Digital Safety and Security – Tips for Trainers by Anna Chęć

We also know that people use the Internet for various purposes and in a number of different ways. They mainly use it for work, communication, entertainment, study, and to collect pieces of information. In addition, they use it to transfer money, send or store sensitive data and share pieces of private information. They also use it to organize protests, help people in danger, put up a petition, or support human rights organizations from another country.

Nowadays, every day brings us some new devices, solutions, applications, or communicators. With this ongoing progress, as technology continues to evolve, our lives seem to have become easier.

But are we safer?

Do we realize that the more technology we use, the higher the chances for cybercrime are?

And do we know how to protect our own or other people’s privacy or sensitive data?

As an educator and a trainer, I have been asking myself many questions related to the subject of privacy and cyber security.

What do people need to know in order to stay safe?

How to motivate them (and myself!) to pay more attention while operating online?

For several years, I have been conducting classes and different types of training for young people and adults, including parents of school children, teachers, activists, or members of non-governmental organizations. My goal as a trainer is to draw their attention to the fact that we ourselves have to take care of our own privacy and security, because no company or organisation will do it for us as thoroughly or comprehensively as we can. We ourselves need to think and decide what software or applications we will install on our devices, how we will treat our passwords, and what kind of information we will share with others.

There is no better protection than… reflection. ?

On the other hand, together with "Klara" (an alias used by her when training), my co-trainer and collaborator of two years, who is a security researcher and a hacktivist, currently working as a software security engineer in a financial institution, we have conducted a series of training sessions on Digital Safety and Security, during which the participants could learn about very specific technological solutions or tools that would keep them safe and let them see how the security settings on their devices really work.

From my trainer’s perspective, and the perspective of a person who genuinely cares about spreading the knowledge on the subject of Digital Safety and Security, I believe there are two very important aspects that need to be addressed, when talking about the ways to stay safe online:

The first one is the psychological, social, awareness-raising aspect of being responsible for oneself and others.

1. The second one is about the technological input that allows the use of specific tools that increase our security level.

For example, if in training we introduce our audience to one of the more secure types of messengers, such as Signal, but at the same time won't link it to the theme of the phone security, or to the security of the messenger itself, and also won’t bother showing them how our safety depends on the safety of the other person we talk to, then using Signal itself may turn out to be useless.

To cut a long story short, what we need to remember here is that we need tools to protect ourselves, but in order to stay safe we really need to know a broader context of how to use them and they affect us and others.

Stimulating motivation – to educate, not to scare

People often start to think about their privacy and security only the moment something bad had already happened to them. It could be anything: from hacking of their social media account, through having publicly posted a piece of their private conversation by a stranger, to getting their money stolen form their online account. I have been "collecting" various such stories that took place in the real life and presenting them as examples of case studies during the training sessions I run. I think it is a great way to introduce people to and make them more aware of specific threats in a meaningful context that they can easily relate to.

Here are a few of such real-life stories I tend to use during my training sessions as cases for the participants to discuss:

• A story of safe communicators and hacking a messenger account: a young, right-wing activist, who was successfully climbing the ladder in his political career, has been attacked one day by a hactivist who published out in the open the entire content of his private messenger conversations from the last six months. After that, the victim’s career was destroyed and he was compromised among his friends and colleagues, who read what sort of unpleasant things he had written about them in private.

• A story about our endless trust in the information we see posted in the Social Media: some people found a house moving company on FB and ordered their service. Consequently, they ended up losing all their belongings, as the moving company was a hoax that had never legally existed – the villains just came, took all their belongings, and disappeared without a trace.

• A story about the information we publish about ourselves in the Social Media: one person has become the victim of a phishing attack and a financial fraud after trusting an attacker and sharing with him a lot of personal information.

• A story about the importance of using the two-factor authentication: one of animal rights activists has lost her Fb account for good because a hacker used his own 2FA on her account, so that any of the FB profile recovery forms didn’t work to get it back; she lost her account simply because of not knowing what the 2FA was.

There are many more stories like the ones above. We can use them to help people start thinking for themselves about their own security and the choices they make every day, to show them real-life situations that can affect everyone, to explain how the attackers work, and how to protect ourselves from them.

