SecurityMetrics Podcast

The SecurityMetrics Podcast, hosted by Jen Stone (Principal Security Analyst, QSA, CISSP, CISA), will help you understand current data security and compliance trends. Each episode will feature a different security professional offering tips and security best practices.

All Episodes

SecurityMetrics Podcast

Cybersecurity for Families: A Parent-Child Guide to Online Safety | SecurityMetrics Podcast 104

September 25, 2024 • SecurityMetrics • Season 5 • Episode 16

Download the guide: https://www.cisecurity.org/insights/white-papers/from-both-sides-a-parental-guide-to-protecting-your-childs-online-activity

Are you a parent looking for guidance on how to keep kids safe online? Join us for a candid conversation with Sean Atkinson, CISO at the Center for Internet Security, and his daughter, Emma, as they discuss their journey of creating a guide designed to help families have conversations about online safety.

In this episode, you'll learn:

Why open communication is key: Discover how Sean and Emma fostered an environment of trust and understanding about online safety.
Common online dangers: Understand the risks your child may face, such as sharing personal information, cyberbullying, and meeting strangers online.
Practical tips for parents: Get actionable advice on how to set boundaries, have difficult conversations, and create a safe online space for your child.

Whether you're a new parent or a seasoned digital native, this podcast will help you start conversations and find resources to help you protect your child in the ever-evolving online world.

Request a Quote for a PCI Audit ► https://www.securitymetrics.com/pci-audit

Request a Quote for a Penetration Test ► https://www.securitymetrics.com/penetration-testing

Get the Guide to PCI DSS compliance ► https://www.securitymetrics.com/lp/pci/pci-guide

Get FREE security and compliance training ► https://academy.securitymetrics.com/

Get in touch with SecurityMetrics' Sales Team ► https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

Hello and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited about our topic today because privacy online, especially as parents teaching our children about it, is a very important topic. And sometimes we're not quite sure how to approach it. But I have a father daughter pair to guide us through it.

Will you please introduce yourselves?

Absolutely. I'll go first. My name is Sean Atkinson. I am CSO at the Center for Internet Security. Been in the industry now. Goodness, Jen, it's over 20 years. That went by fast.

I mean. It does, doesn't it?

Oh, it certainly does. It certainly does. A blink of an eye. And, Yeah. So I've been in the industry, you know, 20 years, and it's, we were, you know, as we go into, we'll talk about the guide, but, it was really Emma who was the inspiration for the guide. So let me the Nova to Emma.

I, Emma, I'm 15 and I'm a sophomore. At a small school.

Well, welcome, both of you. Very excited to have you.

Thank you very much.

And people who maybe are not familiar with this, it's a big deal. You should go check it out. Center for Internet security. As an assessor, I'm very familiar with it. We use your products. And services that that you have out there for people all the time. It's a wonderful basically the gold standard for.

We like to think so. We like to think so again.

Absolutely.

Yeah. You know, as a as a nonprofit, we're really trying to establish that confidence in the connected world. You know, that's basically the the mission that we go by. And, you know, the CI controls the benchmarks and all that we do in that space. We want to see us contribute of right, as an element to improve security.

Absolutely.

And this, you know, as we thought about the guy, Jen, and like you mentioned, you know, about privacy and having these conversations, it was it's another one of those elements, right. This is a little bit of a different, take as it were. But hopefully there's as we get into it, there's, you'll see the value.

Yes. And so this guide, I wrote it down from both sides. A parental Guide to protecting your child's online activity. So you mentioned that it was because of Emma. Emma prompted the start of the guide. What gave you the idea? What? Get the idea to do together? I'd love to hear more about that.

No, absolutely. I'll jump in and then, I love Emma. Give her perspective as well. But it was, one day we were talking about, she was asking permission to download an app, and it was a social media app. And I said, now, you know, there's some intelligence out there. And, you know, me being a Cisco. Yeah.

That I'm aware of. I said that that's probably not going to be the best one. And so we started having a conversation about why. And I thought that was reasonable to answer that question, not just to know. It was about opening communication and trying to educate. And this is where, you know, the guide came in and so we had this one conversation.

