Those two things *are* actually related – keeping track of schedules while managing a project is pretty important. While I have managed to keep track of my schedule in planning the project of my upcoming Project Management class, I have still been surprised by the passage of time. The class starts tomorrow!! I’m finalizing content uploads and getting ready to start interacting with folks in the class. It’s not too late to sign up, though, if you want to brush up on one of the Top 7 Most In Demand Tech Skills of 2013 with me in a low-pressure and supportive environment!
Time will also fly by between now and my next real-world workshop – to be held in Maryland – on the use of the Getting Things Done time management theory in libraries on the 19th of February. I’m putting the finishing touches on that workshop too. Fortunately, nothing big (like, say, my 40th birthday on Feb 3rd or an upgrade of the ILS that I help to manage and 40+ libraries rely on that is happening the weekend of the 9th and 10th) will be happening soon… Also, I can’t forget that I’m writing a book on Evaluating Cloud Services for Libraries that will be due to my publisher in April. Between all of those activities – the class, the birthday party at my best friend’s house, the upgrade weekend, the book and the workshop, February will be an interesting month. It’s a good thing it’s so short!!
The Connections conference started with a keynote from SANS about securing the human part of your network. Lance started talking about his background in Info Security, honeypots and work with Sun Microsystems (starting originally with work in tanks in the military). “The simplest way to steal your password is to ask for it – the simplest way to infect your computer is to ask you to do it.” Technology has been very well secured – it’s MUCH easier to get the human users to do the work for the bad guys. The change began in August 2004 – when Service Pack 2 was released for XP with the firewall being turned on by default. This started the drop of technology-based hacking and began the era of human hacking. The human OS – you have Windows, Linux and human OSes in your network. We’ve done nothing to secure that human OS (my note: this is why training is so very important – it’s updating and patching the human OS in your network).
90% of malware requires human interaction (Symantec)
100% of successful APT attacks compromised the human (Mandiant)
Humans have to click a link, install a program, insert a USB stick or interact in some way to make the malware work.
Humans are bad at judging risk – we overestimate visual risks (lions and tigers, as opposed to something we can’t see) and overestimate risks when we aren’t in control (flying as opposed to driving).
“If it’s on the news, it’s probably really safe, because it almost never happens – or else it wouldn’t be news”
Social engineering – we surf and feel like we are in control (and the hack is silent and not visual at all), so we underestimate the risks of getting hacked because of those two factors. You check into your hotel room, get a call from the front desk to clarify a problem with your card, you give them your card number, and they’ve hacked you (a real problem at Disney World resorts).
Some worms now check keyboard settings before they send out their phishy emails so that they can send out a virus email to your friends in the language that you usually use (if your keyboard is set to Spanish, they send the Spanish version of the bad email to your contacts, in order to increase the likelihood that your friends will click on the link in the email).
Many trojans disguise themselves as anti-virus programs so that you not only infect yourself, but you pay $100 or so for the privilege of doing so.
Twitter and Facebook make malicious social engineering attacks easy – Twitter bots search for keywords and respond to any tweet using that keyword with a “discount” link for that particular item.
Goals of Awareness training – compliance and changing behavior. Lance concentrates on changing behavior (more powerful than mindless compliance).
The Plan: who, what and how? Who do you target for training? Employees, admin staff especially, management, and IT staff (they have privileged access to lots of resources – make sure they don’t, for example, post router configs on public listservs or use the same password for servers that they use for their Facebook account). What do you train about? (You are the target, social engineering, email and IM, browsers, etc.) Teach people that it’s not all just about protecting the organization, it’s about protecting the employee. How to train? Use imagery, videos, newsletters – make it as fun as marketing is these days. He showed an example video that promotes security awareness (social engineering, specifically).
SANS has a video awareness library – info in handouts. Newsletters are like patches – they have to be done regularly or people forget.
Inoculation – used to measure end user awareness, used to get their attention and reinforce training. Launch a phishing email of your own (benign, of course) and see who clicked and how many were fooled. Keep doing it as your awareness campaign continues and see how the numbers go down. Start with basic email and work up to targeted emails to test users.
Presentation and newsletters that can be redistributed are available on Lance’s blog.
Last week, David Lee King posted a note on his blog about your boss being you and it got me thinking about staff training and the “will to learn” by library staff. I like to think of myself as fairly self-motivated. I learned HTML, XHTML, CSS and PHP without taking any classes – just reading some books and playing. I have picked up on the social networking stuff without doing any formal training, too. I actually like taking classes (that aren’t even for credit…) and learning new things without anyone standing over me requiring that I do so. I still – even with those things in the positive corner – don’t think I spend enough time and effort keeping up and learning new things. I feel behind at times and am occasionally rather down on myself about what little I know (though I have moments of validation – I had a MORENet tech come in to see what I was doing wrong with our firewall and he couldn’t figure it out either, I felt a bit better about my networking skills after that, such as they are…). For staff members who don’t take the initiative to stay current on basic skills, though, how much more lost must they feel?
This year, I’ve asked the department heads to take a quick look around their departments and send me a list of the skills (computer-based, generally, but I’ll take anything and see what I can do about it) that they feel their departments need to work on in 2011. Armed with those lists and some excellent core competency lists that I have ~~stolen~~ borrowed from libraries and librarians across the country, I’ll be focusing on getting staff up to speed on the things that they and their managers feel they need to work on. What I’ll also be working on this year, though, is to really stress to people that these skills are not “extra” work – being able to manipulate a Word document or understanding how to edit a patron’s record in our automation software is not stuff that “might be nice” for staff to know. These are core skills that will make them better employees – here and elsewhere – and that it’s stuff they should probably devote some brain power to. Hopefully, the training this year will not only provide some hard skills in these areas but it will also give staff the motivation to learn some things on their own, without someone standing over them with either a stick or a carrot.
Regan Harper is presenting on converting face-to-face training into a web-based environment. The idea is to take face2face training that we give for LITA and adapt it for online environments.
- 2 tips for online – 1) give less of it & 2) organize into small units
- planning – is the topic good for online? synchronous or asynchronous? what do I need to change to make it work?
- breaking into chunks is important – end each session with a complete thought
- make sure attendees know your tech people – put tech support # for the tool up for them, for example
- keep it simple!!!!
- delivery – set ground rules, use appropriate pacing (slow!), appeal to all learning styles
- “be as engaging as you can, without being annoying”
- keep visuals moving – not just animations, but use highlight/pen/pencil tools to add movement to the screen
- ask lots of questions of the audience – keep ‘em involved
- gesticulate – wildly – it will be reflected in your voice – be dramatic