
In the time since we first wrote about device hardening for kids in late 2019, the conversation around children and screen time has gotten louder and more fraught. At the time, we were already living through an accelerating teen mental health crisis. And the pandemic that followed did nothing to help.

Books and opinion pieces and surveys have chimed in with theories and advice. Jean Twenge, a psychologist and author, lays much of the blame on the combination of smartphones and social media. Jonathan Haidt largely concurs in his recent book, The Anxious Generation. Yet others say that smartphone and social media use are a symptom of something bigger that’s been in play for longer than any of us realized. 

Outside the larger conversation about technology and mental health lies the reality of your own life with your kids and teens. And in real life, some form of digital communication is becoming more and more necessary for each and every child. The good news is that you, the parent, get to decide how much technology creeps into your children’s lives.

Be the CISO of Your Family

As security experts and parents, we recommend that you approach onboarding new technology in your family life in the same way a CISO reviews new technology for their company. This type of evaluation requires a high level of self-awareness about what you want to gain from technology and what risks you’re willing to tolerate to reach those gains. 

Consider the following: 

  • Alignment: Does the new technology meet your family’s goals and objectives? Does it provide problem-solution fit? If the problem is making sure your child got picked up by the bus and made it to school, a smartphone might be overkill when an AirTag tucked in a backpack would get the job done. 
  • Scalability: Can the technology grow and adapt to future needs or changes to your family’s or child’s lifestyle? Can a smartphone be made “dumb” for a younger child then grow “smarter” along with the child’s abilities to manage it? Or perhaps certain technology is correct for certain ages in your family and handed down once children mature. The tablet user graduates to a dumb phone and then to a smartphone, and the devices are handed down the line to younger siblings. 
  • Integration and Compatibility: Does the technology integrate with other systems already in place? (Seriously, can everyone share chargers on a family trip?!) Integration and compatibility is also about everyone being familiar with the same type of tech and willing to offer support as needed. Mom shouldn’t have an Android phone and give her kids iPhones unless she’s willing to learn a whole new OS. 
  • Security: Does the technology protect sensitive data? Is it relatively hard to hack? Pause before you allow new apps on your kids’ devices. Will they allow communication you’re not comfortable with? Or reveal data about your child that should not be shared?
  • Cultural Fit: Assess your family’s values and risk tolerance. Your values will dictate whether or not you consider certain forms of technology important or necessary in the first place. If you deem them necessary, you should define their purpose. Is a smartphone a communication device only? Or is it also for gaming, shopping, schoolwork? Your risk tolerance will also determine what you’re willing to pay up front and the losses you can handle if the technology is stolen, lost, or damaged. 

A new device passed your family CISO test. Now what? Our updated guidelines for device hardening are below.

What Does Hardening Mean? 

There are a couple of ways to think about hardening when it comes to devices. The first is understanding that attacks are going to come and damage is going to be sustained. But with proper preparation (hardening), the damage can be minimized and survived. Let’s use an analogy: when you gave your kid a bike, you were certain he was going to fall off of it, right? There’s no riding without falling. So you gave him a helmet and made sure he wore it.

When that same kid gets a little older and wants a personal device, you should be aware that he’s going to “fall” with it too. He’s going to click on a malware link, search for something you’d rather he not see, or communicate with “friends” who might not have his best interests in mind. Just like you accepted the risks associated with the bike, you need to be realistic about the risks associated with the device.

The second way to think about hardening is minimizing the attack surface. The bike analogy doesn’t really hold here since a bike is a simple machine with one purpose and your new device contains a world of capabilities. Refer back to your Family CISO assessment of alignment. Place limits on the device’s capabilities that fit your goals. You can minimize the risk by minimizing the capabilities.

Soft Guardrails

In professional information security and compliance, security managers know that people matter. You can have all the physical and digital safeguards in the world, but if your users are careless with passwords and clicks, your organization is still at risk. As the Family CISO, you need to train your kids to be as good as the best employee. 

Implement the “principle of least privilege.” Least privilege simply means giving a user access to only the applications and data they need to do their job. For your kid, this means being crystal clear that their phone is only for calls and texts (no Snapchat or TikTok). Or that his tablet is for playing offline games only. The possibilities are endless and will be specific to your family culture and your child’s readiness. Your rules will change over time. But be sure to start with really clear guidelines and get your spouse and/or co-parent(s) on the same page. 

