k12 cybersecurity

In this episode, we discuss cybersafety for schools, educators, and parents with our guest Parry Aftab, and what can be done to get better at this when working in K12 and with children.

Podcast Transcription:

[00:00:32] Ryan Cloutier: Well, welcome back everyone to the latest episode of the K12 cybersecurity podcast. I’m your host, Ryan Cloutier. Today’s date is April 8th, 2020. I’m super excited for this episode. A very good friend of mine and a very, very smart and passionate person is going to be our guest today. Our next guest is an internet privacy and security lawyer. She’s been practicing internet law starting 26 years ago and is credited with being the founder of cyber law 25 years ago, she created the world’s first cyber safety and help group eventually known as WiredSafety. After 25 years, that charity is being retired and a new one has been formed in its place to help keep all children safe, private, secure and well and healthy online. The new website soon to be launched is cyber safety dot org and it is dedicated to children and child related stakeholders. The cyber safety group is developing the cyber safety standards for the digital ecosystem, offering its cyber safety seal program of audited standards of compliance. Her cyber wellbeing programs and cyber wellness dot com are devoted to the wellness issues impacted by and related to digital engagement. Please join me in welcoming Parry Aftab to the podcast. Welcome, Parry.

[00:01:51] Parry Aftab: Well, thank you so much, Ryan and never sounded as good as it did when when you described it, I’m like, well I want to meet me now.

[00:02:01] Ryan Cloutier: Well I just I can’t express enough how much I appreciate working with you over the last couple of years on a topic that we really both share a deep passion for and that’s protecting our youth and and our vulnerable populations. You know, we race to adopt all this technology and um these days, especially these last couple of months, we’re learning that, you know, not all that technology is as safe as we thought it was and a lot of us are finding that we’re not even really sure how to use that technology safely. And so it’s it’s just great to have you as another ally in the fight and I just I appreciate so much uh for you taking time to be with us and and talk today. So I do have Ryan, you

[00:02:41] Parry Aftab: know, I’d love the fact that you could take the hard tech and make it look and sound easy. So those of us who aren’t techies just play one on TV uh can figure out how to make our routers work and the settings and all of the things that we didn’t know were in the boxes that we bought and stuck in our shelves.

[00:03:01] Ryan Cloutier: Well, I thank you for that, that’s something that uh you know, we at SecurityStudio and myself specifically have been working really hard to do is simplify, you know, one of the things we have come to understand over the last decades of doing this work is uh complexity is the enemy of cybersecurity. And so simplicity is is really the only way we see a path through to really being safe online is is we’ve got to start to simplify some of this. Um but before we kind of unpack all that, I do have a few questions for you that I want to touch on um for for myself and for the audience, you know, how do you describe and what’s the definition you would use for cyber safety and wellness.

[00:03:43] Parry Aftab: Okay, well cyber safety I called, I really mean as the human aspect of digital technology. So a lot of people who build and design technology do it because it’s cool and it’s flashy and it looks great, but they’re not thinking about how it’s going to impact the people who use it. So cyber safety includes as I define it, uh the cybersecurity, making sure that people can’t get to our kids and our kids can’t get to people they shouldn’t. Um it includes their digital life skills, understanding what to use and how to use it, how to come up with a password that’s easy to remember, but hard to guess understanding what’s right and what’s wrong online. Um making sure that they are safe from each other and cyber bullying and from older kids and adults on child sexual exploitation. It’s making sure that they are safe in the virtual and offline world impacted by the digital. There are two other terms. One is cyber wellbeing, cyber wellbeing is looking at how balanced our children’s digital and real life are, although digital’s included in real life these days. But it’s looking at them saying, are they too much screen time? Is it affecting? Um, how they think about things? Are they too easily radicalized by people who are lying to them and fake news and all of the things that are out there? Are they falling into the wrong groups online in the same way that we might worry about them falling into those groups offline and cyber wellness is designed for medical professionals. It’s teaching them how digital is impacting the physical and mental health of their patients and things like if you have, if you’re an oncologist and you have women with breast cancer, letting them know where the safe chat rooms might be where they can talk to each other without getting trolled, understanding cyber harassment, understanding digital addiction, understanding uh, self harm that’s coming from this. 
So the real medical and mental health um, aspects that are impacted by digital. Um, and it’s a huge issue and they don’t know, they think that they tell everyone to stay safe, but they don’t realize that this is a medical, physical and emotional problem.

