How to give your parents the security talk this Thanksgiving

Explaining why you shouldn't use the same password for every account can be difficult. Here's some help.

Alfred Ng, Senior Reporter / CNET News


Thanksgiving is a time for family to gather together at the dinner table. If you're the family tech whiz, brace yourself for a feast of security questions.

Given the cornucopia of high-profile hacks over the last year, you can bet that a relative will bring up cybersecurity over turkey and gravy. With half of the American population affected by Equifax's breach, security will be fresh on people's minds.

Don't look at this as a chore. Instead, take Thanksgiving as an opportunity to provide the best security tips to all your family members in one fell swoop. Consider it an investment: Teach them to avoid phishing emails now and you won't have to deal with a stolen credit card six months down the line.

Of course, be sure to explain it in a way they'll understand. My parents had a hard time understanding how an antivirus program could actually be a virus itself. Being the family tech support can be really frustrating sometimes.

Here are some tips for talking about cybersecurity with your folks, and best wishes for a hack-free holiday season.

The lingo

Don't jump into the conversation immediately blabbering about ransomware and different types of encryption. There's plenty of jargon and terminology in cybersecurity, but we'll boil it down to terms the average person would need to know to keep safe.

Phishing: This is when someone pretends to be somebody else in an attempt to steal information, whether it's a credit card number, login password or any data that can be used in an attack. Phishing attacks often come in the form of email that contains a link taking you to a website designed to trick you. They're responsible for 91 percent of data breaches, and they're also the most common way people get hit with viruses, according to Verizon's data breach investigations report.

The easiest way to avoid getting phished is simply to not click on any links in emails. If an email coming from Netflix says your account is getting canceled, just go directly to Netflix's website to check it out -- don't do it from the link in the email. It's an extra step, but it'll save you from any risks of losing personal information.

Here's our guide on how to spot a phishing email. There are three main tips:

  • Grammar: Bad grammar is a tell-tale sign of an online scam.
  • Check the source: The address the email came from is often a thinly veiled disguise (coming from facebookk.com instead of facebook.com, for example).
  • Weird links: You can hover your mouse over links and pictures to see where they'll lead you. If an email claiming to be from Netflix is actually going to a suspicious website, that's a good sign it's a scam.
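
The "check the source" and "weird links" tips can also be automated. The sketch below is an added example, not code from CNET's guide: the `BRANDS` list, the 0.9 similarity cutoff and the sample message are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = ("facebook.com", "netflix.com")  # assumed list of services the family uses
# Constructed sample message (single-part HTML), not a real email.
SAMPLE = """From: Facebook <security@facebookk.com>
Content-Type: text/html

<p><a href="http://login.example.net/fb">Log in to Facebook</a></p>
"""

def is_brand(host, brand):
    return host == brand or host.endswith("." + brand)  # domain or subdomain

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, self._text.strip()))
            self._href = None

def phishing_signs(raw_email):
    """Return the warning signs found in one single-part HTML email."""
    msg, signs = message_from_string(raw_email), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = Links()
    links.feed(msg.get_payload())
    for brand in BRANDS:
        # "Check the source": near-miss spelling of a known domain (0.9 is an assumed cutoff).
        if SequenceMatcher(None, sender, brand).ratio() >= 0.9 and not is_brand(sender, brand):
            signs.append(f"sender {sender} imitates {brand}")
        # "Weird links": the visible text names the brand, but the href goes elsewhere.
        for href, text in links.found:
            target = (urlparse(href).hostname or "").lower()
            if brand.split(".")[0] in text.lower() and not is_brand(target, brand):
                signs.append(f"link text mentions {brand} but goes to {target}")
    return signs
```

Calling `phishing_signs(SAMPLE)` reports both the misspelled sender domain and the mismatched link; a message sent from a real subdomain and linking to the real site returns an empty list.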

Password managers: It's a pain to have to remember different passwords for Facebook, Gmail, your bank accounts and every other service you use -- but it's also a must, according to security experts. Fortunately, there are services out there that will keep all your passwords in one place.

With password managers, you just have to remember one password for the manager. You log into that service and it can even generate complex passwords for you. The managers sync across your browsers and devices, bringing both security and convenience. Think of it as a digital key chain that only you can access. Here's how you can get set up with one.

HTTPS and SSL: Every time you go on a website, you should check to see if there's a green lock icon next to the URL. That symbol shows you're on a page protected by HTTPS, which stands for Hypertext Transfer Protocol Secure.

The green lock tells you the website has Secure Sockets Layer (SSL) enabled, meaning there's a certificate to prove that the website is secure and that your sensitive information can't be stolen or spied on. Think of it as a virtual seal of approval that your secrets are safe.

Luckily, more than half of the web uses HTTPS, so if you're on an insecure website, it should definitely set off red flags. Sometimes going on a nonsecure site can't be avoided (CNN's website, for example, is not HTTPS). You should be careful about entering sensitive information on public Wi-Fi if you have to go on non-HTTPS pages.

Ransomware: This is a type of virus that locks up your important files and sometimes your entire computer, unless you pay the ransom.

It's become a popular hack because of how lucrative it can be, and it can spread through computer networks or a downloaded email attachment.

You should back up your files regularly in case you ever get hit with ransomware. Routinely backing up your files (whether on an external hard drive or somewhere online) is generally a good practice. We have an entire guide on whether you should pay the ransom. The short answer is don't.

Patching: Companies like Microsoft and Apple aren't sending frequent updates just to annoy you. Most of the time these updates come with patches to fix security flaws that were recently discovered.

A tenth of Americans say they never update their devices, giving hackers an open invitation to attack. Two of the largest hacks of 2017 could have been prevented by patching. The Equifax breach happened because the company ignored a 2-month-old warning, while the WannaCry ransomware spread on computers without security updates.

Yeah, they're annoying. But suck it up and update your devices.

Two-factor authentication: It's an extra layer of security on top of your password. Think of it like needing two keys to unlock your door, so if one gets stolen, you're still relatively safe.

It's around you everywhere you go already: swiping your debit card and then entering your PIN code, or writing a check and showing a driver's license with it. The factors are often a combination of something you know (a password, a PIN, answers to a question) with something you have (a thumbprint, a card, a phone).

The most common version of two-factor authentication is a code texted to your phone after you enter your password. The extra layer helps prevent hackers from accessing your accounts with just a password. You can enable it on multiple websites, like Google, Facebook, Twitter, Instagram and Amazon. Check the site's security settings to turn on two-factor authentication, if it's offered.

Here's our full guide to two-factor authentication.

Like locking your front door

Security advice can often go in one ear and out the other. Many people choose convenience over security, believing these attacks would never happen to them.

Explain to your family members that they're not as safe as they think they are. The root of most attacks is people not being careful enough. They might know somebody who was hit by an email scam or ransomware, but they're not necessarily concerned about it themselves.

"People don't know the consequences of what's the worst possible scenario," said Amanda Rousseau, a malware researcher at security company Endgame. "Your best bet for trying to get them motivated is to show statistics."

A lot of people aren't worried about cyberattacks because they don't think they're being targeted. But they should look at their devices the same way they look at their homes. People don't necessarily live in fear of robbers coming to their homes, but they lock their doors, close their windows or make sure there's some kind of security in place.

And statistically, you're more likely to be robbed online than you are in person. Any kind of security is better than none at all.

Good luck, and hopefully you won't have to explain this again next Thanksgiving. 
