The Security Collective

View Original

88. The 3 R's of Cyber Safety with Susan McLean

See this content in the original post

This is the episode to share with your colleagues, friends and family as Claire talks to Susan McLean, Australia’s leading expert in the area of cyber safety.

 Susan is Australia’s leading expert in the area of cyber safety and was a member of Victoria Police for 27 years. She was the first Victoria Police officer appointed to a position involving cybersafety and young people where she established and managed the Victoria Police Cybersafety Project. She has completed advanced training in the US and has qualifications also from the US and UK. Susan has also been awarded The National Medal, the Victoria Police Service Medal - 2nd Clasp, and the National Police Medal.

Susan presents to over 250,000 students each year as well as tens of thousands of parents and educators both within Australia and Internationally and is the most highly qualified of all Office of the eSafety Commissioner, Trusted Education Providers.

Susan is a published author with her book Sexts Texts and Selfies, acknowledged as the definitive guide to online safety. She collaborates with a variety of international bodies and is a member of The National Centre Against Bullying (NCAB). Susan has developed comprehensive Policy for a range of organisations and also authored resources for the Victorian Education Department. She is the commentator of choice for both Australian and International media where she is known for her clear and balanced comments.

Links:

Cyber Safety Solutions

Susan Twitter

Susan LinkedIn

The Cyber Cop


Transcript

Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's episode continues the security behaviour change theme of this season. I've been looking forward to sharing this episode with you for weeks since I recorded it with Susan McLean. Today's guest Susan, is Australia's leading expert in the area of cyber safety and was a member of the Victoria Police for 27 years. She was the first Victoria Police Officer appointed to a position involving cyber safety and young people, where she established and managed the Victoria Police Cyber Safety Project. She has completed advanced training in the UK and US over the past two decades and has also been awarded the National Medal, Victoria Police Service Medal second class and the National Police Medal. Susan presents to over 250,000 students each year as well as tens of thousands of parents and educators, both within Australia and internationally. She's the most highly qualified of the Office of the eSafety Commissioner trusted education providers. Susan is a published author with her book 'Sexts, texts and selfies' acknowledged as the Definitive Guide to Online Safety. Susan was generous with her time and advice in our discussion and I urge you to share this episode with your family and friends. Particularly listen out for the three R's which are relevant to online behaviour no matter how old you are. I'm really pleased to share this conversation with you today. And I hope it starts more conversations on cyber safety for you and your family. For now please enjoy today's episode with Susan McLean.  

CP: So Susan, it's great to have you on the podcast today. 

SM: Thanks very much for having me. 

CP: So I'd love to start by asking you, why do you do what you do? We've heard a little bit about it in your bio, but why do you educate about cybersecurity? 

SM: So for me, prevention is always better than cure. So I think that it's really important that everyone that uses technology, be they an adult user, a parent carer, or guardian or young person, has the opportunity to get the right information. Because if you don't get the right information, you can't make good choices. And yep, we can catch bad guys and we can do all of that afterwards. But that doesn't undo the harm and the damage. 

CP: And I guess the link for me and why we're talking today is because you know you're talking to children, you're talking in schools, and I see the children as our professionals of tomorrow. I've got four kids myself, I'm often appalled at the lack of cybersecurity behaviours being demonstrated in the classroom. So I'm keen to understand in your view, if teachers are getting enough education around cyber? 

SM: Short answer is no. Long answer is no as well. Look, there are some teachers that are truly tech savvy, and understand what they should and shouldn't be doing. And of course, modelling good practices and sharing good practices in the classroom to their students. There are those that don't have a clue. There are those that sort of think they know and don't know. So it really gets down, it's really twofold. It's the leadership of the school and what they expect of their staff. And then it's often up to the staff to sort of educate themselves if you like. If I do staff professional learning, it doesn't cover you know passwords , it talks about passwords, but doesn't cover password protection. And, you know, for me, it's obvious you know. You don't put your password on a sticky note on your computer. That's really dumb. Yet, you know yourself, you walk into offices and you see that. So it's quite difficult to educate when they don't think they're doing anything wrong. And what I've seen through COVID, and this was what was really bothering me, especially during the long lockdowns we had in Victoria, were the large number of teachers that just basically let rip on the internet.  Running classes on TikTok and other platforms, which they legally can't do. And when I contacted the principals about this, because obviously the concerned parents come to me and ra-ra-ra. In most cases, the principal's had no idea. So that showed that lack of I suppose communication. I doubt that many schools actually have a remote learning policy or procedure. I mean, they did it on the fly and I get doing it on the fly back in, you know, March 2020. But by now you should have all your i's dotted and t's crossed because it's part of your duty of care. 

