I get asked so much for this vital information, so here is a basic outline of ways you can help.
Please do encourage them to leave or call law enforcement or a shelter if they feel their life is in danger, or offer them shelter. It is not easy or simple to leave but it helps survivors to know they have options. Often they believe they don’t.
It is important to remember that leaving abuse is a three part stage where deciding to leave and leaving are not separate stages from the preparation stage. Survivors can never really relax for the rest of their lives. They will forever have to look back at their previous life and make sure their tracks are covered.
That sounds dramatic but sadly our lives are hyper-connected and we are tracked by government and stores and banks more than we realise. Because of this, one of the most important ways you can help someone leave is to assist them in removing their data from data broker sites. This needs to be revisited every 3-6 months. Why? Because that market is shady and unethical, and because when the USA government had a shutdown, for example, legal loopholes opened up for data brokers because important legislation was not re-signed or updated. Here is a list of sites that you can use to remove your data. It can take 6 weeks or more and is a long and frustrating process, sadly. The world is set up for convenience, not safety.
Social media: I advise people to lock accounts and ensure they cannot be tagged in images. Facebook and others can often be a lifeline, so it is hard to tell people to delete accounts. It is worth helping them to set up multi-factor authentication, with a YubiKey for example. The use of a password manager is helpful if you forget passwords and also adds an extra layer of security. It has been known for abusers to take over accounts and isolate survivors by posting offensive statements.
I also advise against reward cards or loyalty schemes. The data they collect could be used to track your habits and location.
If they are planning to leave, they should arrange for their mail to be forwarded, if possible, to a safe place. It is well worth contacting customer service and asking for paperless. I say this because I asked for paperless when I set up a bank account, I told customer service that no paper should ever be sent to my address: they agreed, but a compliance issue meant my ex received a detailed bank statement. The account even got transferred to him when I called to report it. So…even the best laid plans can go awry.
My biggest ask right now is that banks and government would offer more financial support to survivors. One of the biggest issues is financial abuse and hardship. Many survivors do not have their own bank accounts or credit history. It can take months to re-build and it affects the ability to rent or to get services like phone or internet provided. I would love for survivors to be offered special credit agreements, help with payment deadlines and solid financial advice. It helps to have a debit and a credit card. Banks like Monzo and Bsocial do offer excellent, secure account options and are easy to set up.
You can lock down your Instagram and only use encrypted communications, but if you can’t find a safe place to live and work or afford food, heat, etc., you are still vulnerable. So we need to look at how we support survivors once they leave and onward. It can be daunting and terrifying to know you will leave abuse but will jump into financial insecurity.
So if you are looking to help, I hope that gives you some basic ideas of how to do so. Thank you, it will mean a huge amount to a survivor to know that you are there for them. And do reach out to the expert organisations- they have trained volunteers and know where local shelters and help will be available. But thank you, it matters and you are helping.
I have noticed that in Infosec there is a very unreflective, inaccessible culture around learning. We have adopted a “try harder” or “DFIU” attitude to people who are attempting new or challenging things. As an educator coming from a high school background, where encouragement and incentive are key, this concerns me. We know that the only way to learn is to ask questions. Yet the sector seems to mock those who do.
It is not a huge leap to extrapolate that the pipeline issue is borne out of these attitudes. People are pretending to know things. They are scared to admit gaps in knowledge. This leads to mistakes. But it also leads to gatekeeping: where mediocre people block those they fear might replace them. Or it means that only those within a closed support network will rise. Safe and protected by friends who advise or cover their errors or enable them to move roles after disasters.
This is counter to everything I do as a teacher. I am expected to encourage my students to overcome challenges. My lessons must be accessible to the needs of over 20 students. I look at the bulky printed material that I see provided at many security trainings and I wonder how much if any of it is differentiated? How much time is given to accessibility for dyslexic or ADHD learners? Can students use sketchnotes? Is the material fun and easy to read? Is it necessary to give students half their adult height in printed material for one five day course?
Even more striking to me is how my pay is performance related not only to their success, but also to my professional development. I am EXPECTED to be reflective in my practice. I do not see much evidence of this in infosec training. There is excellent practice out there, but are people respecting education as a profession? Are they seeking to improve and learn from each other? Are they even required to have qualifications in education or training? How do we ensure that our learning environment conditions students to have positive attitudes?
