Cybersecurity…for civilians?

— This is a guest post by Barron “Keith” Bird —

They’re all around us. If you’re like me (a techie and an IT professional), then you have a lot of non-techies in your life. People like my wife and relatives. Like me, you’ve probably been pulled aside more than once to be asked a question or to help solve a problem that your non-techie friend is facing.

But just to clarify, by “non-techie,” I don’t mean “completely ignorant of technology.” I do have family members whose skill set does not rise to cutting and pasting, but that’s not who I’m referring to here. No, I mean people who are perfectly capable of surfing the web, buying stuff online, working email, doing a Google search, etc. They know how to do what they want to do on a computer, but I’ve noticed (to my annoyance) that for some unfathomable reason they don’t seem to be much interested in stuff I’m interested in, like…

    • DNSSEC (they don’t know or care about what DNS is)
    • IPv4 vs. IPv6 (they don’t know or care about what IP addresses are, or at most have a vague idea about them)
    • Why HTTPS is more secure than HTTP (what?)
    • What’s the difference between WEP and WPA (again, what?)
    • The dangers of the IoT (they don’t even know what that is, even while they have 10 different “smart” devices in their home)

You get the idea. And I’ll bet if you’re a techie, your instinctual reaction on reading that list was 1) you immediately recognized everything I was talking about, and 2) a not-so-suppressed sigh and “What?! They don’t even know what DNS is???” Well, a lot of people do, but a lot more don’t.

And please don’t fall over and hit your head as I propose something radical:

They don’t need to.

They don’t need to know or care about stuff that you and I care about.

Not to keep themselves (a lot more) secure online.

They want to be able to do what they want to do online (stuff like I mentioned above), and as long as they’re able to do that, they don’t give a rip about that other stuff. We’re innately curious about things like how WPA-3 is so much better than WPA-2. They care about getting their job done (if they’re in an office) and about ordering the latest whatever on Amazon successfully. If they’re able to do that, they’re good.

How do I know this?

Well, I guess it’s time for just a little background on myself. I’ve been in IT for about 10 years now, most of that in helpdesk/desktop support. Before that, I’ve been a salesman, a customer service rep, a grocery store bagger, and a few other positions. See the pattern? In each of these jobs, I had to acquire what we call “soft skills.” And chief among these skills (in helpdesk) was being able to speak non-techie to non-techie.

And of course this spilled out in my relationships outside work. It helped with non-techies like my mom. She passed away a few years ago, but while she was here, while I was working helpdesk jobs, I provided (free) tech support to her. I remotely accessed her PC so I could set up her printer, do Windows updates, etc. I had to help her without making her feel like an idiot while I showed her (for the tenth time) how to reconnect to her printer.

I still do that for my wife, relatives, and friends.

The problem is that as I transitioned to cybersecurity, I noticed that their lack of technical knowledge spilled over into ignorance about the basics of keeping themselves (relatively) secure online and on their computers. I had to preach about and finally convince my wife and others to use a password manager instead of using the same password everywhere they went. About not using Starbucks wi-fi without a VPN. About not…clicking…that…link…in…their…email (insert teeth grinding noises here).

And if you’re in IT, especially if you’re in cyber, you know that there’s a war going on. An ongoing, ever-escalating (mostly bloodless) war in the digital world between bad guys and those fighting the bad guys professionally. Every time there’s a massive casualty (the latest data breach), it’s in the headlines.

But if this is a worldwide war, and if there are soldiers fighting it, what does that make the vast majority of people who aren’t really fighting on a daily basis, but who might get caught in the crossfire?

That’s where I got the term, which is the title of this posting and my ongoing project.

If this is comparable at all to World War 2, then think about civilians on the home front during that time. They read about the war in the papers, of course. They probably had relatives and friends who put on a uniform. But they had responsibilities as well. Think about all the war bond drives, the scrap metal drives, the ad campaigns like “Loose lips sink ships.” They never picked up a gun, but they still knew enough (and were considered responsible enough) to do their part in the war effort. They didn’t know the ins-and-outs of this or that battle or campaign or supply issue or the benefits of using this battle strategy vs. that strategy (and for good reasons they didn’t want to know), but they knew that there was a war on. In fact, that was literally a slogan: “Don’t you know there’s a war on?”