And then the thought was, well, I bet other parents are having this conversation, and I bet that maybe they're not in positions like I am or aware of certain information. And we then, started strategizing and we built out ten scenarios and then it became 20, and yeah, then ultimately we just started writing. We finished the summer, on the summer vacation.

But anyway, wise from both sides, I think that was an important question.

Yeah. From both sides is definitely important, because it was important to me that he didn't just say no and elaborated on why it was a no, and I felt like it was important that other kids knew why it's important to stay safe online.

Oh, so, so not just, why you're getting told no, but why staying safe online is an important concept in general. Yeah, absolutely. I have to agree with you. I, just a personal aside, one of the things that I also do involves, an aerial competition with children. And so explaining to the, the adults, the coaches and the parents why they should maybe consider using a stage name, why they should, protect how much of the information about their child they put out there when they're very excited about what the child's achieving?

That's a difficult conversation. And finding the right balance is hard. So I think that your guide is going to maybe help guide that conversation a little bit.

Well, we hope so. I mean, ultimately the guide is not supposed to be prescriptive in a lot of cases, right? The way we had written it was there's different contexts. The type of communication that you'll have with children at different ages. So we've reflected that in some of the scenarios. So from both sides and reflected in the guide is we have a scenario of a child in a certain situation.

And then there's advice and then there's parental advice. And then that helps you know navigate these conversations. And it's, you know, ones we've had I'll just tell you scenario ten was the genesis of this. This was the social media app one. So it was, you know, we interjected some of, our conversations, into it as well.

And hopefully it brings to light just, an approach. And I think it is so much about communication. But, you know, one of the things, Jen, that we've, we've done, reflectively, this is between, me and Emma over time is at different ages. There's different conversations, right. You know, as you know, from, younger when they first get a device and, you know, you kind of, when you see ten or younger getting devices and it's okay.

What controls are in play. I'm not just provided the device and away we go. And then it's, you know, there's certain dangers in that space. There's a responsibility, Gen. Right. In that area.

Absolutely. So the guide lists 20 topics and it is company like you said by example scenarios, advice to the child, potential consequences of the scenario if the advice isn't followed and advice to parents. So how did you decide on this approach to talking about online security?

What. Go ahead. Why why did we structure it that way?

Well, we structured it that way. So people had a reference point of where like conversation starters with their child to see how to navigate difficult conversations about cyber security.

Absolutely. Yeah. We did it that way. Jen. To Emma's point, because there's certain topics that are they're tricky, right? The inappropriate content one is, is a huge one.

That is a hard one for very, very difficult kids. And then you get it together and you have to have this very uncomfortable conversation. Yeah. It's nice to have a guide for.

It's nice to have the guidance. And I think it's also nice that, the way we try to present it is, that it's, you know, in a lot of cases of shared experience because in some cases, gen, you know, that the phone is kind of this watershed moment. It's one of the things I reflect is it's kind of like the decision, the discussion.

Sorry. On the birds and the bees, in a lot of cases because ultimately, you know, unfettered access to the internet is has consequences. And we need to one educate the parents at the same time as we're also educating, children.

Right. So I'd like to share a few of the topics that you cover so that listeners can kind of get a feel for the and information that we're talking about. And I want to start with the first topic, dangers of sharing personal information online. Why did you feel it was important to for this one to be number one?

We felt like it was important for that one to be the first one, because it's almost like you'd think it was almost obvious. Like I hear some people say like, oh, I'd never give my information that, out on the internet. But there social engineering tactics that people can use that definitely gain you trust and make you give that information away without you necessarily knowing that.

Yeah.

Hugely important. I mean, that's one of the fears in a lot of cases. Gen. Right, that there's who is behind the other screen. And it's a very, very tricky landscape. And it was one of the awareness elements that I first started talking to more about and why we said, look, if we're going to say anything, just one thing out of this, this is the immediate need that we want to see, because ultimately it's about protection and it's about awareness.

And you know that the tactics that you mentioned, and we went over this, Jen and I was, you know, it's you don't want to go into too much of the fiction, right? You know that, like, we're going through scenarios and movies and things of that nature, but it's not far away from the fact that there are persons that over time will gain that trust.