[00:06:15] Ryan Cloutier: Well, it’s interesting you bring up that point around the physical and and health aspect. I can tell you the last few weeks I’ve been on my phone a lot more and I used to think I was on my phone a lot and actually it was brought to my attention by my my wife who said, hey you gotta put it down, like you’re just, there’s too much, you’re on the phone too much and and it’s you know, in part because of the current situation, you know, we’re here in Minnesota where to stay at home, order. Most of us now in the country are on some kind of restriction or stay at home. And so a lot of the activities that we used to do, we just can’t right now. And so we’re filling that gap with the phone. But I can tell you that when I stopped being on it as much, just even a few days ago I noticed an increase in, in my positive mood, I noticed a decrease in my stress level. Um And while I’m not a doctor and that’s not an official study uh anecdotally in my own life, I’ve definitely noticed the impact. Uh My wife has a phrase for it, she calls it the dopamine machine um and she’s she’s not wrong. Um And that that’s you know, another topic we’ll unpack another day. But I think, you know, it’s it’s just awesome that you know, as you approach this, you’re thinking about it holistically that, you know, digital is part of the physical now and we’ve entered this new era. Um, we were far ahead of entering that era, you know, before kind of the COVID issue happened and now that COVID happened, we’ve, we’ve just gone full, full bore off the cliff with it. So it’s going to be really important in the next coming weeks and months that we identify this stuff and kind of go back and hopefully undo maybe some of the damage if we can. And

[00:08:03] Parry Aftab: I think there’s a lot of that Ryan, I think that we need to undo the damage. I mean talking to teachers who are teaching in virtual classrooms and the blue light is affecting their vision. Um, and I’m usually on the phone all the time. I’m always digitally connected. Um, even if I run to the bathroom, you know, I’ll get 1000 emails or messages a day, even I run to the bathroom, my cell phone goes with me so I can check my LinkedIn messages or um, any of the feeds that I’m involved in or clients who need me or kids who need me. And the fact that we feel as though we can’t disconnect is a problem. I was talking to a life coach who did a LinkedIn Live with me last week as part of the, Your Family at Home series and she said every hour, take two minutes and breathe, just breathe, put the technology down, you know, giggle um, find a funny cat video something. And all of us are living in hyper stressed mode. We’re trying to feed our family, we’re trying to parent our kids and teach them at the same time and we’re worried about doing work from home or finding work from home. We don’t know what after is going to look like, but I can assure you it’s going to be very different than before. I

[00:09:23] Ryan Cloutier: completely agree. And you know, one of the things we’re doing to try to prepare for that, we’re actually working on some things right now for some of the industries that have been impacted so that when they start to come back online, we’re not playing catch up from that day, we’re actually putting together things that are going to be ready to go the day they need it. So I think that’s, that’s really an important piece to understand, is there’s so much work yet to be done.

[00:09:51] Parry Aftab: Uh and the good thing is we’ve got, we’re home. Um, so it may be harder and a lot of stress and we may be working with our six year old on doing their homework assignments, but we’re home and we have time to look at the priorities and figure out what’s next and pivot. Um, and I think that it’s a good time for us to pivot within our priorities

[00:10:14] Ryan Cloutier: well and speaking of priorities, you know, we’ve, we’ve seen a lot of media attention the last few weeks given to some of the remote school solutions that are out there. And um you know, the question I have is in your opinion, what can companies do better to help protect our children and our vulnerable citizens? I feel so deeply that they they have a responsibility uh to not just their consumer, but society as a whole. And so when I see a lot of these tech companies giving big dollar amounts to to fight COVID or to offset the economic burden, I’m not hearing as much about the steps they’re taking to really ensure that they are doing all they can to protect that data to protect those webcams to truly provide high quality levels of security and protection to our children and vulnerable citizens. So in your opinion, what do you what do you think they could be doing better

