Cybersecurity New Year’s Resolution #4: Teach someone about cybersecurity
Over the last three weeks, we’ve given you some suggestions for how to change your habits and improve your personal cybersecurity posture this year. So far, we’ve covered password managers, two-factor authentication, and phishing awareness — but for our final “Cybersecurity New Year’s Resolution”, we’re going to suggest something a little bit different. Rather than doing something to protect yourself, we’ll challenge you to teach someone else about cybersecurity and help them take steps to keep themselves safe.
Why you should do it
There are a few reasons why teaching others about digital security and privacy (and helping them take action to keep safe) is a great idea.
First of all, there’s the altruistic motivation. Let’s face it: Many people are woefully unprepared to deal with today’s cybersecurity threat landscape. And that’s not OK, because the consequences of poor security practices can range from the mildly annoying to the legitimately dangerous. So first and foremost, teaching others about how to stay safe online is a way to take care of the people in our lives, whether we’re talking about loved ones, friends, or coworkers.
Secondly, teaching is a great way to deepen your own knowledge of cybersecurity. In general, any time we have to teach something to someone, we need to make sure we understand the subject matter thoroughly. Putting on your trainer’s hat can be an opportunity to go a little deeper into the hows and whys of the best practices you’re already following.
And finally, teaching others about security creates a kind of “herd immunity” effect. In other words, the better protected the people around you are, the safer you are. To offer just one example of what we mean, think of an all-too-common scenario: ransomware infections at work. While you might know not to download strange attachments from unknown senders, that knowledge won’t help you if your co-worker falls for a phishing email and downloads ransomware. Your department’s network could go down for days or weeks, directly impacting your own work.
Time investment: Low — 15 to 30 minutes.
How to do it
In what follows, we’ll give you some suggestions for how to teach the people in your life about better security and privacy. But before we do that, here are some general suggestions for talking to people about technology:
Be patient, and explain everything
When we interviewed award-winning tech educator Michael Hartl, he had this to say about communicating with people who don’t have much of a technical background, and we think his advice is good enough to reproduce in full here:
“I definitely counsel patience, and it’s important to adopt a forgiving attitude. One thing I’ve noticed is various linguistic tells, such as the use of the phrase ‘of course’ — I can’t count the number of times I’ve heard technical people say ‘Of course…’ and then state something extremely non-obvious to non-technical people. I try to practice something along the lines of the house style of The Economist magazine, which writes things like ‘Mark Zuckerberg, CEO of Facebook’ or ‘GE, an American conglomerate’. By always explaining everything, you mitigate the risk of coming across as condescending, while also including anyone who might otherwise be confused.”
Start small, go easy
Rome wasn’t built in a day, and good cybersecurity practices aren’t going to happen overnight. If you’re talking to someone who’s never thought much about digital security before, then it doesn’t make sense to ask them to enable two-factor authentication on all of their accounts, or to start telling them about esoteric forms of malware: They’ll be overwhelmed, and less likely to take any action at all. A much better approach is to start with something simple, fast, and hands-on — something that won’t be intimidating, yet can benefit them immediately.
Don’t feel you have to know it all
If the person you’re talking to asks you a question you don’t know the answer to, don’t sweat it! It’s actually a perfect opportunity to teach a skill that’s even more important than any single bit of technical knowledge: the ability to find your own answers. If you run up against the limits of your knowledge, just search for the answer together. Show your friend, relative, or co-worker how you find answers to technical questions: which resources you use, how you formulate questions in searches, and so on. Never feel that you have to know everything in order to teach someone about computers — and remember, even professional programmers and security experts will tell you that they Google for answers to their own questions all the time!
With that in mind, we recommend starting with just one of the following 4 things:
Show them HIBP
Most people who are caught up in data breaches never even know that they’ve been affected. And that can have serious consequences, because they may go on using compromised credentials — credentials that are being sold or traded by hackers on the dark web. If they’re using the same password on multiple sites, their risk is even higher.
Have I Been Pwned is a free data breach aggregation service, and is a great way for people to see if their email address has ever been found in a breach. Introducing someone to the site is an excellent and low-pressure way to empower them to take charge of their own security — and can help to begin a conversation about data breaches, strong passwords, and the dangers of reusing passwords.
Head to the main HIBP site together, and you’ll see a place where they can type in their email address. If the email address has ever been part of a known data breach, HIBP will let you know — and will provide information about which service or services were involved in the breach. Explain that they’ll need to change their password for that service, and that if they’ve been using that same password on other sites, they should change their password for those sites as well.
Do a password check-up
Another great way to help someone improve their security is to bring up the topic of passwords: how to create good passwords, and avoid weak ones.
You could start by having a word with them about what it actually means to create the “strong, unique” passwords we always talk about: choosing passwords that are at least 8 characters long; using a mix of special characters, lower and uppercase letters, and numbers; and avoiding things like birth years, pet names, and anniversaries. If you want a refresher, check out this classic Checklist.
You might also want to show them another feature over at Have I Been Pwned: the site’s “Pwned Passwords” tool. This lets you see how many times a given password has appeared in breaches. Just type in any password that you use, and you’ll immediately see if it has ever appeared in a known data breach. If it has, note that this doesn’t mean that the password was linked to one of your own accounts. More likely than not, someone else was just using the same password: a great demonstration of how hard it is for most of us to create truly random, unique passwords!
If they do find one of their passwords here, it’s a definite reason to change it wherever they’re using it, and to never use that password again. It’s also an opportunity to start introducing them to the wonderful world of password managers!
Take a quiz
One of the biggest issues in improving the cybersecurity posture of the general public is that people, while well-intentioned, are largely unaware of the dangers they face. In other words, they don’t know what they don’t know, and that makes it awfully hard for them to take action to protect themselves!
If you’ve been following our Cybersecurity New Year’s Resolutions series, you’ve already seen our Phishing Awareness Quiz. But this might be a little advanced for our purposes here. Luckily, we also have a general knowledge quiz on our site, which is a great introduction to cybersecurity issues. This is something you can send to someone as a link, or show them over a cup of coffee if you’re hanging out together.
The quiz is meant to be educational, meaning that it doesn’t just tell you when you’re wrong: It offers an explanation of why a wrong answer isn’t quite right, and full information about the correct answer. It’s a gentle way in to cybersecurity topics, and a fun, low-key way to broach the subject of improving cybersecurity practices.
Listen to a podcast
If you have a coworker you carpool with, or a friend or relative you frequently find yourself driving with, another way to introduce them to security and privacy issues is by putting on your favorite security podcast the next time you’re in the car together.
Oftentimes, people are more receptive to good advice when it’s presented in a news or entertainment format — and a security-themed podcast checks both of those boxes. There are some great security podcasts out there, and many of them are aimed at a general audience, making them enjoyable and educational even for listeners without any kind of technical background.
We’re a bit biased, of course, but we’d recommend our very own Checklist Podcast as a prime example of this kind of show. The Checklist is meant to be engaging and topical, and while it sometimes delves into technical subjects, our hosts August and Ken always try to make things accessible for everyone. They do all of this with a sense of humor and a healthy sprinkling of pop culture references, which makes The Checklist a great listen even for folks who don’t usually follow tech podcasts.
Popping on The Checklist or another security podcast while you’re on the way to work or heading somewhere together is a fun way to share your interest in cybersecurity with someone who could really benefit from it. And best of all, you can let someone else do the explaining!
That takes us to the end of this year’s series of Cybersecurity New Year’s Resolutions, so there are no more “next steps” as such. But of course, learning about cybersecurity (and sharing what you know with others) is something that we should be doing all year long.