If you could get the people you know to commit to doing just a few things right around cybersecurity, what would they be?

I often ask myself the above question. Given my line of work in cybersecurity awareness, I guess that’s no surprise.

But it’s not just a work question. I’m not just talking about what we all want our employees to know about cybersecurity. I’m asking, what do you wish your mom, your brother, your wife, and your kids all knew about all the dubious and risky junk that floats around the Internet? What would you like your family to know so they can be more mindful of some simple things they can do to protect themselves?

I can’t count the number of times I’ve interacted with my mom; with my brother; or with my 25-year-old son and I thought to myself, “What is it that they are not getting about cybersecurity?” Or to put it another way: “What is the mental model I wish they had that would make it easier for them to be cybersecure?”

But what are the core things that I might ask my friends and family to do at home, when they travel, when they work, etc., to keep themselves secure? I wanted to put this in terms of a pledge, in simple terms that people who didn’t obsess about security and privacy could understand. And so I came up with this “Cybersecurity Pledge” that I’m going to send to my friends and family. I’ll start with my mom—but it could be addressed to anyone.

Dear Mom,

I’m glad you called me the other day about that screwy email you got. You’re darned right you should never provide your bank account info! I can tell you’re really getting smarter and more skeptical about some of the goofy stuff that’s out there on the Internet.

But as I was telling you, that’s just a start. There are a couple other areas where I’d really love to see you think about what you need to know and what you need to do to protect yourself. Remember when I was 16 and you asked me to promise to always wear my seat belt?
I’ve worn it from that point on, and I know you only asked because you love me. Well, I want you to promise me that you’ll take this “Cybersecurity Pledge.” It’s a bunch of things you can do to protect yourself and your information. They’re not hard to do, and I’m happy to talk about any parts you don’t understand. Here’s what I want you to promise (with a little explanation about what it means for you to take this pledge):

My Cybersecurity Pledge

I won’t take the bait

I know that phishing is the single easiest way for cybercriminals to get at me. So, I’ll take the time to understand the ways that malicious links and attachments are disguised, and I’ll commit myself to never clicking links or downloading files — on my computer or my phone — until I’ve taken the time to verify they are safe.

I’ll use strong passwords

I know that passwords are the most common way for me to prove that I am who I say I am when I log in to websites, apps, and systems that contain sensitive information. Therefore, I’ll use a password manager to create and store strong passwords. (Second best: I’ll use a foolproof system to create strong passphrases, and I’ll never use the same password across all my logins).

I’ll connect securely

I know that failing to use a secure Internet connection exposes my information to possible theft. So, I’ll always look at website addresses to be sure they are secure (look for https://), and I’ll only use WiFi networks that offer password protection.

I’ll keep my software up to date

I know that operating system and software makers use updates to provide important security and privacy protections, so I’ll sign up for automatic updates whenever possible. I’ll also be alert to opportunities to upgrade to more secure versions of software. I’ll also keep an eye out for signs of malware, like pop-ups, blue screens and system slowdowns.

I’ll use social media; I won’t let it use me

I know that when I use social media, I’m trading information about myself for the right to use a service — and that means I give up some control of my information. So, I’ll take full responsibility for what I share and who I share it with. I’ll learn to use any available privacy and security controls, and I’ll be very cautious about what information I disclose publicly.

I’ll only share what I have to

I know that the more personal information I disclose — on websites, on the phone, everywhere — the more I expose myself to risks, in the form of identity theft, hacking or just simple public embarrassment. Therefore, I’ll always seek to minimize the personal data I share to only that which is needed to conduct a transaction, join a service or make a purchase.

I’ll keep my eyes out for cybercrime

I know that cybercriminals can use all kinds of methods to get at me and my information, including phone calls, personal contact, etc. Therefore, I’ll be on guard for suspicious actions wherever I encounter them, and I’ll always seek to verify that attempts to get information are legitimate. If I notice something weird, I’ll report it to the right authority.

What do you think, Mom? I know that there’s some stuff you might not understand in there, and we can go over what malware is and how to set privacy controls. But you can easily Google most of that stuff. The important thing is that you recognize that you can keep yourself safe. It’s not as hard as you may think.

See you for dinner next week!

Love from your son, the cybersecurity nerd,
Tom

This is the pledge I’d ask my mom to make. I’d add a few more items for my kids and brother — something on cloud computing and working remotely. I’d also tack on some items for my colleagues at work, like how to identify and protect personal and confidential information (I’d probably remove the corny stuff for them too!).
But for me, this is a good start on some things we all can do at home and at work to be more secure. Are you ready to take the pledge?