Young people may be social media savvy but many need help with the Big Four of cybersecurity. A free device Tune Up gave hundreds a chance to learn
By Dr Suelette Dreyfus and Dr Shaanan Cohney, University of Melbourne
Generation TikTok needs cybersecurity more than ever but getting this message out there is hard.
Everyone’s pictures and thoughts are posted for the world to see. But our team of researchers and students are firmly shoving digital privacy and cyber security into a social-media friendly spotlight.
At this year’s Splendour in the Grass, our team brought cybersecurity education into the heartland of youth culture in Australia.
Each year, around 50,000 people (most under 26) come together from around Australia – and the world – at the Southern Hemisphere’s largest music festival. The festival is three days of music and entertainment, near the backpacker’s mecca of Byron Bay in New South Wales (NSW).
So, what better place to reach a generation that shares most of their lives online with lessons in cybersecurity and digital privacy?
Young people are cyber-savvy. They know there is danger and risk – but they haven’t connected the simple steps they can take to tune themselves up.
This is where our crack team steps in. Sixteen university staff, graduate and undergraduate students in total from across three universities in three states – the University of Melbourne, University of Queensland and University of Technology Sydney – ran a cybersecurity ‘Tune-Up’ each day of the festival.
Our Cybersecurity ‘Tune-Ups’ were done with the support of the Australian Information Security Association (AISA), the professional association for information security professionals and its partner, the NSW state government.
Hundreds of festival-goers visited the famous Science Tent with their devices – smart phones, tablets and even laptops – to get advice on how to up their cybersecurity ‘posture’.
They would drop in to have a relaxed chat with our Tuners and a walk-through of the Big Four of cybersecurity on their devices: patching, muti-factor authentication, password management and encryption.
Tuning up your devices – like you regularly tune up your car – can reduce risk. And it’s not hard – just three or four simple steps will improve your cybersecurity to a good level of coverage.
We started with patching.
“First, we helped them check if their software was up-to-date,” said University of Melbourne PhD student Cath Thompson.
With a head of magnificently purple hair, freshly dyed in celebration of Splendour, Cath Thompson summed up the importance of patching to a cluster of drop-ins to the Tune-Up.
“If your phone is running an obsolete version of its operating system, exploitable holes will appear in your cyber defences, like a giant piece of Swiss cheese. And sometimes, unfortunately, all those holes line up,” she explained.
Cath showed Splendourites both how to update and to change settings to make sure their devices would auto-update when new patches came out in response to cybersecurity attacks observed ‘in the wild’.
“We also highlighted new and evolving features of these systems that help users better understand and manage their digital footprint exposure to third parties,” she added.
One of the more common problems was that visitors to the cyber tune-up clinic had little space left on their devices. Since most updates need additional space, patching in the clinic often led to an impromptu clean-up of unwanted photos and files.
Next on the tune-up was setting up multi-factor authentication, or MFA.
University of Melbourne student Marco, who prefers to just use his first name, walked another group through how to setup MFA on important online accounts like their Gmail or Instagram.
“Multifactor is usually based on ‘something you have’ and ‘something you know’ – think of your ATM card, you need both the card and a pin to make a withdrawal,” he said.
Marco noted that “while many people still choose to use SMS as the second method of identification, you can get better cyber protection with an authenticator app, like Google or Microsoft Authenticator, Duo or Authy.”
Marco explains: “Attackers can use ‘SIM Jacking’ to evade MFA when set up with SMS messages.”
In a SIM Jacking attack, a scammer uses social engineering to convince a mobile phone service provider (like Optus or Telstra) to transfer your phone number to a new SIM: a card under the scammer’s control.
The scammer will then receive all your SMSs, making it easier to get access to your online accounts even if you have MFA enabled because they control one of the avenues of verification.
Using an authenticator program – many of which are free – can limit the damage from SIM Jacking. By using an authenticator program, you are not dependent on your telco service.
However, Marco adds: “You then need to plan for back-up access if you lose your phone.”
University of Melbourne PhD student Emma Baillie showed festival goers how a password manager works, and some free, open-source software options, like Bitwarden and KeePass.
“People often reuse passwords, or add ‘1,2,3’ at the end of the same password. Well, attackers have that well and truly figured out,” she said.
“If you have to change your password when your dog dies, you need a better password.”
“Imagine your account is compromised in a large data breach – say a Yahoo or LinkedIn breach. Attackers who get your password then try it on all your other known accounts. If you’ve re-used it, then it’s game-over. They now have access to your other accounts too,” she said.
“No one can remember the hundreds of unique passwords we need for all our accounts these days.
“A password manager handles all that for you, giving each account a unique, hard to guess password, so you only have to remember one very good master password.”