Above all: what are learners able to demand? Where are the guarantees of quality and excellence that they deserve? Are we valuing education and training and asking questions? Or are courses more use as magic tickets upwards than proof of deeper understanding?
What is reflective practice? Larrivee (2000, p. 293) defines it as follows:
“Unless teachers develop the practice of critical reflection, they stay trapped in unexamined judgments, interpretations, assumptions, and expectations. Approaching teaching as a reflective practitioner involves fusing personal beliefs and values into a professional identity”
I am writing this to emphasize the importance of reflective practice and how we need more of it in infosec training and education. We have two necessary actions: the first is to foster a better culture of learning and questioning. The second is to encourage reflection in those who train and create learning materials.
Finlay (2008) states that reflective practice is
“the bedrock of professional identity”
I believe that this is true. As trainers/educators, we have a responsibility to teach, measure, evaluate and reshape what we do with our students. We cannot simply create a course and then never refine it. We also have to constantly be evaluating our own methods and performance. Atkins and Murphy (1993) broke this into a 3-stage process: discomfort, critical analysis, new perspective. In brief: to become aware of areas that could be improved, to evaluate and research and then to progress with new insight.
One of the easiest ways to do this via “reflection on action” (Schon 1983) is to observe other practitioners at work. It is also useful to invite observation of one’s own teaching. We can become stuck in our ways, uninspired or believing our way is the only way. My PGCE tutor told me that to be a guest in a classroom was a privilege and to use that time respectfully. I have always learned a great deal from observing fellow teachers. I go into their rooms with an open mind and respectful attitude: I am there not to gloat or criticise but to learn. Any feedback we offer each other must be constructive.
The best way to check if you have learned something is to try to explain it to someone else. I do not believe that this means we should assume we are all capable and suited to educating others. You can be an expert in your field but a terrible communicator. Managing a cohort of students of any age is half content, half social work: it is a deeply human role. If you are taught by someone who is unapproachable and cruel, you are likely to repeat that model with anyone you have to later educate.
In brief: there is a reason that teachers study and pass rigorous exams and courses. What I see in infosec is a sector that desperately needs a culture of learning and openness, but can’t get there and it is a time bomb.
If your trainers are not adequately qualified and reflective in their practice, despite any expertise, they will pass on bad culture. There is a huge gap between the necessary secrecy around the ways to “hack a box” on a platform and keeping questions and uncertainties quiet.
Challenge is one thing, it is how we learn and it is necessary.
Shame and fear is another.
You don’t need cheat codes for a box, you can work for that and learn the skills.
You absolutely do need to be able to ask questions during a course and at work.
So I am suggesting that we demand more from our training and workspaces. That we create environments that value neurodiversity. That we value questions and we make people valued for asking them. That we value educators for the skills they bring and we demand those skills, not just accept well paid experts who give lectures. If all our training was effective, we would not have super qualified people making mistakes today.
A really good example of this is the area I work on: consumer advice. There is a dearth of solid advice and for many issues there is simply nothing for non tech sector people to find. The average consumer has NO REAL SOURCE OF EDUCATION. It is noticeable that every time we have a privacy concern with an app or service, or security issue, huge swathes of infosec people make memes and jokes about it. They mock people worrying about simple things, whilst forgetting that it is very challenging to find the information.
I think this is the crux of the issue: people truly fear saying “I don’t know”. My students know that they are fine to say “I am not sure but...” or “I don’t know”. My students in Japan would never answer unless they had the correct answer. Even if they did, often they did not want to “show off”. There are so many things that influence how we see learning and what is acceptable.
We do all need to try harder to ensure we are creating safe and welcoming spaces where people can learn and ask questions. “Noob” is an insult my son yells at his friends while gaming. Why are we hazing people? Learning is a lifelong thing. My performance reviews, to take me to the lofty heights of a 50k salary (which is the price some trainers in infosec get for one week or one talk, fyi) – those reviews are there to remind me I will always have room to improve and things to learn. Because of this self reflection and the collaboration with colleagues, my classrooms are spaces for questions and challenges. No one gets called stupid or told to try harder. Work hard, yes, but hey, use this tool, think of how you solved this… that is how you help people. Not try harder, but have you tried this..? If no one is asking questions, that generally does not mean they all grasped the concept. It probably means that they don’t feel able to ask. Remember that.
