by Alexis Panagides and Faquiry Diaz Cala
With the ongoing cyber security crises, highlighted by rampant malware, daily announcements of major breaches, and increasing sophistication and ruthlessness of cybercriminals, companies are wisely abandoning the most widespread and least secure file sharing technology on the planet, the email attachment.
March 23, 2020 Microsoft warned of a computer attack that grants remote machine access.[1] For several weeks there was no fix available. A month after the Microsoft incident, cybersecurity firm, ZecOps, announced that a specially crafted email can be sent to the iPhone’s native email application, granting remote access to those devices. [2] As of this writing, a new and dangerous Excel file is making the news. [3] These incidents share a commonality, namely, all are carried out by the most venerable and ubiquitous file sharing technology on the Internet, namely, the email attachment.
Developed at a time when color television was beginning to overtake black and white, the early 1970s, email attachments are woefully unprepared for the brutal realities of today’s Internet. Devoid of native protections, imbued with viral duplication, untraceable and universally used, it has long been the darling of bad actors, both state or privateer. Given increased risks and costs of breaches, organizations are looking for new strategies and technologies to eliminate the unwanted challenge.
We are beginning to see the end of the 50 year old email attachment - a trend suddenly accelerated by the new remote workforce reality of the COVID-19 pandemic.
Increasingly, mxHero has been working with companies to completely eliminate the use of email attachments in favor of secure file sharing links. We believe that we are at the beginning of the end of the 50 year old email attachment.
5 main reasons the email attachment is now dying:
1. File duplication (data exposure & loss)
Email was architected at a time when network and computer infrastructure was fragile. As a result, email was designed to be copied at every moment. We often think email is "delivered", as though it went from the sender's possession to the recipient's, a metaphor of physical mail. The reality is that email is copied. When Sara sends an email attachment to Alice and Jim, multiple copies of that file will be created — one copy in the Sara’s email (outbox), two copies for the message received (inbox) by Alice and Jim, plus two more files as Alice and Jim view or save those files to their computers. Today, with users having multiple devices, the typical duplication of files sent through email needs to encompass additional copies on mobile phones, home computers, etc. Finally, emails and their files will be duplicated throughout the delivery process by the supporting email infrastructure, like redundant email servers and archives — creating yet more copies for each sender and recipient. The end result is a massive distribution of files that by some estimates represents more than 55,000 file duplicates per user per year [4]. For a company with 1,000 employees, this means a stunning 57 million files cast inside and outside of the organization over the course of a year. The industry jargon for this phenomenon is data sprawl, and with email it is done at an epic scale.
2. Files sent through email are too vulnerable
At the time of its inception, the early 1970s, security was not a design consideration, as a result, email is simply a structured text file devoid of any security features. Although several attempts at securing email were made during the intervening 50 years (e.g. PGP, S/MIME), none were sufficiently adopted and today an email is very similar to how it has always been — completely unprotected. As a result, if someone possess an email, they have access to all of its content.
Email's combination of zero content protection with rampant self duplication creates an insurmountable security nightmare. Not only are sensitive files spread across multiple systems, devices and recipients, they are also completely vulnerable. When an email system, user account or archive is breached, it is a threat to the organization and to everyone they have communicated with.
Email's combination of zero content protection with rampant self duplication creates an insurmountable security nightmare
3. Attachments are too dangerous
Attachments continue to be used as a key vector of attack because they allow cybercriminals to deliver malicious code directly to the end user, getting behind the organization’s firewalls. From behind the firewall, the malicious code can attack the user’s devices and leverage its internal position to expand across the organization. Unlike malicious links that need to reach out to a point of origin through corporate defenses that are continuously being monitored and logged, the virus that is deployed from an email attachment is prepared to covertly work alone and wreak havoc from the inside.
4. Attachments are inefficient
Email attachments are an incredibly inefficient means of data transfer which creates unneeded costs in terms of storage, network usage and productivity loss. Because email is text based, it encodes the binary file data using a text encoding. This text encoding inflates the original file size by around 37%. [5] In other words, a 10mb Word doc becomes a 13.7mb email attachment. The result is network and email storage systems need to allocate 37% more space for every file sent or received through email. This inefficiency is made all the worse by the aforementioned data sprawl. Not only is each email attachment 37% larger than it needs to be, it is duplicated nearly ten times (10x). [4]
For many, the email storage problem has been mitigated by leveraging the scale economies of cloud email services like Office 365 or GSuite, but another impediment to productivity is email’s 10mb size limitation legacy imposed either by the sender's or recipient’s email service.
5. The alternative to email attachments already exists
The Rampant data sprawl, total lack of security, and severe inefficiencies have been recognized for decades, why are organizations only now moving off of the aging technology? Up until the last several years, if you wanted to send a file through email, there really was no alternative. In recent years an alternative has become mainstream, namely, cloud storage (e.g. Box, Egnyte, Google Drive, MS OneDrive etc.). Indeed, the genesis of cloud storage was to overcome the file size limitations of email attachment. Since then the technology has blossomed into AI powered content management platforms. [6] Purpose built for secure file sharing, as easy to use as copy & paste, the modern replacement of the email attachment has arrived. In one fell swoop, the use of cloud storage mitigates: 1) file duplication by always pointing back to a single source; 2) content insecurity by enabling total control of content access while providing strong encryption during delivery; 3) risks from malicious files by providing secure preview of content away from user devices; and 4) inefficiency by transmitting files in their native binary formats.
Overcoming the Adoption Challenge
Of course, any technology is only effective if it is used. CIOs are constantly challenged by long held user habits, and few are longer held than email attachments. The good news is that the ability to use cloud storage links in email is becoming part and parcel of the most popular email applications, namely, Microsoft Outlook and Google Gmail. For even greater automation, technologies like mxHero’s Mail2Cloud platform transform email attachments into cloud storage links (Box, Egnyte, Google Drive, MS OneDrive, etc.) while requiring no end user involvement or software.
At mxHero we are seeing an increasing number of organizations looking to replace email attachments with cloud storage links. It is this growth and the reasons driving it, that point to the inevitability of the demise of email attachments. Given the immensity of email (4 billion users), the impact of this change will be widespread and profound, impacting everything from the core infrastructure underpinning our global data to the mobile experience of nearly every user. Like many advances, moving away from email attachments is an advance for the better. Here’s a toast to a more secure, efficient and productive future!
Sources