I had the privilege of interviewing Bart McDonough, author of Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals, a book I previously reviewed. Below you’ll find the video of the interview, my questions, and McDonough’s answers.
Note: this post contains affiliate links.
Video Interview with Bart McDonough, author of “Cyber Smart”
McDonough’s Answers to My Cybersecurity Questions
Below are my questions, and summaries of McDonough’s answers. You’ll get more by watching or listening to the interview, but I thought this summary could be helpful.
1. You spend most of your time helping businesses with cybersecurity. What motivated you to write a book for the individual consumer?
McDonough has done many end-user awareness seminars for businesses. Towards the end of each session, people ask questions about what to do at home. McDonough started creating a handout for these situations, and it grew into the book that has been published as Cyber Smart.
Most people don’t have an IT department at home. They don’t know where to turn for answers. They want to know what to do in specific situations, which is why Part 2 of Cyber Smart has specific advice for different areas of your technical life.
2. Let’s go back in time. What piqued your interest in cybersecurity in the first place?
McDonough has been an Information Technology (IT) guy since college. He’s hypercompetitive, and cybersecurity combined his love of IT with competitiveness (competing with bad actors). He likes the cleverness of figuring out how to defend business assets.
In recent years we’ve been putting more of our lives online, so personal cybersecurity has become a greater concern for the average person. Yet most people don’t know how to secure their digital lives. McDonough uses the example of living in a bad neighborhood but not knowing how to lock your front door. He wants to help people with the basics (the digital equivalent of locking your front door).
3. The book is built around 5 basic cybersecurity habits. Out of all the possible cybersecurity best practices, how did you arrive at these 5?
McDonough’s “Brilliance in the Basics” Habits:
- Update devices
- Enable two-factor authentication (2FA)
- Use a password manager
- Install and update anti-malware
- Back up data
McDonough wanted to have a manageable number of habits, because when people are overwhelmed, they do nothing. These recommendations are the most effective in the current threat landscape. It’s not enough that you do these 5 habits; you need to do them consistently.
If threat vectors change in the future, these 5 habits could change. But for the foreseeable future, these are really important.
The most frequent question McDonough gets asked is, “If I use a password manager, aren’t I putting all my eggs in one basket?” McDonough responds that you are, but it’s still the most effective way to avoid reusing passwords and keep passwords secure. In general, using a password manager makes you more secure.
You don’t need to choose between perfect security and no security. You can take steps to increase your security, even though there are no silver bullets.
4. Your fourth habit is “Install and Update Anti-Malware Software.” You say that iOS doesn’t need anti-malware, but Macs do. How do you respond to people who say that they don’t need anti-malware software because they’re using a Mac or Linux?
McDonough says all you need to do is look at the recent explosion of malware for Macs. Over the last couple of years, the percentage increase in malware for Macs has outpaced Windows. As Macs have become more popular over the last 10 years, more bad actors have targeted them. So you need anti-malware for your Mac.
The way iOS is built doesn’t allow anti-malware apps, so those that exist don’t actually do anything; they’re just for show.
There’s not much malware for Linux; less than for Macs. But it’s still a good practice to use anti-malware on Linux.
5. Your book is a great resource, and you provide a lot of info on Twitter. Beyond those sources, how do you recommend people stay informed of digital security issues? Are there any particular sources you recommend?
McDonough likes following #cybersecurity on Twitter. Glancing at that for 5 minutes a day will let you know what’s going on.
Even large media outlets are covering big breaches, so you can learn that way.
He uses Google Alerts to follow certain cybersecurity terms, though he says that’s more for the professional.
McDonough says mainstream media often fails to explain how each additional breach makes us all less secure. The more of our data is breached, the more data bad actors have to use for social engineering attacks, such as phishing. It increases the likelihood of successful attacks.
6. There’s still a lot of apathy about personal cybersecurity. Do you think that will ever change? If so, what do you think it will take to make people care?
Some people need information: they need to be told what to do. But most people know they should have different passwords, use anti-malware, and back up their systems. They may not know to use two-factor authentication or update their devices.
When people are personally affected by cybersecurity problems, or know someone who’s personally affected, that motivates them more than hearing about strangers being affected.
McDonough thinks at this point the problem is more a lack of motivation than of information. That’s why he includes personal stories in the book and seminars: tragic stories about real estate fraud and other attacks.
