Do you know how frustrating it is to send an e-mail to someone and have it rejected because it is too large? My latest e-book, "Windows 7 Unveiled," comes in at 11MB. In my mind, that is nothing in terms of size, but it is constantly getting blocked by incoming and outgoing e-mail limitations. The limits imposed (typically 10MB) are not large enough to accommodate the needs of the modern user. I know that the reason for the limitation is to keep a lid on network bandwidth and storage concerns on the e-mail server. But there's a security breach risk created by the limitation.
Joe User wants to send an 11MB file but is blocked by the e-mail policy that prevents large file attachments. Joe User becomes creative and finds a P2P file-sharing alternative. Or maybe he puts it on a USB drive or a CD, or he uses an FTP product. Is Joe User concerned about the security of that file (which may be personal -- or may be sensitive company information)? Not at all. Joe User is concerned about getting his job done or meeting a deadline (or sending out his new e-book). Unfortunately, files sent via P2P, IM, CDs, or FTP are a data breach waiting to happen.
Corporations and government agencies alike have made headline news for exposing sensitive information using unsecure file transfer. President Obama's new helicopter plans were exposed because of P2P file-sharing software. For corporations, the financial consequences of a data breach can be significant. Recently, three HSBC firms were fined more than $4.9 million by the U.K.'s Financial Services Authority for failing to protect customers' confidential information. The blame for the failures is being placed on the lack of training in the firms because large amounts of unencrypted data were sent to third parties.
As an IT administrator or a decision maker for the security elements of your organization, you need to find ways to plug the gaping hole that is created by a restrictive e-mail policy. That isn't to say you should alter the policy. You raise it to 15MB, and a user comes along with a 20MB file. Raise it to 20MB, and someone will want to send a 50MB PowerPoint with lots of pictures. A line has to be drawn. But if you have an attachment-heavy company (where users typically need to send, for example, CAD drawings, MPEG files, or tech specifications), you have to prevent the creative, sharing minds from forming a security hole. E-mail security needs to include consideration of file transfer security.