This is a true story.
I was sitting at breakfast the other day with my wife. As we waited for our food to arrive, four people were sitting at a socially distanced table. They were discussing how they have to restart their computers every month because of “something Microsoft does that makes me restart.” The conversation continued:
Diner 1: “That’s why I only use a capital ‘A’ as my password on that machine.
Diner 2: “Mine is always ‘1234’”
Diner 3: “Same thing with the internet. I use the same password everywhere.”
They continued their conversation with a host of other revealing information. I was waiting for them to start reciting their credit card numbers out loud. I am not sure why they were all loudly broadcasting this at a public place. I would like to think that they were FBI agents and that they were testing me to see if I would take their bait. But I am certain that is not the case.
I started to stand up, and my wife stopped me and said “Don’t you dare go over there and educate them.”
I said “But this is ridiculous. They need to know!”
My wife said, “You’re being officious.”
Me: “No, I am not. I am not acting in any official capacity. Besides, I don’t even have my CISSP card with me.”
My Wife: “No, you knucklehead. Officious means that you are offering your services where they are neither wanted or needed.”
Me: “How is it not needed? They clearly need my advice. I bet that ‘1234’ is also the code for the keyless entry system on that guy’s car!”
My Wife continued: “How do you think they will feel if you go over there and start teaching them about cybersecurity when they are just trying to make breakfast conversation? Besides, you are probably the only person in the room who would really know what to do with the information they are trumpeting.”
Did I mention how astute (and brutally honest) my wife can be at times?
However, she was right.
As a cybersecurity professional, how would you have handled this situation? Should we approach unsuspecting people to teach them how to better protect their information such a passwords, or should our educational efforts be confined to the forced annual security awareness trainings and phishing exercises that we conduct?
We are great evangelists, but we are poor at public relations. We need a better marketing strategy, so here is a proposal that you can use now to raise awareness on a broader scale.
Contact your favorite local media outlet. Whether it is a news publication or a television news outlet, look up their contact information and let them know that October is National Cyber Security Awareness Month, and that you are confident that if they run a piece about cybersecurity, it would be a great benefit to their audience. Perhaps you could offer to write something for them yourself or offer some advice to them if they do not have a subject matter expert on their staff. Maybe this could result in a new career path for you. Whatever it amounts to, your contribution to the community can only help.