7. Same question, but this time about digital privacy. Will people ever care? What might make them care?
McDonough says there’s a minor groundswell of people who care about privacy and are acting accordingly (such as leaving Facebook). He thinks that in the next 2-6 years the US government could pass something like GDPR (Europe’s large-scale privacy law) that would give US citizens better privacy protection.
8. Individuals need to take more responsibility for their security and privacy, but do you think companies should be working harder to defend people? If so, what should they be doing?
McDonough says consumer-facing companies do a pretty good job protecting consumer data, but they don’t do a great job responding to breaches.
He thinks the US government needs to do more to protect Americans’ digital assets. He presents this thought experiment: imagine if helicopters were dropping bank robbers into New York City. The federal and state governments would immediately respond. Yet cybercrimes are committed against Americans every day, and the government doesn’t do much proactively to protect against ransomware, real estate fraud, and other cybercrime.
McDonough is pretty confident that the US government will take steps to protect Americans’ privacy, but he’s not confident that it will do anything to protect Americans from cybercrime.
9. How can parents ensure their kids are well-versed in digital defense? Is it important that kids be tech-savvy? Should parents teach their kids to be cautious or even skeptical?
McDonough has experience with this, being a parent of teens and a pre-teen. He teaches them to be vigilant about scams and messages containing malicious content.
He recommends that kids too follow the 5 habits. Even though kids don’t like the inconvenience, they need to know how important those habits are.
McDonough helps his family follow the 5 habits. For example, when a device update comes out, he has the family put all their devices in a pile to update them during dinner.
10. How can people best help their elderly relatives and friends?
McDonough says most of the advice is the same as the previous question. Older people need to be more cautious about phone scams, because they tend to spend more time communicating by phone.
He says the elderly too should follow the basics: make complex passwords, use a password manager, use two-factor authentication, update devices, etc.
McDonough deliberately made the 5 habits simple enough for the average person, to provide the best bang for the buck.
He says a password manager is one of the rare cybersecurity practices that makes computing more convenient, with autofill and other features.
McDonough says he’s started to use the terms “cyber-wellness,” “cyber-hygiene,” and “cyber-posture” to draw the parallel to real-world practices we take to give ourselves incremental safety (smoke detectors, door locks, CO2 detectors, etc.).
People frequently say to McDonough things like, “If China wants to get me, they can. So why should I bother doing anything?” McDonough responds that you can say the same about your home. If a militia wanted to break into your home, they could. But that doesn’t stop you from using basic safety devices such as smoke detectors, door locks, and alarms. They protect you from common accidents and dangers, and are worth using.
11. You’ve witnessed digital security trends over the last few decades. Are you optimistic or pessimistic about the future of personal cybersecurity?
McDonough is short-term pessimistic, long-term optimistic. He thinks vendors (Apple, Microsoft, website vendors, etc.) are becoming more aware and are building more security (updates, two-factor authentication, etc.) into products. He thinks things will get worse for the next 3-5 years, then they could get a little better.
12. What role do you predict artificial intelligence (AI) will play in the future? Do you think it will be a net positive or net negative for personal cybersecurity?
McDonough thinks AI will be a huge net negative in the short term, and that it could be devastating. Powerful AI can look at piles of breach data to create a profile of you, and make phishing and other attacks more intelligent and successful. He thinks AI will cause more security problems for individuals before it starts being used to defend against attacks.
He says it’s a giant game of Whack-a-Mole. Bad actors tend to take the lead in new technologies, and defense needs to catch up.
13. Do you have any other warnings, advice, or encouragement you’d like to share before we conclude?
McDonough says that in addition to the 5 habits, consumers should freeze their credit, especially after the Equifax breach. It can make opening accounts a bit annoying, but it’s worth it because it makes it harder for someone to commit fraud.
He says if you’re a business traveler, especially traveling overseas, you should take precautions, especially in China and Russia. You should search online for what to be aware of when in the country you’re traveling to.
McDonough says using a VPN (virtual private network) can be beneficial, especially when on public Wi-Fi.
He says his overall advice is to be aware of the data about yourself online, and know that it’s going to be used against you. Google yourself, look at your public profiles on LinkedIn, Facebook, etc. That awareness will raise your defenses.
McDonough gives a lot more advice about these and other areas in the book.
I recommend that you read the book, Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals by Bart R. McDonough.