[00:11:14] Parry Aftab: Everything. Um so none of us can argue that the masks and the gloves and the ventilators are the priority. We’re talking about lives here. Um and medical professionals who are putting their lives on the line need these things. So I understand why all of the companies are trying to provide these things, but the only one I’ve heard that’s talking about anything in this space is Brad Smith from Microsoft and he’s talking about their Airband which provides access in rural areas where there’s no connectivity and I have a house in Prince Edward Island, Canada, my husband’s Canadian and it’s on the beach and um you know unless you can put your cell phone on the back of one of the eagles, you’re not going to get reception. And there are large areas in the United States where there is no access because it’s too rural so they’re putting money into that to help the kids who are being schooled at home. But the providers a a lot of these tools are not interoperable. So the schools haven’t thought about it in most cases the very expensive private schools have but most of them haven’t and you can’t just adopt the distance learning programs that higher ed’s using because with K-12 you need socialization. The only way these kids are going to get through this in one piece is if they can talk to their friends and their classmates so that they are not so isolated, it’s not the best way I want them to socialize but we have to build socialization within it. Um and there are very complex laws that address what can be shared by students, what schools can do consent. Schools can give in lieu of the parent. So a law in the United States called COPPA, the Children’s Online Privacy Protection Act that I helped write 20 years ago um says that you need consent from parents for certain uses of data collection of data which includes even nice use of pictures that the kids are giving you um and there’s an exemption for schools. 
So a lot of the providers are tricking teachers into giving consent so they won’t have to get consent from the parents. So a lot of teachers are adopting apps and games and interactive digital tools in their classrooms without asking anybody, their CTOs of their network security or their principals and the net the apps, games and and offerings now can escape the scrutiny that the law would have given them. So they need to be safe. If you’re you’ve got a virtual classroom setup, you want to make sure that you are gatekeeping. So only the people who should be in are in and if somebody gets in who shouldn’t be there, that you could get them out, you want to make sure that any pictures or videos the kids are sharing in these classes can’t be shared outside of the classes and that there are controls in place. Do you want to make sure that children who have special needs or children who are complex and they’re under in their learning skills or the kids who don’t speak English as a primary language or don’t have the digital life skills that they are getting the support they need. And if guidance counselors and mental health professionals are working with kids that that is the most secure of all settings and no one’s going to take those conversations and do a transcript and sell it to advertisers. So we have to look at everything. Is it safe? Is it secure? Is it uh compliant with the laws? Is it private? And last does it provide for the well being of all of the stakeholders from teachers to the students to the teachers’ aides. So we have to look at this with all of us in the room, you know, Ryan, I’ve come to you over the years for answers because you’re practical and you see it, you’re a parent and you you care and that allows you to see more deeply than some people who have the same certifications you do, but not the same heart. 
So we’re pulling together people with heart who know it or practical on the ground, know how it works and they’re experts at the same time saying who what do you think we need to have there and that will be a seal and certification program and hopefully launched within the next six weeks.

[00:15:52] Ryan Cloutier: That’s awesome. You know, as I was thinking about that question when I wrote it um one dream if you will that I’ve always had is that there’s somebody mandate that all end user license agreements are wrote in plain English

[00:16:09] Parry Aftab: and

[00:16:11] Ryan Cloutier: you know, there can be the legalese and I respect and appreciate the legal profession and why

[00:16:18] Parry Aftab: it’s okay you don’t have to be nice to because I’m a lawyer whenever lawyers have

[00:16:22] Ryan Cloutier: their place. Right, But and I appreciate that. But what what I’d love to see is the top 10 this, you know, kind of kind of similar to what GDPR made folks do for data collection disclosure right? In really common, easy to understand human speak. What are you doing with this? Who are you involved with? When are you going to notify me when you have a problem? Because let’s just be real. Every vendor in the world at some point will have a security issue, every human in the world if they continue to use the internet and computers will have some kind of security issue they have to address. And so I’m very interested in as that develops as that certification develops. Um really kind of maybe nudging them to say we need a common speak version of your privacy policy, feel free to keep your legalese but then we need a second one that that’s actually understood,