An added bonus is that using a password manager can help to thwart phishing attacks.
Many people are often fooled into entering their password into a phishing site that looks just like the real site, allowing attackers to capture the password. But a password manager that’s configured to auto-fill won’t be fooled: the fake site won’t match the URL saved within the manager.
Our team also took part in a public panel of cybersecurity experts hosted by comedian and former Triple J radio Breakfast presenter, Adam Spencer.
The topic – ‘ChatGPT meets Hackers from Hell’– brought together Dr Suelette Dreyfus from the University of Melbourne, Troy Hunt, who runs the site haveibeenpwned.com (which checks if your email has appeared on lists of hacked accounts), Deloitte partner Chris Gatford, and the University of Queensland’s Shelly Mills.
Music and cultural festivals create a great opportunity to reach young people with a cybersecurity education message.
Susie Sheldrick, a University of Melbourne PhD student, said the clinic’s peer-to-peer helping style made it easy for young people to ask questions about cybersecurity without the fear of looking like they didn’t know how to use technology.
“There’s such a brilliant community vibe at Splendour – we’ve got this great team of staff and students across three universities working together with cybersecurity professionals who are AISA members volunteering over the event,” she said.
“The professionals are sharing real life stories with us, giving us a sense of what it’s like to work in the field as well as practical knowledge in applying cybersecurity improvements.”
Many who had their devices tuned up stayed for a while to ask deeper questions. The relaxed setting of the festival combined with the ‘no judgement’ chats with the volunteer team made people comfortable with the process, Susie says.
“There’s no blame, no shame, just friends helping them out to make their devices more secure.”
Banner: Shaanan Cohney
First published on in Engineering & Technology
Dr Suelette Dreyfus
Lecturer, School of Computing and Information Systems, Faculty of Engineering and Information Technology, University of Melbourne
Dr Shaanan Cohney
Lecturer, Cyber Security, Faculty of Engineering and Information Technology, University of Melbourne; Center for IT Policy, Princeton University
Creative Commons License We believe in the free flow of information. This work is licensed under a Creative Commons Attribution-No Derivatives 3.0 Australia (CC BY-ND 3.0 AU), so you can republish our articles for free, online or in print.
All republished articles must be attributed in the following way and contain links to both the site and original article: “This article was first published on Pursuit. Read the original article.”

Dr Shaanan Cohney and Dr Suelette Dreyfus
Generation TikTok needs cybersecurity more than ever but getting this message out there is hard.
Everyone’s pictures and thoughts are posted for the world to see. But our team of researchers and students are firmly shoving digital privacy and cyber security into a social-media friendly spotlight.
At this year’s Splendour in the Grass, our team brought cybersecurity education into the heartland of youth culture in Australia.
Each year, around 50,000 people (most under 26) come together from around Australia – and the world – at the Southern Hemisphere’s largest music festival. The festival is three days of music and entertainment, near the backpacker’s mecca of Byron Bay in New South Wales (NSW).
So, what better place to reach a generation that shares most of their lives online with lessons in cybersecurity and digital privacy?
Young people are cyber-savvy. They know there is danger and risk – but they haven’t connected the simple steps they can take to tune themselves up.
This is where our crack team steps in. Sixteen university staff, graduate and undergraduate students in total from across three universities in three states – the University of Melbourne, University of Queensland and University of Technology Sydney – ran a cybersecurity ‘Tune-Up’ each day of the festival.
Our Cybersecurity ‘Tune-Ups’ were done with the support of the Australian Information Security Association (AISA), the professional association for information security professionals and its partner, the NSW state government.
Hundreds of festival-goers visited the famous Science Tent with their devices – smart phones, tablets and even laptops – to get advice on how to up their cybersecurity ‘posture’.
They would drop in to have a relaxed chat with our Tuners and a walk-through of the Big Four of cybersecurity on their devices: patching, muti-factor authentication, password management and encryption.
Tuning up your devices – like you regularly tune up your car – can reduce risk. And it’s not hard – just three or four simple steps will improve your cybersecurity to a good level of coverage.
We started with patching.
“First, we helped them check if their software was up-to-date,” said University of Melbourne PhD student Cath Thompson.
With a head of magnificently purple hair, freshly dyed in celebration of Splendour, Cath Thompson summed up the importance of patching to a cluster of drop-ins to the Tune-Up.
“If your phone is running an obsolete version of its operating system, exploitable holes will appear in your cyber defences, like a giant piece of Swiss cheese. And sometimes, unfortunately, all those holes line up,” she explained.
Cath showed Splendourites both how to update and to change settings to make sure their devices would auto-update when new patches came out in response to cybersecurity attacks observed ‘in the wild’.
“We also highlighted new and evolving features of these systems that help users better understand and manage their digital footprint exposure to third parties,” she added.