And a little bit of information I give here, oh, I didn't give all of my information. I just told them the town I lived in. Yeah. And then the, you know, 3 or 4 conversations. Well, then I told them the street, oh where I'm near in terms of a geographic location and that's built up over time. And that's the techniques that, you know, we referenced, right.

As part of what we had discussed.

And I'm glad that you mentioned fishing, because some of these fishing techniques, people use, and I'm sure you've seen it, are so, you don't even realize somebody is trying to get you to give them something like, you know, the, the this or that quizzes where there's a list on one side of a preference and a list on another, like cats versus dogs.

And they go through and circle them right. Well, you can get a lot of information about a person from that, you know, and and the more that they do, the more you can find out what their dog's name is and their mother's maiden name. And what is their favorite color. And all of these kind of security questions that we use to protect things.

And you think you're just fooling around with your friends, right.

And so one of the areas that we also mentioned, Jen, that I think is important in that spaces, you know, sometimes there's enticements to fill out those quizzes and give that type of information. And it ultimately is said if it's too good to be true, you know, let's start thinking a little bit of strictly and trying to think in that way.

But that's honestly Jen, that's quite mature thinking. And you know, when you're putting eight, nine, ten year olds with that type of device and trying to make those types of decisions, you know, again, Ms. 15, I have no idea how that I mean, it's just gone by in a flash, right? You want them to remain kids forever.

But you know, the adage of, children are maturing way faster than we ever were with these. This type of technology is, I think in some cases, you know, obviously, I'm a technologist. I love the technology, but it's it's a shame that that innocence necessarily can be lost if we're not utilizing the technology judiciously and then also providing, necessarily, oversight and assistance in these spaces.

So let's look at some of the advice that you actually give to parents, starting with sticking with that first topic, the cert scenarios written in a way that both parents and, and children can understand and recognize what's happening there. And then you cover some of the advice that you give, maybe dive into that.

Sure. Yeah. From the parent piece, it's, you know, it kind of seems simple, but we, you know, we wanted to outline it. This open dialog. But I think it's so important that children feel like they can bring certain situations and certain issues to bear, as it were, and in some cases, right. There's, you know, we've seen with friends and others that there's kind of a closing off, that there's an embarrassment element.

There's an oh, you know, I think I did something wrong. I'm going to see if it just goes away and I'm not going to say anything. And it's trying to create that open dialog and one of the elements, obviously is educating on risks. It's going through these scenarios. What are the consequences, Jen, when we share this information and you know, some of the other scenarios that we've put in here.

And one of the things we've warned about is this it has a consequence, not just today but in the future, right, that the internet has persistence and we've got to be very, very careful about what we're doing. And, you know, we hit some of those elements as well just to look at what, what we should be doing with this responsibility.

Right. And I do feel that it's on both sides. That's why literally, it's named from both sides is that we've there's all accountability across the board. Right. Just the unboxing and unsealing and charging of a device and handing it off, literally starts us on the journey of, of these, advice, you know, so the online interactions, what can we do to supervise in that space?

The other thing I realize, Jen, is, you know, is, writing this through and we, you know, we've we've jokingly talked about that Emma is going to write a guide to help grandparents because she's, you know, she has technical expertise to help, my parents, my wife's parents in the space. And it's I think there's something in that, too, that we could, go down that path.

I would see a guide for grandparents because the targeting of our older population in some of these phishing traps, they don't. That's not the world they came from. They don't expect that there's people out there that are maliciously going to try and and get their last dime from them.

Absolutely. I mean, you see it all the time, and it's so unfortunate because it it's you know, in a lot of cases, it's done from such a good place that they're trying to, you know, they get, your, your child or someone you know, from Facebook's, well, your Facebook profile. This person needs money. They're in a, in a foreign country, they're traveling.

You need to wire the money and you know, they don't verify. They react. Right. Because it's an emergency. Yeah. And it's so hard to see that this is this continues. And the problem is, Jen, without the education, it's going to continue because it's profitable from that perspective, right, from the attacker, from this mindset. And it's, the it's where we, we thought there's there's, a case to be made in that area to provide, grandparents, and, senior citizens, access to information like this and guidance.