[00:17:16] Parry Aftab: you know, Ryan years ago I’ve been in this field for 26 years and many, many years ago we tried to design what we called a short form privacy policy that would give you the big four, you know, this is who we are, this is what we collect this is who will share it with this is what you can do about it, you know, sort of four points with seals that would have different colors so that kids would know if it’s an okay site because it had the right things on these and they failed and they failed because users didn’t demand better. Um, so I’d be on Good Morning America, the Today show or whatever and I would say we need to do this and the Facebooks and Googles and others on the, you know, of the world would say Parry is making a lot of noise, Let’s look and see what’s going to happen. And none of the users would rise up. They were saying, oh, it’s terrible. We don’t understand what it is. I’ll click accept anyway. And if it includes the, you know, their firstborn child, they won’t know it until somebody comes for the kids. And so we haven’t been able to get people to demand better and short and to look anyway. Um, so that’s something that we really need to emphasize and maybe the kids are the ones who do that for the family in the same way they got us to stop smoking and wear seatbelts.

[00:18:36] Ryan Cloutier: Yeah, and I think you’re right and that actually touches on a key part of my passion and why I do what I do and take time to, to try to simplify and break down and make this stuff as easy as I can possibly make it is because I’m of the opinion, most people don’t understand their risk and if they truly understood the risk that, that they were putting their family at, they wouldn’t do it. But let’s be honest, I mean you go online and try to learn anything about cybersecurity and A, you’re going to fall asleep or B you’re going to be so lost in technical mumbo jumbo and acronyms that you know, I don’t know heads or tails sometimes when I read some of these documents and, and you know, I work in this business and I’m telling you some people just don’t know how to clearly communicate. So I love that. I think that’s something, you know, I’m excited to continue to help to, to promote that and work with you to try to create that, how to guide, which actually kind of segues me to my next question here, what are the top five things that every parent guardian or caregiver should know about digital safety, about private actions, they can take at home

[00:19:49] Parry Aftab: um in connection with the kids in

[00:19:52] Ryan Cloutier: connection with the kids.

[00:19:53] Parry Aftab: Okay. So the first thing is you are the parent. So I start all of my events and conferences with this, I make the parents put their hand in the air and say I am the parent because I said so as long as you live under my roof, all of the things that we used to hear from our parents and somehow parents have abdicated parenting because kids understand more about the technology, we forget that they don’t know what they need to know about life. So remember that you are in charge. You are the one buying the devices, you are the ones paying for data, you’re the one whose house is used for the power, you make decisions. That’s number one. Number two fake it. There are going to be a lot of things are going to happen to your kids. You’re going to get a phone call from somebody telling you that your child took their clothes off and sent the pictures to everybody in their class or that your child posed to someone else um and told them to kill themselves or that you’re going to access what your 12-year-old son has been accessing and it’s porn that you can’t imagine existed. There are things that are going to go wrong in the same way that they went wrong when we were growing up offline. Um and so what you need to do is look like, you know what you’re talking about, make your child feel safe and just say, okay let’s look at this and then go into the bathroom, take a washcloth, shove in your mouth and scream bloody murder but fake it. Our parents faked it. We fake it. Then you can reach out to me, they can reach out to you. They can go to our website and figure out what to do. But they’ve got to make it look like they’re in control. They’re in charge and the children are safe under their watch. The next is we need to recognize that it’s not the filters that you can put on the technology. It’s the filters we can put between our kids ears that matter. 
We need to teach them about good judgment how to be good people to recognize that the internet is no different from life and the golden rule applies online in the same way it does offline and what they post online stays online forever. None of those are tech, those are just parenting, it’s communication. We need to recognize that as our children earn our trust that we can lift the the gate and let them get a little bit more. So they now want a new Xbox device, they want a new cell phone, they want a new whatever comes out say to them before I can get that to you. I want to know what you know about the risks of this technology and how you’re going to avoid them. And we call those CSI, cyber safety investigations and when I train kids at the age of six we get them involved in that. They look for a contact risks, They look for content risks, they look for commercialization risk. People trying to sell things to your kids and they look at cost, will it break, will you get sued? Will you go to jail? Um and the kids then look at it and they say mom these are the risks I’ve noticed and I won’t do this and you can add this and you can take my phone from me 6:00 at night so I won’t use it at night and if they can show to you that they understand the risks and they’ve got thinking on the solutions then you’re parenting together and they’re making good choices. So that’s the fourth still not very techy. Um, and the last is techie, the last is don’t put a device in your kid’s hand unless they’re ready for, unless you work and you’re never home and other people are getting your kids in a normal life, a normal world from and to school or to and from sports or wherever they’re going. Your child doesn’t need a phone if you need to reach your kids during school, you call the the school principal’s office the way all of our parents did. Um, but if your kids are somewhere alone and somebody may not show up to pick them up, that’s a good reason for a cell phone. 
But think long and hard before you put technology into your child’s hands, turn around and say why is it needed? Because there are a lot of non tech solutions to the reasons the kids tell you they need it and unless they need it, you don’t put it into their hands. Um, so slight tech on that one. But really all of them are just judgment and values and setting rules and forcing the rules and changing the rules as kids earn more respect, more trust and more access.