Provide your child with clear instructions on what to do if something fishy happens. Like an employee with a chain of escalation for phishing emails, your kid needs to know the protocol. If someone sends you an email purporting to be Grandma but you don’t think Grandma knows how to use a computer, what do you do? If a number you don’t recognize calls or tries to share an image with you, what’s the plan? If they receive an oddly worded message or calendar invitation that contains a link, should they click it?

Unlike most adult employees, however, kids need some Internet 101 lessons. They need to be taught, explicitly, not to trust everything they read and everyone they interact with online. And remember that one lecture about safety on the web is not enough. You’ll need to check in with your child regularly and do “refresher courses.” 

Hard Guardrails

Hopefully, by now, you’ve considered all the soft skills your child will need to have in place before you hand her a new device. Now let’s get into the digital controls that you can set up to help you maintain your sanity and your kids’ safety. 

Debloat. Remove any applications that are unnecessary to your stated reason for the device’s existence in your household. Every app represents a new attack surface. So embody a minimalist philosophy and cut back as far as you can bear. iPhones can be configured to prevent kids from installing or removing apps. Enable this feature if you are concerned about what your child might install.

Turn on automatic software updates. Both your device and any apps you allow to live on it will need to be updated periodically. Since you may not be handling your child’s device very often, you should enable updates to be installed automatically. Updates frequently contain security patches that you need to have in place to ensure safety.  

Set up two-factor (or multi-factor) authentication for all accounts. Most of the major tech players offer multi-factor authentication. This feature only allows a computer to access an account once the user has verified their identity via two or more mechanisms, often a password and a code sent via text.

Set the device to lock when it’s not in use. Kids walk away from devices all the time. If they’re out in public (or even around friends in their homes or at school), you don’t want their device open and susceptible to data theft (or, more likely, pranks). Set the device to open with either a PIN, fingerprint, or facial scan. (And teach the kid what makes a good password and why they should never share it with anyone.)

Enable remote wipe. The chances are high that if a device leaves home in the hands of a child or teen it will be lost or stolen. You’ll want to remotely wipe all data even if it’s set to lock when not in use. 

Use full disk encryption. This is standard for iPhones and newer Android devices, but will need to be turned on for Android devices that launched with anything lower than Android 7.0.

For Android, use the built-in VPN configuration. For other devices, install a high-quality, paid VPN service if the device will be used on public Wi-Fi. 

Disable auto-joining networks. Most devices are set this way by default. But you should check your child’s just to be sure. Auto-joining a network puts you at risk everywhere you go. Public Wi-Fi and hotspots can expose data and increase security risks. 

For iOS devices, turn AirDrop receiving off. Sadly, nefarious users have found that AirDrop is a simple way to engage in cyberflashing (yes, like that kind of flashing) and they do not discriminate when choosing their targets.

Install parental controls, locks, and/or monitoring software. If you’ve decided to give your child a device to call their own, you trust them on some level. But you may want some hard controls on their activity for your own peace of mind. Apple offers a range of settings via its Screen Time feature. You can disable purchases and built-in apps (turning off the camera, for example) as well as limit web and Siri search results. For Android devices, consider enabling Google’s parental control software, Family Link. Family Link can set device “bedtimes,” set usage limits on individual apps, and more.

Install anti-virus software if applicable. Since game consoles are not susceptible to malware in the same way that other computers are, anti-virus software doesn’t apply there. But if you purchase any type of Android device or PC for your child, you need to invest in quality anti-virus software. There are dozens of options at every price point. For iPhones, you really cannot buy a true anti-virus product. Apple prevents their sale in the app store and for good reason: they built the device OS with security as a central feature. Your MacBook is another story. While still minor compared to PC attacks, Mac-based malware is out there and growing. You need to install AV software.

The Parent is the Best Control

The human element matters now, more than ever. Writ large, teens and tweens are suffering in a world that is “very online” to the detriment of being very connected. Technology feels like a necessary evil, but it’s important to remember, as parents, that we are still in control. 

Stay open with your kids about the reasons to use technology and be clear about your family’s stance on its purpose in your lives. Maintain the principle of least privilege and make sure that the devices and apps you allow all serve a specific purpose. 

At Asylas, we value the human element! We are an empathetic, relational information security firm. Our customers love to work with us and say we make security fun. Reach out at 615-622-4591 or email info@asylas.com. Or complete our contact form.