the files, transfer policies and processes, notifications, and offers a look back via logging and audits. 

Secure Managed File Transfer (MFT) Software Keeps the Confidential 

Many data breaches occur when files are moved within your organization or to partners and other firms with a vested interest. With MOVEit Managed File Transfer (MFT) from Progress, you can establish secure collaboration and automated file transfers of sensitive personal data. These files are not only moved safely, but the transfers also include encryption and activity tracking to ensure compliance with your internal policies and regulatory rules.

By default, all files sent outside the firm should be handled in a secure and trackable way—which is MFT.  

With MOVEit Managed File Transfer, you no longer rely upon your employees emailing personal data to other employees, outside entities, or using insecure file sharing services.

With Secure MFT Software, you eliminate user error, and can track and report the details of every file transfer. 

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
