I am sure most of you will have seen the recent news article about the unfortunate IT person in the NHS who sent out a test email to every NHS employee in the country. In itself it was an unfortunate incident, but the number of ‘Reply All’ emails that resulted indicates poor judgement on the part of many employees.
In another post I wrote recently I pointed out the dangers of including multiple recipients in the ‘To’ field – the risk being in the forwarding of such emails.
As we can see, ‘Reply All’ can be as lethal to security and the performance of communications systems as any external attack. In this instance, because fellow employees clicked on ‘Reply All’, they created an email storm which was in effect a denial of service attack.
While we were all entertained by the social media response to it, with its amusing images such as the one I’ve included in this article, it is entirely possible that the IT person was not responsible for the initial issue, as it may have been a bug, as has been reported. Who knows, but social media is good at delivering verdicts with little or no knowledge to hand.
The Reply All Option
I think there is a bigger lesson here and it is one that should have been learnt years ago! I remember back in the early nineties I worked for a company that used a mainframe for its email communications. Even back then I could be inundated with over 200 emails a day, 90% of which were via the ‘Reply All’ button. Most could be deleted without a second glance because they contained merely acknowledgements such as OK or a smiley face. Nevertheless I had to trawl through them all just in case someone said anything of value. In those days it wasted my time, and it does so too in today’s email-filled world. In the NHS this same problem clearly exists and, with the respondent numbers involved, caused the reported catastrophe.
In spite of the passage of time, the lesson seems not to have been learnt at all. For what purpose did the NHS staff click on Reply All? There was nothing in the email to respond to.
As my previous post on dangers in email usage suggests, there is not enough training for employees in the correct use of emails. There is a natural assumption that new employees know how to use email; after all, most own smart phones and emails are nothing new! We all know about assumption, don’t we?
In the end, one person’s mistake or otherwise led to a perfect storm of emails causing a home-grown denial of service attack. The single person is not to blame (let’s face it, which of us has NEVER made a mistake?); instead the culture within the NHS, or for that matter any other similar business, should be held to account. Blame of an individual is neither healthy nor necessary, because we know that without the inappropriate response of large numbers of staff, this one action/error would have had a significantly lesser effect overall.
And the lesson to be learnt? Companies need to stop making assumptions and start educating people in the correct use of everyday applications such as email. Train them in the hazards and benefits of such applications – it will save money and time in the long run.