[00:24:47] Ryan Cloutier: That’s fantastic and I love how you started with parenting. Um I’m not in a position to tell other people what to do when it comes to parenting, but I can tell you what I did and I took the approach that the cell phone was as dangerous as a power tool. And so until my son was of an age that I’d be comfortable letting them operate a skill saw I wasn’t going to let them operate a smartphone. Um And the other thing is, is, you know, thankfully at least for the time being in the United States of America if your child under the age of 18, in most cases you have the right to inspect that device, you have the right to put parental monitoring software on that device. And so that was another step that we took. We didn’t actually have to do it. It’s

[00:25:33] Parry Aftab: not actually age, it’s who owns the technology. Ah, so in the same way that if you work for somebody and they give you a computer, they can do all these things. It has to do with who owns the technology. And it gets a little tricky but I’ve never found a prosecutor willing to prosecute a parent for putting monitoring software, surveillance software on their kids’ cell phones or computers, especially if the kids are at risk.

[00:25:58] Ryan Cloutier: Yeah. And we in our house we didn’t treat it as spying. That’s that’s not what it was. Believe you me, I did not want to see half the text messages. Not because they were inappropriate, just because boring teenage talk, right? But um, having that additional measure my son knowing I could check at any time, just drove him to have better behaviors and now he’s 21 so I’m not going to go ahead and say he’s grown yet. He’s still got some growing left to do, but he is one of the greatest advocates now to his peer group about, whoa, hey, that’s a free app. What are you consenting to, right? This was something I ingrained in him early and now his social media profiles are pretty mild. Um, he better. In fact, he just had a party the other day or a couple weeks back now when we could still do that. Um, and he had, he had said to this guy that was like taking pictures and tweeting, he goes, hey, wait, don’t do that. You don’t have consent of the people in this private setting to be putting that out to a public forum and the guys and the guy’s like, you know who the hell do you think you are? And he’s like, well, I’m the son of this guy that does the cyber stuff that’s going to lose his mind if he finds out this happened

[00:27:12] Parry Aftab: and can throw you off the internet, but we won’t talk about, well,

[00:27:16] Ryan Cloutier: you know, we just, I try to be really nice. Um, no, this has just been so fantastic. Parry and I would love to do another session with you soon. I do want to respect the time of our guests. Um so we are getting close to the time here but um you guys can find Parry on Twitter @ParryAftab. You can find her on Facebook and you can find her on LinkedIn. Thank you again so much for joining us. Um This has just been great and I’m just so excited for what we’re gonna be doing together in the next coming weeks and months to to really help these kids and these families get better at this stuff, I I believe that we can get better at it, but it’s going to take people like us to to do the hard work to make it simple.

[00:28:17] Parry Aftab: I agree, and Ryan, I couldn’t do this without you and I really do appreciate it. Uh you know, we’re all in this together and parents need to know that they can demand better. Um and teachers need to know that, you know, we’ll help you through this and we’ll help everybody. Our new site is going to be your family at home dot org and GoDaddy’s busy building it to teach us all how to survive and thrive during these difficult times and after, so thank you so much. Right, I appreciate it.

[00:28:47] Ryan Cloutier: You’re so welcome. Well, thanks everyone for listening. You can find us on Twitter at, at studio security, uh, and you can find me on Twitter @CloutierSec. Everyone have a great rest of the day, looking forward to talking to you again soon.