It is never too early to plan for the new academic term! As well as getting pens and paper, we need to equip ourselves and our children with the framework and knowledge to be safe online.
Here we have put some links to education providers, safeguarding advice and sources of sound advice.
We counsel against the use of tracking apps such as OurPact. These are essentially stalkerware. We need to create trust and good habits with young people: communication and safe practice are as important with health, for example, as they are with privacy.
Nothing beats communication. Discuss risks with your children as well as appropriate behaviour online.
Microsoft and Google as well as Apple have Family Account options. From here you can set up child accounts. These accounts allow you to control what apps are downloaded, or to manage content preferences. Apple offers the share my location option.
Our basic rule is that when setting up any new account, do not agree to all permissions. The main problematic ones are: location, photos and camera.
These are also easy to check on your device and disable individually, as is shown below. Simply go to Settings and then check what permissions you have given each app.
Communicate with your children about safety. Remind them that what is posted online is there forever. Tell them never to accept invitations from strangers to chat or meet. Ensure that they do not use real names or photos online and never divulge address or personal information. It is worth speaking repeatedly to all adults in their circle about good practice too: I have had my eldest child ask me who a “stranger” was online. It was in fact a family member who messaged them with “now I have your number I can message you always”. We must set an example.
It is entirely possible that if you set screen time blocks, the child may reset the time zone for the device to evade this control. Google Docs offers live collaboration and so on. You can only do so much as they grow and gain independence. Just like health and politeness, online safety is something we have to discuss and set examples for.
I have an internet router from Amplify which allows me to pause internet or set time limits for internet access according to family member. I can also pause the internet on every device on my network if I need to! It is worth considering such options. They are a good way of boosting the parental controls that you have with your family accounts.
The golden rule is to check settings and to update apps regularly. Updates are like vaccines for your devices: they keep things secure. Settings and permissions sometimes change despite what you initially consented to. So make it a habit to check what each app is able to access. And put tape or a webcam cover over your device cameras. This stops anyone being able to access your camera or view you without your consent. I love my webcam cover because when I have conference calls, I don’t risk a video call starting before I have finished my coffee. But especially for young people, it is good practice to do this.
We also suggest you follow this link to check what information the government is storing on your child/ren https://defenddigitalme.com/my-records-my-rights/
This information is regularly distributed to media or corporate entities and it is worth requesting your data be deleted.
In addition, if you are interested in reading further about the security of popular classroom apps, follow this link
It is always worthwhile to consider how much data you allow an app to have and how secure that data is kept, who it may be given to.
Here are some links to useful consumer privacy sources:
I recently wrote some privacy advice for @girlonthenet
It is part of a consumer advice series that we are producing
Hope that some of you may find it useful!
I have created a series of basic level “introduction to security” units. I find that security awareness really lacks the drive for autonomy that we have in other areas. Health education is one. We often have to fight to get appropriate care and be heard by medical practitioners. This is the same in information security where it can be hard to change process or convince managers that change is needed. However, we have a huge focus on health education and autonomy, and food is even labelled accordingly.
Making sound decisions about security and privacy is very different. There is little outreach or education. Valid questions, even when they show significant technical awareness, are often mocked. We have adopted a “try harder” ethic that came from a marketing campaign for a challenging exam. This should not be a general ethos of how we try to educate ourselves or each other. It is incredibly hard and often expensive to find information and product labeling is only just being rolled out.
So I am creating a series of resources, some in collaboration with others who do outreach in this sector. I hope it will be useful and constructive. I have sat with customer-facing or call centre teams and observed how they have scripts and time limits to respond. This simply does not work for security. I have also seen how using terms without explaining them is extremely damaging. People switch off or misinterpret things. If we educate people and involve them, we gain engagement. We need to stop mocking people and speaking of technical or non-tech. All we need is to inspire interest and understanding. I do not care about cars but I understand the basics of car care. The basics only. I drink too much coffee and eat candy but I know to brush my teeth and exercise. No doctor or mechanic expects expertise from me.
So I hope we can create a new paradigm where we educate and inform. I am creating a bronze level security course perhaps, an intro that may spark interest but it should definitely inform people.