Right. The next topic, I have a question that's more for Emma. Because it it talks about restricting access online. And I just wanted to ask you, do you have restrictions in your online access? Was that kind of, how did that feel to be told? You cannot you are not permitted to access certain.

Well, I guess I have to sort of think of it as less of a punishment and more of like we're trying to keep you safe, sort of a thing. And like I do have like a private private accounts on all the social media I have. And I'm just come from a perspective, like trying to understand that it's less.

Yeah, I can see how if you get these things restricted without the conversation, it would completely feel like you were being punished. It would completely feel like nobody understands you and wants to listen to you. And, I was 15 a very long time ago, but I still remember how it felt when I got told no, when I felt like I could make my own decisions.

How did these how do you think your father was able to create the right feeling between the two of you? That he could have these conversations?

Well, he definitely like, as a cybersecurity professional, like definitely had a, like a conversation with me and was definitely open to me, like bringing a point home of like, why? Maybe I shouldn't have those restrictions. But he definitely, like, reasoned with me and we came to a conclusion about it.

I think that that, is going to be really critical for a lot of parents is being willing to listen, patient and hear your side on.

Absolutely.

Sean, from your perspective, some of these were adult topics that you had to have with your child.

Yeah.

How how do you start down that path of of dealing with some really uncomfortable and unsavory topics in order to protect your child?

Yeah. You know, one of the things that is a technique that I had used and we go through it in terms of some of the parental advice is, scenario analysis is what I really call it, but it's laying out a story in a lot of cases. And, you know, we can see why, you know, in the scenarios we've used different names, representative Lee, in order and different ages, because I do think there is, certain requirements at certain ages where we, you know, try to reveal information, such as what we're describing here.

Some of the harder ones, though, Jen was honestly, just being frank, just being open, sitting down. I just want to have a conversation with you about these things. You know, these are some of the elements that we see online. There are persons that will look to, befriend you and they will look to get your information.

And potentially they would want to meet you in person and their intentions, while it may seem very good, to for their benefit only and it's a detriment to you, it's, it's really a risk to you, your well-being and trying to, you know, gently go through that path. This is not just a a no. And it's because someone's going to, you know, kidnap you, right?

That that's a little bit too rough, I feel. But again, that's contextual. That's that's a way I communicate with Emma. And again, this is why the guide is not prescriptive. It's more about the communication and the relationship that you have in the space with your child, the way you communicate. You know, we have to contextualize it. Why?

We're not prescriptive in terms of the advice that we're giving, is that it helps you structure an approach. And in some cases, you know, we've seen, elements in the space of where it may just be, we're going to have to have a frank conversation, right. The, and again, I'll use this term, the scared straight, as it were, in terms of we need to cut this activity out because it leads to these consequences, or it's more of, you know, going through the scenario and, exemplifying things that you see on TV as well.

Now, ultimately, Jen, one of the things that I've also seen is, let's say we're watching the news and a new story comes up where there's, you know, a threat to a child or, we've seen, you know, criminal activity in the space, trying to abstract that story and apply it to certain scenarios for protection. In this case, that's going to help now, create a narrative.

And I really, you know, try and stress this open communication because it's I want one of my big things is I want questions I don't want it to be oh okay, dad thanks. And it's questioning to understand. Right. It's not just the, what I'll call that the, the shoulder shrug and wall to walk away. And we're not really necessarily learn anything.

And that's why it's a dialog. It's not just dictation of these rules, is that we want to get into an approach where we can have, a frank conversation, and I think ultimately we have to, also understand that in these scenarios, it's I think a lot of cases, it's hard for the parents to hear as well, especially when we get into the cyberbullying piece.

One, we want to protect our children, but two, if they're the antagonist, we've got to have some conversations about this, right? Because we may hear this from school, we may hear this from other parents. And we've got to, you know, follow the rules, as it were, of what I'll call good data citizenship. Or digital citizenship. Sorry.

Yeah. That allows us then to be, you know, utilizing these tools. One, you want the creativity, right? You know, I think back to when I was a child, Jen, a long time ago when I was 15 as well, is I can't imagine having this vast wealth of knowledge, creativity at my fingertips today. I, you know, I say, you kids are so lucky to have this.

