Hey, [Insert Family/Friend Name Here], Let’s Talk About Online Security
August 11, 2020
Security
2020 keeps on proving the old adage, “It gets worse before it gets better.” We still seem to be in the “worse” stage. If you’ve been paying attention to the news—and I don’t blame you if you’ve been taking a break for sanity’s sake—you might have noticed (in addition to the reports about the pandemic and social issues) hacks and general security breaches have been ramping up. The enforced rush to remote work environments has left gaps attackers were all too willing to exploit. The recent breaches of Twitter, Garmin, and Drizly (along with hacks of some dating apps back in May) have proven any business can be a target, no matter how unassuming it might be. To my mind, it’s time to revisit the online security conversation. No, not with our companies or coworkers (although we should revisit it with them, too), but with our kids, parents, grandparents, friends, or even the strangers you’re trying to connect with in the “How does dating work right now?” world.
What I’m saying is, let’s normalize the security conversation.
Though things like online shopping, gaming, dating, streaming, and the like aren’t new, the traffic has clearly increased with the advent of these “What else are we going to do?” times. Many things can be done “anonymously” online—either with an anonymous username or a created username with nothing to do with you personally—which gives the illusion of true anonymity. People feel more comfortable sharing things about their lives or themselves when they think it can’t be linked to them. Most applications still require information—real, actual, “this is YOU” information—to set up an account, and even though it may not be obvious to run-of-the-mill users, this data is pretty much available to anyone who wants it, as these recent attacks on alcohol delivery sites, fitness tracker sites, and social media sites have shown. After all, the data is kept somewhere, and someone with the right skills can obtain it.
When talking to non-IT folks about online security, you have to make it relatable. Oftentimes, I’ve heard things like, “I’m not important, so no one will bother trying to get my information” or “I have no money and no credit, why would someone bother with my identity?” or “I’m just a kid, some scary hacker person isn’t going to be interested in me” (OK, that last one is definitely not word-for-word). The point is, many people feel secure because they’re just “ordinary, normal people” and not a CEO of a company, a politician, or whatever role they think is “important.” In my life, I break this conversation down into two groups: adults and kids. They participate in the online world differently and have vastly different life experiences, so the conversation should be different.
My son is 10, and recently (“finally,” in his eyes), I’ve allowed him to play games online. Sometimes, parenting is hard—I want to give him the freedom to grow and learn and have a good time, but I also want him to be safe. In the lead-up to more exposure online, we’ve had many conversations about safety and caution, and I plan to rehash these often as time goes on. I only allow him to play online with people he knows in real life; I don’t feel he’s developed the capacity to tell a good person from a potentially bad person yet (and even as adults, we’re sometimes fooled), so I have to approve every person he plays online with. Over the past couple of years, it’s become necessary through schoolwork to allow him access to the internet, but it’s always with my assistance. I explain the things I do and WHY I do things that way. I want him to learn the reasons so he can be wary on his own. Kids push the boundaries of parental control all the time; it’s natural as they grow.
As the internet grows and changes, so should our safety practices. When I was a kid, it was concern over AOL instant messaging and the age-old a/s/l in chat rooms (and rightfully so). Recently, I read an article on Wired regarding underage kids on Twitch and the predators finding them there. I like to keep an eye out so I can educate myself (and him) about new online dangers.
The pandemic has increased the amount of gaming he does and the amount of time he spends online. He’s constantly looking to download things (from skins for Minecraft to new games), so we have conversations to ensure he’s downloading from a reputable source and to show him how to check files using antivirus tools. Though he still has to get my approval for new downloads, I know honesty may not always win out—I can’t always watch him like a hawk, and kids can be impatient when they’re excited. So I try to teach him what I can and emphasize it often, even to the point where I get eye rolls and “I know, Mom” rebuttals.
My son doesn’t have a phone, and I plan on sticking to this path as long as possible. This means I don’t have to worry about phone apps and mobile security, but if you do, I suggest making it a normal topic of conversation. The more normal it is for kids to actively converse on topics of safety and security, the more it’ll become a subconscious effort to protect themselves online.
For adults—I’m mostly thinking of my mom, here—you can take a vastly different approach. They’ve seen the apps asking if they want to turn on two-factor authentication and may have heard about the Target breach a few years ago, so they have some real exposure. I often find myself asking my mom about what she’s downloaded on her phone, whether she’s leaving apps open, and if I can check her settings. She’s not tech-savvy at all and finds herself manually writing things down, using the same password in multiple apps, and leaving apps open on her phone, though she’s still conscious enough of issues to rant about the smart speaker in the house and cover her webcam. I find the semi-aware adult to be much more of a risk, as they take one of two routes for each issue: the “I don’t need to worry about that because I’m not important/wealthy/whatever enough to be of interest” route or the conspiracy-laden route, and there’s no telling which way they’ll go. These latest breaches at Drizly and Garmin can be used to prove to these skeptical adults that any data is data someone wants.
Now is a good time to have these conversations—well, it’s always been a good time for them—because of the forced circumstances. People are reconnecting online after years of not talking (I had a conversation yesterday with a friend from high school I haven’t spoken to in at least seven years), which leaves a vulnerability for phishers and attackers to impersonate someone you once knew. The amount of publicly available information about a person would shock many people, and all of it can be used by someone to ingratiate themselves into your life so they can ask for money or for more information they can use or sell. So have the cautionary conversations, make sure people who aren’t in IT are aware of the tactics they can use to be more secure, and raise awareness that these breaches aren’t isolated incidents. With the upcoming election and current civic turmoil, I expect we’ll continue to see a rise in malicious activity, so we should all stay on our toes.