5 Cybersecurity Lessons from 'Hamilton: The Musical' to Help You Teach Workforce Members Cyber

The other day, I was skimming my LinkedIn and came across a post about how changing corporate culture isn’t the answer to cybersecurity. In response, I used a Hamilton quote. Because, of course. What Hamilfan doesn’t make constant references everywhere?

However, as much as we want to keep blaming end-users, that blame is continually strengthening the rift between security professionals and users. We need to work on providing information to them in ways that they can understand. Otherwise, we’re failing as an industry.

So, here are the five cybersecurity lessons I learned from Hamilton: The Musical to help my Hamfam increase enterprise cyber awareness.

Lesson 1: You Can’t Wait for It

Wait for it, wait for it
I am the one thing in life I can control

That’s right. We’re the one thing in life we can control. I was an early internet adopter. (Shout out to all my AOL chatroom peeps from the early-’90s!) I was going on dates with people I met online in college. (Yeah, suck it, people who said going on dates like that was so horrible… I’ll see your Match.com and raise you a Tinder.) If I’ve learned one thing as an early adopter, it’s that tech isn’t going anywhere.

We all recognize that malicious actors are going to keep on acting maliciously. Except, and here’s the kicker, we can control ourselves even if we can’t control the actions of others. Burr’s inaction ultimately led to his downfall. He waited for it, but when he finally chose to act, he ruined his whole life. (Burr’s history after the duel is pretty sad. The duel destroyed his reputation, and his power hunger led him to try to create his own semi-empire, which failed. Then he moved to England, only to return to the US where he re-started his law business but never recovered his reputation.)

In other words, you can choose the option a lot of people take—to wait for it and ignore the importance of cybersecurity. However, proactive workforce members can protect organizations and their families. So we need to explain this to them in ways they understand.

Lesson 2: You Are Already in the Room Where It Happens

When you got skin in the game, you stay in the game
But you don’t get a win unless you play in the game
Oh, you get love for it, you get hate for it
You get nothing if you

Wait for it, wait for it

Workforce members need to remember that no matter where they’re located, they’re already in the room where it happens when it comes to cyber and their devices.

We live with devices every day, and we need to help team members recognize that they have skin in the game.

Be honest and freak them out. Ask them:

They may not realize that all of these are places where malicious actors can gain entrance to their information.

Explain to them how Man-in-the-Middle attacks are basically data versions of old-fashioned Keep Away, the game where two kids throw a ball to one another and a third kid in the middle has to try to catch it. Tell them to imagine they’re at the mall or in a restaurant, where a cybercriminal can just hang out in a public place and play a digital game of Keep Away.

Make it personal by explaining how more doctors and hospitals are using technology that allows them to monitor patients’ health remotely. Pacemakers are smart devices. Sleep apnea machines send information to your doctor’s office. Hospitals use smart devices to deliver medications.

And hackers can gain access to any of these if they so choose.

If workforce members start being safe at home, that will translate directly to the workplace.

Lesson 3: Never Be Satisfied

HAMILTON:
You strike me as a woman who has never been satisfied.
ANGELICA:
I’m sure I don’t know what you mean. You forget yourself.
HAMILTON:
You’re like me. I’m never satisfied.
ANGELICA:
Is that right?
HAMILTON:
I have never been satisfied.

The first rule of cyber club… is to talk about cyber club. Never be satisfied. We need to teach workforce members the questions necessary to protect themselves and our organizations. But they don’t always know the questions to ask, so we need to give them some.

They should always be satisfied with the responses to the following:

  • Does the device have at-rest and in-transit encryption?
    • In other words, does it mess with the information to make it impossible for someone to read if they manage to get it?
  • Is this the most recent Bluetooth version available?
  • Are you only collecting the minimum amount of information necessary?
    • If a product or app is collecting more information than it needs, then you don’t want to use it. This means, especially for medical devices, you should make sure they are only collecting what they absolutely need. This means looking at whether they need a name or can use a unique, anonymous ID, whether they’re collecting location information, and whether they link your name/social security number/bank account information in a way that makes it clear who you are. If they’re collecting this information and don’t give you a satisfying response as to their reasoning, don’t use it.

Lesson 4: Be a New (Wo)Man

(Scammin’) for every book he can get his hands on
(Plannin’) for the future, see him now as he stands on (oooh)
The bow of a ship headed for a new land
In New York, you can be a new man

Technology is a new land. In fact, we know that data is often referred to as a “landscape,” “environment,” or “ecosystem.” We’re standing on the edge of a new future for which we need to plan.

That means we have to scam books and read. In reality, data security doesn’t need to be confusing, and, often, it isn’t.

Sure, some of it is super technical. But finding the right resources that make it manageable is hard. That’s why I’m working towards aggregating as much accessible content as possible to share with friends, family, and SMB clients.

With the rise of the internet, we have more access to information than we did before. Yet, finding good, accessible information is often difficult. If your workforce members use Twitter, I’d suggest offering them the handles of some of these ladies in cyber:

Eleanor Dalloway

Wendy Nather

Paula Picard

Jovi Umawing

Leslie Carhart

Or you can also help share information by forwarding some of our favorite, humorous, and accessibly written websites:

InfoSecSherpa’s Newsletter Nuzzel

The Register Security Section

Lesson 5: You’re Not Helpless

Look into your eyes, and the sky’s the limit I’m helpless!
Down for the count, and I’m drownin’ in ‘em.

Throughout most of the musical, we’re all led to believe that Eliza was an intellectual second to her protagonist husband. However, if you think about things a bit, Eliza was a pretty darn intelligent lady who went on to accomplish some pretty amazing things. Sure, the final song details them. However, if we think about it, history shows a different story.

Historians explain that Alexander highly valued her intelligence, and she likely transcribed some of the Federalist Papers for him. She was a single mother after he died, never remarrying. She went on to fundraise, started two orphanages (DC and New York), petitioned for his army pension, and spent 50 years collecting his writing for publication. She was, truthfully, anything but helpless.

In other words, we need to help our workforce members become “Cyber-Eliza.” Even if they’re insecure about their cybersecurity knowledge (see what I did there?), they’re not helpless. Tools exist to help you. You just need to reach out and find them. Regularly set notifications that send them lists like the following:

  • Invest in a VPN.
  • Always update all your laptops, smartphones, tablets, desktops, and gaming systems as soon as possible. (Yes, it takes time, but it’s super important because hackers use those known weaknesses that the updates are trying to fix to get your data.)
  • Install anti-malware and anti-ransomware software.
  • Run scans regularly, and if you miss one, run it in the background while you’re using your computer.
  • NEVER ever click on a link in an email. Nope. Never. Not even that one.
  • Never click on a link in a direct message or text.
  • Never respond to emails, texts, or direct messages if they don’t look right because it just lets someone know they hit a real address. (Half the time, hackers are just guessing at stuff and hoping to catch a real address.)
  • Delete apps you’re not using regularly and redownload them if you need them later.
  • Make passphrases personal, since randomly generated ones use the same type of math that hackers use.
  • Always use different passwords for things and find a password manager application to help store them.
  • Don’t use public Wi-Fi if you’re not using a bunch of other protections (see above suggestions).

If They Don’t Know, Now They Know

Most workforce members understand visible dangers, but it’s the invisible threats we need to work on making more accessible.