Apart from the stories and the reflection they bring, it is also good practice to motivate people in the next step to find the time and energy to install and start using a number of specific tools, such as: a password manager, a secure messenger, 2FA, or to encourage them to change the Internet provider, if needed. In the world where everyone is so tremendously busy, what we need most of the time is simply a small “push” to become more interested in our own security... Therefore, it’s best if we can learn from a moving, real-life story, which has happened to someone else, less fortunate than us, and that can be a valid lesson for us, rather than draw conclusions from our own "bad experience".

Better to be safe than sorry, as they say...

During the training, we can tell the stories ourselves, use some of the available YouTube materials, make a group exercise based on their members sharing selected stories with others, or simply ask if the participants have any personal/work-related/ organization-based experiences of their own, that they would like to and can share with others in the group.

I carry out such exercises only in groups with whom I set a clear rule of discretion. What’s discussed in the group, stays in the group. I believe that creating a safe environment of mutual trust during the DSS trainings is of crucial importance for their effectiveness.

Working on specific examples has an educational value, but it is also a springboard for us to move on and start working on how to prevent such situations and what kind of tools and countermeasures we can use for this purpose.

Prevention is the best remedy and it is far better to become aware of what may happen to us in time, rather than to be forced to deal with the consequences.

There are thousands of kinds of threats, deceptions and cybercrimes waiting for us out there in the cyber space that various people are more or less prone to. Therefore, when choosing a specific application or programme that can be recommended to a particular target audience, it is always good to adjust it to the very group’s needs, the time we have at our disposal, and the group’s level of technological advancement.

We can, however, consider a few common training themes and tools that I believe can be universal and that should be widely known by all the Internet users. That said, I’d like to stress that it is my subjective choice and it absolutely does not exhaust the range of solutions available.

These are my top 10 subjects to be included in a DSS training:

1. How to define “security” and “privacy”,

1. What can go wrong? - types of security threats: phishing, socio-techniques, hacking, etc.,

1. What information/data is considered as “sensitive”,

1. Social media, privacy, and security settings,

1. Password manager and password generator,

1. Two-factor authentication,

1. Safe communicators and how to use them,

1. Safe email,

1. Data encryption tools,

1. Mobile devices, security settings.

Each of these topics is broad enough to make a separate workshop on it, but given the fact that we are usually faced with limited time during the training, we need to make do with whatever the time we’ve got and make some educated choices. What we as trainers also need to do, is to decide each time how deeply into a subject we’d like to venture with our explanation:

• Are we simply going to recommend a specific tool?

• Or shall we explain how it works and what we use it for?

• Or perhaps we should show the audience various tools or possibilities, but not recommend any specific one of them?

For example, when we talk about a password manager, we can recommend a specific tool, such as the KeePass, and help people install it, or we can show them another tool with similar features to compare and let the audience decide which one they would need.

In my opinion, the second approach is usually a more effective one; it requires more time, though, and takes a group of people who are interested in learning how things work.

We need to be mindful that there are also participants who come to the DSS workshop and only need one simple tool, requiring a quick installation, that is ready to go in seconds, who would not like to spend time analysing how it works or what alternatives there may be.

I personally believe that "less is more" and it is sometimes worth spending a little more time explaining one, single topic in depth, rather than just briefly trying to cover as many of them as possible at once. Time is usually scarce given the vast amount of material that can be covered during a DSS training, it is hence considered good practice to prepare a reference sheet for the participants with a list of links to various useful tools and viable resources, that people can become familiar with on their own time and accord after the training.

Here is an example of such a short reference list:

1. Alternative search engines:

• Bing: https://www.bing.com/?cc=pl

• DuckDuckGo: https://duckduckgo.com

1. Did your email leak? Check here: https://haveibeenpwned.com

1. Safe messengers:

• Messaging Apps Comparision: https://niebezpiecznik.pl/wp-content/uploads/2018/08/Secure_Messaging_Apps_Comparison___Privacy_Matters.jpg

• Wire: https://wire.com/en/

• Signal: https://signal.org/pl/download/

1. Safe email: ProtonMail - link: https://protonmail.com/pl/security-details

1. Password manager: KeePass - link: https://keepass.info/download.html

These were just a few examples. There are many, many more recommendations or tools to be listed and worth discussing. Digital Safety and Security is a limitless area to explore…

Travel safe!