CP: I don't think many companies had remote work policies, let alone schools having remote learning policies. But I want to come back to passwords a little bit, because one of my pet hates is that my kids get passwords, you know, there's a whole sheet of them, and the teacher just cuts them off one by one and pastes them inside the front of their diaries. And that's teaching them this behaviour of writing down their passwords, and keeping them all in one the place. And like you said, it seems obvious, but teaching that behaviour that's going to stick. 

SM: It is going to stick and you know, not only that, it's also teaching them that it's okay to have your password in a public place. Because you know, if it's in the diary or inside the journal or, you know, stuck on your desk, everyone can see it. So there are some schools I work in that do really good digital citizenship education. So, you know, they will cover off a whole lot of these things. But there's no clear curriculum. So what I found is it very much aligns to what the teacher chooses to teach. And the password thing is huge. And I get why teachers want simple. You know, I mean, 30 kids, it's hard to manage. But you know you'll reap the rewards if you lay the good foundations. And what a lot of them do is for a password they'll have their surname and the number of the roll they're on. So you know, I would be McLean8, perhaps because I'm the eighth person on the roll. Teachers think that that's really clever. Oh, yeah, that's tricky, that's a tricky one. And the kids go, oh, my God, that's dumb. And what I get to see a lot of is kids logging on, pretending to be other kids. And then wrecking havoc. Some schools do have, well all schools should have the ability to check who logged on, where and how, but they don't. And of course, that opens a whole other floodgate of being able to misuse technology and get away with it. And you know, we see it in the workplace. Where people will walk away, only to go the toilet, great. But they leave their computer on and open. So, you know, it used to happen in the Police Force years ago, you'd see an open computer there, someone was in the middle of writing statement up. So you'd come along, not that I would ever do that, but you see them, and they would write the boss is a dickhead or something in the statement. And the poor member, they wouldn't have seen it because they'd scroll down again. And that gets submitted. And you're that in a way, you know, a little bit of harmless fun and learn from your mistakes. But, that can have really serious consequences when people are using someone else's login access to do something that's illegal. 

CP: So when you're getting in front of students, what are some of the key behaviours that you're focused on when you're trying to educate? 

SM: So when I work with young people, I try to get them to think holistically about, you know, cyber safety. So it's nothing in isolation. And that's the other thing that that does my head in, let's just talk about issue 'A'. Well no, because online everything is interrelated. So I always start with, I have a thing, it's called the three R's. And that is Respect, Responsibility and Reputation. So what I try to drill into them, before they do anything online, they should be running through three questions. Is what I'm about to do showing respect for myself, my body and others? Is what I'm about to do responsible? And then I talk about how that's very different from I can do it. Because of course, you can press a button and you can do it, but should you actually be doing it? And then lastly, how is this going to look if someone judged me based on this one thing? And if you start really early, and I mean, a lot of people, you do it subconsciously. But if you teach it from a very young age, it will become subconscious. And then that's going to cut down on either poor choices online and poor behaviour, but also lead to better protection factors, because I'll be thinking about, well, yeah, I can do it, but I shouldn't be doing it this way, I shouldn't be doing it that way. You know, in the workplace, I've got to be mindful of, you know, bringing the brand of the workplace into disrepute, reputation management. I work with a lot of elite sports people, their name is their brand. They've got to be thinking about this. So it's trying to focus and lay those good foundations. And then we look at all the different things that you need to be aware of when you're using technology. And of course, it's age and developmentally appropriate. 

CP: So I did want to ask you that question, because when you say things like Respect, Responsibility and Reputation, those three R's are absolutely transferable to the workplace and should be the lens through which people are looking when they're making decisions. So when you educate in schools, as opposed to when you're giving advice to corporates, are there similarities and differences? Or does it just came back to being age appropriate? 

SM: It's age appropriate. And it's interesting because the key message is in my presentation, the facts do not change. It does not matter who I am speaking to. The only fact that would change is when I'm speaking overseas, and I've got to you know, reference, a Singapore law or a law in the UK versus a law in Australia. But the facts never, ever change. And what I often say to teenagers in particular, I give this same presentation to kids in America. And the only thing I change is the law. Because that that obviously varies, it varies within Australia. But we need them to be thinking about that it's not something separate to them as a person, it is them as a person. The three R's are in every presentation I give, it does not matter who I'm speaking to. I presented to a whole range of trainee Catholic priests, once again, they got the same three R's. And again, you will take it to mean different things. It will be referenced differently depending on where you are in your life. But even like, I start working with children as young as eight, they can still get it and I don't give them the three R's. We have a discussion, and they've got to tell me what those three R's might be. And you know, we get resilience, and we get rethink. And we get a few other guesses before we get the right ones. But I've never been anywhere, where children as young as eight can't give me those three words. And then we talk about what they might mean. And of course, my explanation of reputation to a grade three is going to be very different to a forty year old corporate, but it's still relevant. And that's what we need to understand, it needs to be holistic, not focused on only one thing. And the earlier you start, the better. 

CP: So you mentioned you work with kids as young as eight, is there a reason you don't work with kids that, I mean, because if you go into schools in prep, they have an iPad. And so yeah, what's the is there a rationale behind the age? 

SM: So I've certainly done Prep or Foundation, or K, whatever state you're in, it's called different stuff. So I will do a K to 2 session if I'm particularly asked. And for example, I was up in country Victoria late last year, a little town called Tempe. Now Tempe only has a school, it has nothing else. So you know, there's no way I'm going in there and doing you know, six kids in grades three to six, I'm going to do them all in two sessions. And obviously, with when you talk with preps and grade ones, it has to be very much drawing and a couple of words because they don't have the level of ability to write and things like that. Because in all my my private presentations, they have to write, they have to complete tasks to help with their learning. But I just feel that at those early stages, the classroom teacher should be able to educate sufficiently. They're the best ones at those early ages to be laying the good foundations, fingers crossed, and working through things with them. So that's really why I picked grade three. But I said, I certainly do an occasional younger session, but I just don't think the expert guest speaker if you like needs to be done in Prep, 1, 2. 

CP: When I talk to people in corporates about this, and this whole season of the podcast is about behaviour. What I found is that this is the hardest thing to measure. These behaviour change programmes, what most people call awareness programmes, but you know, I have this annoyance about the word awareness because it's not a call to action. It's just here's some information. So, you know, if we call it a influence or behaviour change programme, it's really hard to measure the success of those programmes. And so is there something you do to measure the impact of your programme? Are you sort of, you know, testing the kids and then teaching them something and then testing them at the end? Or what's the nature of your measurement? 

SM: It is really hard to measure good choices. And I can remember years ago in the police force, when, you know, we had a police in schools programme. And of course, like any programme, it's going to be funded by the government, so they want to see, you know, results. But how do you actually measure good choices, because the kids that we were interacting with and preventing from committing a crime, they don't show up anywhere. You know, so it is very difficult across all fields to measure good choices, or change unless you've got, you know, a baseline of 50 mistakes this month, and I've got five next month. So with the work that I do, it's really based on feedback from the schools. What they feel about my presentation, did they feel that it was eliciting change in the students. Because look, there's many schools that are go to yearly, and then I can get to see that myself and I because I'm working with the same children to see you're up, you can see their level of retention of information. In the primary school, they have to complete a worksheet, it goes home, it gets discussed with Mum and Dad. Mum and Dad sign it, it comes back to school so it becomes part of their learning journal. And, you know, the teachers then can see if there's been, you know, the kids have taken themselves off social media sites they shouldn't have been on, less issues. And, you know, I know in schools that I have a long relationship with you know, they will say that after about two years, you know, the issues that they were dealing with coming forward have gone from, you know, 90% down to 30%. So they've seen it in that way, but the concrete way to capture that and present it is very difficult. 

CP: But consistency, it sounds like it's certainly something that allows you to get inside the heads of these kids, as new social challenges come up for them and new online challenges come up for them. 

SM: Yeah, so the basic facts don't change. But there's always going to be something new to talk about, a new way to do something, a new app, a new platform, a new issue. Even if you look at the way that predators misuse technology. The methodology from six years ago has changed to what some of them are doing now. So it's about, if you don't know what you're looking for, if you don't know what you're trying to avoid, you're never going to be able to avoid it. So you've got to keep doing that. And when I'm working with anyone, for that matter, you know, I don't stand there and present if you like, I have a conversation with them, the same as I'm having with you. And I have my slides, but they're just you know, my dot points. And my whole presentation is a conversation, because there is nothing worse than sitting there and someone reading slides. I mean, that's just hideous. But you know, you don't want that, you want the engagement. I'm very lucky that I've been doing this for many years, I took my first report of cyber bullying in February 1994. So I've got a lot of examples to give. If I'm in the corporate, I've got examples there. If I'm working with sports people, I've got examples there, school kids. And I think that's what adds to the learning outcomes is that I don't make stuff up. I don't embellish the truth. This is real. And I'll say to all my audiences, what I often say, I'm not saying is fair. But I don't think it's fair that people are hounded for one mistake they made 20 years ago. Like that's ridiculous. However, it happens. Because what I get, not too much pushback. But the perception, especially from teenagers, or into the corporate is, oh, yeah, but that was years ago, so that really wouldn't matter. You know, and the amount of people that don't even Google themselves and see what they can find, you know that that that really surprises me. And then I had one students say, I do this year 11 session at a school, I've been doing it for 10 years. And I had one student go, I will if they sacked me or didn't employ me because of my Facebook page, I just sue them. Good luck with that. So there's all these misconceptions about how reality works. And that's what I'm very clear about. You don't have to like what I say, but it's real. And then you need to take it and apply it to your particular situation and see what you need to do. Do you need to change stuff? Are you okay? Can you put ticks in all the boxes, that's fabulous. And there are many people that can, but there's still a lot that can't and social media has been around a very long time now, over 20 years. And people are still getting caught out on social media. I love that going to a demonstration and belting a police horse wearing your workplace's polo. You know, like, what planet are you on? But they don't think. 

CP: So I was going to ask you what surprises you the most about online behaviour in society? But I mean that happens so often. I mean, does it does anything surprise you anymore? 

SM: No, no. The other one I love is when people commit crimes and film themselves committing the crime and posting. Hey, here I am smoking a bong. Hey, here I am graffitiing the side of the building. Hey, come find me. Here I'm climbing up the high wire, high voltage power lines. Look at me look at the view. People are dumb. You know, I remember when I went over to America, I was very lucky, I had a couple of stints in the states doing some training with the FBI, and some other organisations. And the first time I went to the States was 2007. They were already using technology intelligence gathering, in a much different way than we were. In the police station we had this little book, an information book. So if you had something of note to tell other members you'd write a little note, be aware of 57 Wilson Boulevard looks like squatters in there. And that's how you share the information. Even then, they were using YouTube and they would go on to YouTube and if there was like a graffiti crime or a burglary, they would type the address in or whatever they had and they'd see what they could find. So they were so far ahead of using it as intelligence gathering. The other big misconception I get and this is right through to adults as well, is that if I use in private browsing, or if I use a VPN, or if I use a dark web or TOR, no one will ever find me, I'll be fine. And I always tell this story and it makes a fool of me but, I sat through this half day FBI training thing on the dark web. And the guy was very charismatic, but I understood the first statement, I understood nothing that he said. Like, I got bits, but it was so technical. And at the end, they got the bad guy and I got that part too. So, you know, and I'd say that I said, I'm not, you know, I don't have I'm not technical, I'm not your tech expert. But you know, don't think there's ways around it. Because there isn't. And if you're going to be using these things that promise to keep you safe and promise, you know, not to share. You know you're mistaken. And with kids, oh it's Snapchat, it disappears. No, it deletes. No, it doesn't it disappears that's a different word. Or oh but I use it for my eyes only, so no one else would see that. Nope, that's not how it works, either. And they're quite shocked, because they believe what they're being told. I think this is where we need to do better, is challenging people young and old, to check the veracity of their information? 

CP: And do you feel like you have to use sort of fear based stories, because in corporate, a lot of people kind of get in front of the board, and they say, oh, my goodness, this is what's happened to this company, this could happen to us. I need five million dollars, you know, we need to put all these controls in place. Or they sort of paint these really ugly pictures of the impact of cybersecurity incidents that may or may not ever happen. And you know, it's kind of like Chicken Little and the sky is falling. They're constantly saying it's going to happen, it's going to happen. So the board keep pouring in money. And yet these incidents don't happen. This fear, uncertainty and doubt is too often used in these programmes of awareness and seeking funds. What's your approach? Because obviously, with kids, we don't want to scare them, but you've got to give them the reality. 

SM: Yeah. And that's what, you know, obviously, the examples that I will give will be pitched to whoever I'm speaking to. I think it's important, like, if you go back to the corporates with the, you know, look what happened to the company up the road. That's fine, because, you know, the board may have no understanding that this might happen. But it has to be put into context. Was it the same sort of company? Was it the same systems? Is your risk profile the same as that company? Because it might not be, you know, you might already be 27 steps ahead of them. So, you know, I think, like for like examples are worthwhile. I think that examples about good decisions, and how change has affected this, I think that's really important as well. And I think we need to celebrate companies that are proactive. If I'm going to present to a corporate and I want to use a well, look, this is what happened to Billy Smith up the road. You know, I would be making sure that Billy Smith was a similar company of similar size, similar risk profile, otherwise the example is null and void. It's irrelevant. And then you would be looking at, well, what have other similar companies that look on the other side, and here's this company that we know have done these sort of things, and they seem to be travelling well. And it's about promoting companies that are proactive, and, you know, really trying to do the right thing. And, you know, I get a lot of corporate stuff. And that's great. But I had a very interesting approach last year from a corporate, I won't name them. My goodness, this was one of the most proactive companies. They're an international company based in Australia, but offices all around the world. And they're in freight logistics. And they had an issue in a different country where one of their workers was arrested for child abuse material. Now, really nothing to do with the workplace because you know, that's outside of work and things like that. But the company then sort of did a bit of a check about, well, could he have access stuff at work? Like, it really made them think about, okay, what processes have we got in place to best make sure that you know, okay, if we've got an employee doing the wrong thing, there's no opportunity for them to do this during the work day. And you know, as a result of that, I think I delivered 17 sessions for them, as well as sessions for the workers children. But what they said they wanted to upskill their workers to be aware of issues online, both corporate and in their private life, so that they could best prevent anything in the future, identify stuff before it happened. And, you know, I was doing sessions at all hours of the day and night to pick up you know, different countries of the world. I had people dialling in from little villages in Fiji. Some really small places, obviously North America, big places. But you know, that to me was just a great example, they didn't have to do anything, because essentially it was nothing to do with the workplace. But they just felt it was a perfect opportunity to try to give some buyback to their workers and best protect them and their company in the future. And then I was working with the IT people, and they'll go to put in a parent portal. So they're going to have that on the IT system so that if parents had concerns, you know, there'd be some resources there links to, you know, my website, my books, all that sort of stuff, just to help them. You know, that sort of stuff, if you can get them thinking about that, in all areas of their life, that's going to flow through to how they conduct themselves at home. And as you said, before the, you know, remote work policy, which is, you know, non existent. And, of course, no one needed to think about this, unless, you know, you had a particular employee that was going to be working from home, and you've given them special permission, and you would have something, you know, drawn up for them. But this whole, my whole workplace is at home remote learning. Interestingly, last year, I was doing some work for a school in Kuala Lumpur. And, you know, I work with schools all around the world. But for the first time ever, in any school anywhere, they sent me a remote presenter agreement to read and sign. And I would suggest they'd probably had an issue with a remote presenter in the past, because that's what normally happens. But I'll give them the benefit of the doubt in that they are very productive school. But they sort of laid down the expectations of their external presenters, which I thought was really sensible. Because I get to hear horror stories about a well known children's author that told children in grade one and two to follow him on TikTok during a zoom lesson. You know, so usually, you know, people are reactive rather than proactive, but these are things to think about. Because if you go past all of this, and let's say something happens, especially if it's a duty of care issue, or someone is harmed and hurt. I'm not a lawyer, so I don't have a legal degree, but I tell you what, I could win an awful lot of cases in court, because I know what I have to prove. And all I have to prove is that you could have reasonably foreseen this happening. And if I can do that, which I would be able to do, in most cases, I will win. So you know, you've got to be on the front foot, you've got to be thinking about how best can you protect yourself. If I then come up against you in court, and you can say, well, yes, we did think that this might happen. So we have done a, b, c, d, and e. And unfortunately, despite everything that we did, it still happened. Well, there's no case to answer. And I think we're moving to a more litigious society. People are suing more than ever before, and there is a plethora of No, Win No Fee lawyers. So you know, what does it cost me to have a go, it cost me nothing. 

CP: And I think to just the unknown nature of online activity as well, there are probably some people that don't even know they can take legal action in particular cases. 

SM: Especially in the corporates, I think there is a lack of knowledge of laws. I don't mean just workplace laws and workplace bullying and that sort of stuff. But I'm talking about criminal behaviour online. I think that's not widely known, really, across society. The other one is, you know, it was my favourite, it was my personal Facebook page has nothing to do with work. Well, yes, it is, because I have linked you back to your workplace. So you are going to be held to the, you know, the values of the company and all of that. And so there's that, you know, I can do what I like at home, they can't touch me. Well, we've seen plenty of people that have been sanctioned because of that and lost their jobs. There is still a lack of understanding of I'll use a fake name on Facebook, no one will know it is me. So they don't understand how the platforms work. They don't understand what police can access. As in the police don't log in and get it, it's done through legal process. But when I explain that to my audiences about exactly what, if the police are investigating a person and it's linked to a social media platform, they can get everything. You know, they can get, you know, everything from your ISP, they can see every website you've ever looked up. And that's without a forensic examination of your device. So you've got to understand that if you're doing something online, it could be found. Not will be, because it might not be, but it could be. And that that's what you need to be thinking about. 

CP: So 20 years or more for you of working in the cybersecurity field, what do you do in your personal life and just give me one thing because I'm sure there's lots, but what cyber behaviour Have you changed since you've started to really see what goes on online? Is there something you do that that you know, if you did nothing else, that's the one thing that you think is important. 

SM: That I have a complex password but not so complex that I forget it. Because that and see that that's the thing, you know, you want tricky passwords, but you don't want them so ridiculous, that you're going to forget them and have to reset them all the time. So having a good solid password that you can remember, that means something to you, I think is really important and change it regularly. The other one is, you know, on all my social media accounts, I have no photos of me. So my advice to people is, because people can, especially if you're trying to get a job, they can judge you based on your profile picture. They're not going to say, hey, we didn't interview you because you look stupid. But if you look stupid, they're not going to interview you, but they're not going to tell you. So the best profile pictures on any form of social media, other than LinkedIn because that's slightly different, should be non identifying. So pictures of a sunset at the beach, you know, fluffy the cat, all of that sort of stuff. So that, you know, you're still in the hunt, if someone does work out that that your page, they probably won't anyway. But you know, learn to protect your privacy. And it was interesting, because I was reading an article yesterday from the Washington Post about some things you can now do on Twitter to better stop them taking all your data. And one other thing I'd say is regularly revisit your privacy settings and make sure you know, oh, I didn't realise people could see my photos. Well, you know, you need to be in control of that. But I went through, I did it out of interest. I went through the steps that the Washington Post, the journalist had said about stopping Twitter taking a lot of your data and a lot of the things I had already done. But there was one about suggested interest. So this is how they decide that they might shoot me an article or something like that. And then the article went on to say, you can leave it as is and hope for the best or you can manually uncheck every box. There is no option to select all. It took me 20 minutes to uncheck every single box of things Twitter thought I was interested in. And there was some hysterical things there. I don't even know how on earth I thought I might be interested in. But it was interesting to see. So I did everything, you know, the data sharing and location, all that that was already turned off. But this suggested for you sort of this, it was like your algorithms away off. Because there's you know, apart from you know, some travel ones, and there was, you know, some of the, like, I follow a lot of news papers, so you know, they're there. But there was some random stuff there. But if you're going to use social media, you have to manage it. Don't set and forget, because that's the worst thing you can do.  

CP: I think it's an awesome tip and a great place for us to close out the conversation. I could talk to you all day. I've got hundreds of other questions because my kids are at such varying ages that their needs and their questions change every year in terms of their online profile. So thank you so much, Susan, it's been a pleasure to talk to you today and thanks for your time. 

SM: Thanks. My pleasure.