Note: This blog entry was originally published by the TCEA TechNotes blog. Read other awesome blog entries by the TCEA team online at www.tcea.org/blog
“Why did he click on that email attachment?” asked one technology director I spoke with recently. The click led to a ransomware attack that expanded to the business department’s server, resulting in frantic data-saving actions. For many technology directors, the problem is not the phishing or the ransomware. The real problem is their lack of influence to bring about change in the organization. Consider this problem in light of a common occurrence in education today.
In spite of knowing these things, staff continue to click on phishing links where they happily share their username and password via an insecure website, send copies of confidential documents to complete strangers, or click on ransomware that encrypts their computer, then spreads to everyone else’s. These actions by a few individuals wreak havoc on the whole network, and small districts especially are overwhelmed.
The traditional response involves disciplining staff, even terminating them in severe data breaches. They should have known better, right? Oh, but wait, your district does not have a safeguarding sensitive data policy in place (many districts do not, which is why I offer this one as a start). It involves buying and issuing hardware (e.g., Chromebooks, iPads, MacBooks) that malware (e.g., ransomware) can’t work its dark magic on (YET…you just know hackers subscribe to growth mindset, right?).
It means locking down Windows computers with Active Directory policies and Deep Freeze so that technicians don’t have to spend a lot of time fixing user errors. This has been standard practice for years. Here’s a roundup of advice that should help districts that want to keep closing the gate after the livestock has made its getaway. That is, mopping up the mess after someone has been hacked, phished, taken.
CTOs and superintendents should also register to attend the upcoming May 2017 TCEA Technology Leadership Summit, as well as pay a small fee to access the audio and notes from the 2016 Technology Leadership Summit.
But what if there was another approach, employing motivation, influence, and authority?
In their book, Influencers, the authors suggest identifying vital action(s) that can be taken. These vital actions consist of the desired behavior(s) that must change. Rather than try to change twelve or more behaviors staff exhibit, focus on one or two that will have the greatest results. For example, try to encourage adoption of this behavior:
This can be as easy as sending a new email to the person who contacted you and asking, “Did you send me a file attachment that says ‘burnbabyburn.exe’?” Wait, you can even get more done. Walk over to the person who sent you the email attachment and ask them, “Did you send me a file I didn’t ask for?” Or just call them or text them on your mobile phone. This ONE behavior change would stop 99% of the issues technology departments complain about (e.g., ransomware, viruses, malware as attachments, AND sending sensitive data to complete strangers).
When seeking to change behavior, the authors of Influencers recommend recognizing that there are six sources of influence. Often, we take into account only the first two when trying to bring about change:
While this has been a lighthearted attempt to address the challenges end users face every day, it is important to realize that changing ONE behavior can result in significant change. When you go about changing it, realize that asking people to do the right thing and training them is not going to get it done. Unleash all sources of influence to bring about the change you want.
Everything posted on Miguel Guhlin’s blogs/wikis is his personal opinion and does not necessarily represent the views of his employer(s) or its clients.