“Why did he click on that email attachment?” asked one technology director I spoke with recently. The click led to a ransomware attack that expanded to the business department’s server, resulting in frantic data-saving actions. For many technology directors, the problem is not the phishing or the ransomware. The real problem is their lack of influence to bring about change in the organization. Consider this problem in light of a common occurrence in education today.
Note: This blog entry originally published by TCEA TechNotes blog. Read other awesome blog entries by the TCEA team online at www.tcea.org/blog
Knowing vs Doing
What is Known:
- Hackers, phishers, and scammers want our personally-identifiable information. They can sell it for $10 or more on the darknet, where illegal transactions happen (think “Silk Road“).
- Bad people send out emails to educators. These emails appear legitimate. They invite district staff to surrender their username and password and then send decrypted sensitive data and/or ransomware that use staff’s machines as a beachhead to infect the rest of the network.
- Staff know NOT to fall for these traps, but do so anyways.
What is Done:
In spite of knowing these things, staff continue to click on phishing links where they happily share their username and password via an insecure website, send copies of confidential documents to complete strangers, or click on ransomware that encrypts their computer, then spreads to everyone else’s. These actions by a few individual wreak havoc on the whole network, and small districts especially are overwhelmed.
The Traditional Response
The traditional response involves disciplining staff, even terminating them in severe data breaches. They should have known better, right? Oh, but wait, your district does not have a safeguarding sensitive data policy in place (many districts do not, which is why I offer this one as a start
). It involves buying and issuing hardware (e.g. Chromebooks, iPads, Macbooks) that malware (e.g. ransomware) can’t work its dark magic on (YET…you just know hackers subscribe to growth mindset, right?).
It means locking down Windows computers with Active Directory policies, Deep Freeze so that technicians don’t have to spend a lot of time fixing user errors. This has been standard practice for years. Here’s a roundup of advice that should help districts who want to keep closing the gate after the livestock has made its getaway. That is, mopping up the mess after someone has been hacked, phished, taken.
TCEA’s Roundup of Ideas for Safeguarding Sensitive Data
But what if there was another approach, employing motivation, influence, and authority?
A Fresh Approach: Influence
In their book, Influencers
, the authors suggest identifying vital action(s) that can be taken. These vital actions consist of the desired behavior(s) that must change. Rather than try to change twelve or more behaviors staff exhibit, focus on one or two that will have the greatest results. For example, try encourage adoption of this behavior:
Assume emails with attachments are suspect, so verify the source of the email. This can be as easy as sending a new email to the person who contacted you and asking, “Did you send me a file attachment that says, “burnbabyburn.exe?” Wait, you can even get more done. Walk over to the person who sent you the email attachment and ask them “Did you send me a file I didn’t ask for?” Or just call them or text them on your mobile phone. This ONE behavior change would stop 99% of the issues technology departments complain about (e.g. ransomware, viruses, malware as attachments, AND sending sensitive data to complete strangers).
When seeking to change behavior, the authors of Influencers
recommend recognizing that there are six sources of influence
. Often, we take into account only the first two when trying to bring about change:
Source 1 – Personal Motivation
- Make the undesirable, desirable.
- Example – Do you really care if your computers gets infected with malware and you lose data? It’s not that big a deal, after all. A technician will come fix it eventually and most of your work is done on paper anyways. Instead, you must passionately care about protecting your data and that of your students. If someone tried to take one of your students hostage, you wouldn’t be so passive.
Source 2 – Personal Ability
- Surpass your limits.
- Example – Do you have the skills and knowledge to know when you’ve encountered an email that is intended to do you and yours harm? You probably have an idea that you shouldn’t click on bad emails. Learn what you need to be better on guard.
Source 3 – Social Motivation
- Harness peer pressure.
- Example – Do others on your team or your department really care about email and email attachments? Maybe they go through their spam folder looking for problematic emails because they need a break? What if everyone on your team was motivated to help each other NOT open spam emails with attachments or to practice the desired behavior?
Source 4 – Social Ability
- Find strength in numbers.
- Example – Who could you speak to in the district who could help you obtain the knowledge or resources you need? Maybe there’s a SafeSchools or EduHero eCourse you can take or a free ebook you can read.
Source 5 – Structural Motivation
- Design rewards and accountability.
- Example – When you check your email, are there a ton of emails waiting for you, so that you despair about getting through all of them and just click on anything? Maybe you can adopt Inbox Zero strategies so that email isn’t so overwhelming. Avoid sharing your confidential data (username and password) anywhere online since it can be so easily taken.
Source 6 – Structural Ability
- Change the environment.
- Example – Maybe your district could adopt a different communications medium that isn’t susceptible to malware email attachments, like Slack or Microsoft Yammer or Teams.
While this has been a lighthearted attempt to address the challenges end users face every day, it is important to realize that changing ONE behavior can result in significant change. When you go about changing it, realize that asking people to do the right thing and training them is not going to get it done. Unleash all sources of influence to bring about the change you want.
Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure