Reply To All

Accidents Can Happen, But We Need To Learn From Them.

Despite all the technological advancements of the last few centuries, the scientists and engineers of this world have yet to crack the ‘if only I could turn back time by 30 seconds’ capability that is often needed once you have incorrectly addressed an email.

If that technology had been available, then the National Health Service (NHS) staff member who this week inadvertently sent an email to all 840,000 staff members would have been its biggest fan. As members of NHS staff then “replied to all”, they further exacerbated the issue, and the email system quickly ground to a halt after no doubt frustrating tens of thousands of hard-working individuals in the process.

Any organisation that has a global staff email list that can be accessed by anybody, even accidentally, needs to swiftly review its email usage policies. As a former IT Manager, I often witnessed how such lists were wildly used for the most menial of messages; lost umbrellas, missing office furniture and requests for lifts to and from work clogged up the inboxes of everyone. When such messages are sent out to thousands of people, who in turn open and read them, the sheer loss of productivity is a compelling enough argument to apply some restrictive managerial guidelines. When such a list is used accidentally, it just cries out that there is a most basic lack of IT awareness within an organisation.

In my previous work life, I often would stress that email is a tool that, despite its many positive virtues, can also have a destructive effect on an organisation if not used properly. I would recommend that all staff required training on its technical use and its use within approved operating guidelines in a vain attempt to ensure that company confidential information was not ‘accidentally’ distributed across the entire workforce. In this instance, I failed and inane messages continued to propagate.

What if the accidental email within the NHS had not been an accident, but had been a disgruntled employee blowing the whistle on a company matter that they didn’t agree with? What if that email had successfully forwarded a variant of malware, one that had slipped through the cyber net, to all users? What if that email had contained imagery or messaging that caused deep offence? This clogging up of the NHS email system could have been considerably more damaging, and companies would be wise to use this example as a stark warning of what could have happened.

As the number of victims of cybercrime continues to rise, as do the losses sustained by those victims, such apparently small loopholes that can be triggered even accidentally simply have no place in a modern IT environment. As a company develops a cyber culture, all policies on how IT is designed, implemented and utilised require careful and open-minded review and discussion. Companies have to put themselves in the mind of a cybercriminal, be that an external or, as in this case, an internal threat, and attempt to predict how that person may inflict criminal damage on them for gain or disruption. Such a flaw as a ‘send to all’ mailing list should have even the most liberal-minded cyber specialists waving a red flag with such vigour that you could be excused for thinking that they were attempting some sort of military-inspired coup!

The spectre of cybercrime changes everything. Just because email has been used in a certain way for the last decade or so, does not mean it can continue to be used in that way any longer. It poses a threat; a threat that staff must be trained to understand, to recognise and to prevent from occurring. They need to have confidence in their own technical ability to use these powerful tools effectively and safely, supported by and guided by their technical teams of choice.

I confidently predict that in years to come future generations will look back on the way in which companies insecurely and naïvely use email in the early part of this century with the same shock that we often have when viewing working practices in the past. I’m old enough to remember when people could openly still smoke at their desks in an office at any time. To the millennials that concept understandably looks positively primitive – and it was! However, at some point in time legislation had to ban such practices and companies had to adhere to them.

Policies and procedures for acceptable IT use require rethinking in this new cybercrime-ridden world. Accidents like this highlight how far many organisations still have to go to close off vulnerabilities within their IT systems that could be advantageous to a criminal. I just hope for the sake of the NHS that a similar accident in the future will not prove to be much, much worse.