The Scourge of Attachments

By Allen Bernard

You've trained your employees not to open unsolicited email attachments. You've told them time and again that opening attachments can have a devastating effect on the network. Yet this problem is still so pervasive at many companies that it is the main cause of network infections.

So, the ongoing question is: What can be done about it?

Training, according to the experts, is only the tip of the proverbial iceberg. After an employee has been trained in proper email protocols and made aware of the company's policies on opening attachments, your job is done, right? Well, not really.

Training is just the first step, said Ronald Jacobs, a professor of workforce education at The Ohio State University in Columbus, Ohio and author of Structured On The Job Training.

"It's obviously not a problem that training can solve," said Jacobs. "Training is designed for where there is a lack of knowledge and skills."

In the case of email attachments, the knowledge is generally there and it requires almost no skill to open an attachment, so training will have limited results.

According to Dawn Snyder, a certified performance technologist and principal of Dawn Snyder & Associates in Columbus, the attachment scourge is a performance issue. People either don't remember, are too busy, don't care or are of the "it-can't-happen-to-me" mindset when it comes to email attachments.

"There are a number of reasons when behaviors like that persist," said Snyder. "One is that the correct thing to do has not been communicated. Another is people are inundated with all kinds of messages about their technologies and so some of them they don't feel are pertinent to them. So they are choosing to ignore that message because they don't believe the consequence applies to them or the possibility of a consequence, like the one they've heard about."

Provided your company actually has taken the steps to inform employees that attachments are verboten, then addressing the other issues -- too busy, don't care, can't happen to me -- requires an institutional and systems approach. Policies need to be continually communicated (institutionalization) and systematically enforced to be effective.

Yet, enforcing email policies often falls into the same category as the no-phone-calls-at-work policies most companies have in place. So long as people don't abuse their phone privileges by calling Beijing to chat with a friend, rarely is the policy enforced to any degree. And since both email and the telephone are such common communications tools, people tend to become lax when it comes to email issues as well, said Snyder.

"'I'm not the problem'" is a common refrain, said Snyder, "'this thing comes from my mom and she got it from her Bridge partner.'"

Email is like safety, said Jacobs. People kill or injure themselves all the time on the job even though they've been trained not to. This is why institutionalizing performance is key to preventing or changing bad behaviors, he said.

"If you can determine it's in fact a knowledge gap," agreed Patricia Galagan, vice president of content for the American Society for Training and Development in Alexandria, Va., "that people don't know about whatever the problem is, then training would be appropriate. But if it turned out the problem was something else -- environment, something in the way they were being managed ... then you could train them fairly well and they would never get it. So, training is not always appropriate for all problems. So, maybe that's what's going on here."

To figure out where performance problems lie you have to approach the problem systematically, she said. Is there a communication problem? A workflow problem? Or are people just so busy they don't take the time to think? Or maybe it's a combination of the three.

While technology solutions, like not letting attachments through to end users, could be one approach to solving the problem, they can rarely tackle and solve the problem on their own, said Snyder. Often, relying solely on technology to solve the problem just leads to more or different problems.

What's better is to use technology while working proactively towards user buy-in, said Jacobs. And to get buy-in you need to institutionalize the process.

Feedback mechanisms, job performance guides, manager follow-up, consequence training on the effects of viruses on the business and its bottom line or, even better, employee bonuses; "[a]ll those types of things provide for a system of information going through people so they clearly understand, in concrete terms, what the likely outcome is going to be if they do this behavior," he said.