Anyone who has a swimming pool – or a neighbor with a pool – is probably familiar with the term “attractive nuisance” under US tort law. In layman’s terms, an attractive nuisance is something that may attract children but could potentially harm them. If a child is harmed, the owner of the attractive nuisance may be held liable.
I do not think that employees are children or childlike – but I wonder if email is the corporate equivalent of an attractive nuisance. When employees click on links in emails from unknown parties, even when security awareness training advises otherwise, is it due to the same curiosity that drives a child to sneak onto a construction site or climb a neighbor’s fence to gain access to a pool? Whether click-happy email behavior stems from curiosity or inattentiveness, the prevalence of phishing or social engineering attacks on email tips the scales away from “attractive” and more toward “potential” nuisance.
The use of emails as a favored vector for disseminating malware puts a spotlight on the ubiquitous platform that email runs on, Exchange Server. Server security and availability are primary considerations. In its Microsoft Exchange Server 2016 Audit/Assurance Program, ISACA has addressed these areas through providing configuration and deployment tests, role-based access control, performance, logging, and backup and recovery. The purpose of the audit program is to assist IT auditors in their assessments of deployments of Microsoft Exchange Server 2016.
Email exploitation is generally included when organizations expend time and resources on creating a culture of security. These efforts frequently start with an information security training program. While this is a great start, there appears to be a disconnect between information security training and user behavior. Therefore, creating a culture of security should include an assessment of training effectiveness, such as the use of phishing simulations. Additionally, security can be supported by frequent reinforcement of best practices in “tapas fashion” rather than “firehose fashion.” That is, present smaller periodic training segments rather than a longer annual session that may offer too much information at one time for some users.
Reliance on email is firmly institutionalized. It’s convenient. By extension, reliance on Microsoft Servers to support email and other Outlook functions, such as meeting scheduling, creation of task lists and contact records, continues to require significant efforts to ensure availability and security of sensitive information communicated through and stored by email. In this environment, coupling Exchange Server security and a culture of security go a long way toward ensuring email does not become a security nuisance.