That’s what I want to see. That’s my vision. It’s a radical one, I know.

You see, (to translate from WW2 to the modern world), I think that non-techies can do a lot to make themselves much more secure as they do their normal business online. And they shouldn’t need the knowledge that would make them qualified to work at a helpdesk to do so. Furthermore, as my personal experience with my (seriously non-techie) wife tells me, as soon as we get into the stuff that you and I care about (e.g. what’s the difference between static and dynamic IPs), their eyes glaze over and they tune us out. But I still have an overriding passion to help keep the most vulnerable people more secure. People like my mom.

So that’s why, around early 2019, I started doing live presentations of what I called “Cybersecurity for Seniors.” I had about 20-30 seniors at my church come and watch and interact as I talked about very basic security concepts that they could easily grasp if they knew enough to do stuff as my mom did. Stuff like: “Why do I need a Password Manager and how to use it?” or “What are some ways to spot a malicious email?” or “Why do I need to keep my Windows machine updated?” They were incredibly popular. Although my mom passed away several years ago, I kept people like her in mind while I was doing this, although my presentations were totally applicable to all non-techies, not just seniors.

And then Covid hit, so of course, my presentations to seniors came to a screeching halt. As an alternative, I started a YouTube channel called “Cybersecurity for Civilians,” or “CSC 101.” I took my presentations and expanded on them. They were no longer even theoretically just for seniors; they were now for “civilians,” people who know the basics of using a computer but not really enough to keep themselves even minimally secure. I kept adding onto them until I now have 30+ videos on my channel,[1] all of them in this vein (although I had to get a little bit into IP addresses when I got into how to harden your router, the technical details were minimal).

Presenting on YouTube wasn’t my ideal choice. I’m fully aware that my target audience (non-techies) is not going to be going to YouTube all that often, and the people who would be more likely to go onto YouTube might know a lot of this stuff anyway. Maybe that’s why I haven’t gotten too many subscribers or views yet. I know it’s not the most polished production out there, so there’s that. And I’m also fully aware that I’m still kind of a beginner in this field. I have a degree in Cyber and about a dozen certs, but not a lot of experience. But I don’t think I need all that much experience to do what I’m doing. I’m not trying to teach a course to fellow professionals. I’m not nearly experienced in that. But with my helpdesk experience, I think I know how to speak with non-techies in a way so they understand what they need to know, and I have the “soft skills” which (quite frankly) a lot of IT professionals–both in and out of cyber–lack.

To be fair, I have seen some of what I’ve been trying to do. Both Mike Meyers (who’s trained thousands of IT pros on how to pass certification tests)[2] and Troy Hunt (a rep for Varonis, a security firm)[3] have put out YT series which are trying to teach the basics to non-techies. I’m sure there are others I just haven’t seen or heard about yet.

But I haven’t seen too many people doing what I want to see. I have a dream of lots more cybersecurity evangelists out there, reaching out to non-techies with the stuff that keeps them more secure without going into the technical details which will quickly lose them. I’m trying to think of better ways to reach them besides YouTube, and I’m certainly open to suggestions 1) on how to do this, and 2) on other resources who are doing anything remotely resembling this work, which I consider to be vital and a real lacuna in our world.

So, where do we go from here? To paraphrase Gandhi, if you’re a cyber professional, or even just in IT, you might want to ask yourself, “How can I be the change I want to see?”

About The Author

Barron “Keith” Bird has been in cybersecurity for about two years, been in IT for almost 10, and considers it a point of pride that he can speak “non-techie.” His passion is to help keep the most vulnerable out there more secure in an increasingly insecure world. He’s currently on the security team for a Texas state agency. 

LinkedIn: https://www.linkedin.com/in/keith-bird/

[1] Playlist: https://www.youtube.com/watch?v=_7AUwgk8LH0&list=PL8If5YQcpuULVra555OmGwl3VOks14-6K

[2] https://www.youtube.com/watch?v=4ngMybl1wzY&list=PLZbV1DvnT4i_h7P7krw6uxiox-vlhDasv&t=0s

[3] https://www.youtube.com/watch?v=bToocxcmyqQ&list=PLYEr6kVanyrPu1qZ5g6iOr0v4ImpOOCSH&t=0s

 