But with that, you know, access comes this again, this element of responsibility. And it has to be seen from both sides.

I think in a lot of ways, some of us, we didn't have the internet when I was a kid. We we I was 15 when we got, our first computer was an apple to Eve, and it was the first one in our entire town. So looking at the access to information that you, Emma, you and your peers have, it's so much vaster than what we had.

And in some ways, we can't comprehend the some of the stressors on you as a result of that. And so I think listening and and trying to comprehend what you're dealing with is, it creates a two way street on this conversation.

Oh, it certainly does. Right. I mean, that's we have to have that conversation talk about where we what we talked about not having fear, necessarily creating fear of devices, but responsibility.

Yeah, definitely leaning away from like talking about it and like trying to have like scare tactics almost and like saying, well, this situation can happen, but here's how to prevent it and here's how to be responsible and trustworthy with a device.

Yeah, I like that approach because if you have knowledge about something, you can make better decisions.

Yes.

So do you have a favorite topic in the guide, something that each of you, that you really enjoyed working out and figuring out how to explain to others?

Yeah, mine was well, mine was number ten because that was the originator. That, really helped, kind of set the tone, as it were, for what we were trying to do with the guide. And it was the first thing we talked about. And so ten always has kind of a place because we took, Emma and we changed the scenario to Ella, that we changed the M's to L's.

And so it was just kind of our thing that we had with, with them. What was yours?

Yeah, I definitely have to say number ten as well, because I feel like I apply that most, in my, like, digital life, I guess, like the think before you post like definitely is a thing that I go through.

Yeah. That's something that, adults I think would benefit from more as well.

Absolutely right.

Absolutely right. Taking taking.

Take that email back and I wish I could.

Think about it. Okay. So I think we've we've talked about that. Why why you create it and then how to approach the difficult topics. Are there any last pieces of advice that you would like to offer? And along these, these lines?

Yeah, for me, it's okay if I go for sure. I got wonderful. So, one of the things for me is, 14 hits home because that's one of the what I'm going to call Jen, that one of the nightmare scenarios, one of the things that scares me, and that's the risk of meeting strangers online, kind of putting that out there, as you know.

And again, just for parents, as you're reading through, you know, some of the scenarios, there's going to be things that hit home that are going to be. Yeah. For, for, my particular child, this particular context, my own fears and issues with, you know, online, utility generation, content management, things of that nature. It is, these are going to be, some important elements.

But also.

And was one of the things we had also discussed was the, this is going to be 15. And so that's, rules on the online gaming and chat room because I think it's very difficult, gen, for, a child. And this is why I, you know, we mentioned that the scare tactics, because if a child's not going to be able to utilize or have fear of utilizing an electronic device, I mean, it's, I mean, it's the ability in this day and age, right?

I mean, school, everything that's, you know, your kind of your social life is all fixated around devices. And so we wanted to set those rules, but.

And. Yeah. And so adding to my dad's point, he said yesterday that the internet is written in ink rather than pencil. So which I thought, really.

That's a great of very that's. Yeah, I think I.

Spotted it from.

Social.

Network, but.

Once it's there it is there. Yes. Emma.

Yes it is.

If you could give your peers friends at school. Whatever. A piece of advice. What would the number one topic be that you'd like to them to know?

I definitely think, speaking with strangers online is something that I've seen all too often. Really? Which I think they should be mindful of that, that like not, they don't necessarily look like they have their avatar or like they aren't necessarily who they claim to be. So that's definitely something I need my people of my age to know.

That's a great comment. Well, this has been a really great conversation, I appreciate it. We'll make sure that we put links to the guide in, in the notes for the, the podcast, and I hope to talk to you again in the future.

Absolutely. Yeah. An absolute pleasure. Thank you so much for the opportunity.

Yeah. Thank you so.

Much. Thank you.

Thanks for watching. To watch more episodes of Security Metrics Podcast, click on the box on the left. If you prefer to listen to this podcast. It's available on all your favorite podcast platforms. See you on the slopes.