One of the more common problems was that visitors to the cyber tune-up clinic had little space left on their devices. Since most updates need additional space, patching in the clinic often led to an impromptu clean-up of unwanted photos and files.
Next on the tune-up was setting up multi-factor authentication, or MFA.
University of Melbourne student Marco, who prefers to just use his first name, walked another group through how to setup MFA on important online accounts like their Gmail or Instagram.
“Multifactor is usually based on ‘something you have’ and ‘something you know’ – think of your ATM card, you need both the card and a pin to make a withdrawal,” he said.
Marco noted that “while many people still choose to use SMS as the second method of identification, you can get better cyber protection with an authenticator app, like Google or Microsoft Authenticator, Duo or Authy.”
Marco explains: “Attackers can use ‘SIM Jacking’ to evade MFA when set up with SMS messages.”
In a SIM Jacking attack, a scammer uses social engineering to convince a mobile phone service provider (like Optus or Telstra) to transfer your phone number to a new SIM: a card under the scammer’s control.
The scammer will then receive all your SMSs, making it easier to get access to your online accounts even if you have MFA enabled because they control one of the avenues of verification.
Using an authenticator program – many of which are free – can limit the damage from SIM Jacking. By using an authenticator program, you are not dependent on your telco service.
However, Marco adds: “You then need to plan for back-up access if you lose your phone.”
University of Melbourne PhD student Emma Baillie showed festival goers how a password manager works, and some free, open-source software options, like Bitwarden and KeePass.
“People often reuse passwords, or add ‘1,2,3’ at the end of the same password. Well, attackers have that well and truly figured out,” she said.
“If you have to change your password when your dog dies, you need a better password.”
“Imagine your account is compromised in a large data breach – say a Yahoo or LinkedIn breach. Attackers who get your password then try it on all your other known accounts. If you’ve re-used it, then it’s game-over. They now have access to your other accounts too,” she said.
“No one can remember the hundreds of unique passwords we need for all our accounts these days.
“A password manager handles all that for you, giving each account a unique, hard to guess password, so you only have to remember one very good master password.”
An added bonus is that using a password manager can help to thwart phishing attacks.
Many people are often fooled into entering their password into a phishing site that looks just like the real site, allowing attackers to capture the password. But a password manager that’s configured to auto-fill won’t be fooled: the fake site won’t match the URL saved within the manager.
Our team also took part in a public panel of cybersecurity experts hosted by comedian and former Triple J radio Breakfast presenter, Adam Spencer.
The topic – ‘ChatGPT meets Hackers from Hell’– brought together Dr Suelette Dreyfus from the University of Melbourne, Troy Hunt, who runs the site haveibeenpwned.com (which checks if your email has appeared on lists of hacked accounts), Deloitte partner Chris Gatford, and the University of Queensland’s Shelly Mills.
Music and cultural festivals create a great opportunity to reach young people with a cybersecurity education message.
Susie Sheldrick, a University of Melbourne PhD student, said the clinic’s peer-to-peer helping style made it easy for young people to ask questions about cybersecurity without the fear of looking like they didn’t know how to use technology.
“There’s such a brilliant community vibe at Splendour – we’ve got this great team of staff and students across three universities working together with cybersecurity professionals who are AISA members volunteering over the event,” she said.
“The professionals are sharing real life stories with us, giving us a sense of what it’s like to work in the field as well as practical knowledge in applying cybersecurity improvements.”
Many who had their devices tuned up stayed for a while to ask deeper questions. The relaxed setting of the festival combined with the ‘no judgement’ chats with the volunteer team made people comfortable with the process, Susie says.
“There’s no blame, no shame, just friends helping them out to make their devices more secure.”
Banner: Shaanan Cohney
The Media Office is staffed from 8am–5pm Monday to Friday.
The University has a television and radio studio to facilitate live and prerecorded broadcast quality interviews with media. You can also Find an expert for commentary.
Receive your weekly email digest from Pursuit
Thank you for subscribing.
Sorry, something went wrong. Please try again later.
Please enter a valid email address.
By subscribing, you agree to our privacy statement.
The University of Melbourne (University) collects, uses, handles and discloses personal information in accordance with the Privacy and Data Protection Act 2014 (Vic) (Act) and other applicable legislation.
This Privacy Statement relates only to the collection of personal information in relation to the Pursuit Website. Please refer to our Privacy Policy and Privacy Statement for the University of Melbourne Website for information in relation to the broader practices in relation to the collection, use handling and disclosure of personal information by the University.
Definition of Personal Information
“Personal information” is defined under the Act to mean information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001(Vic) applies. 
Collection of Personal Information by the University in relation to Pursuit
The University may collect, store and handle personal information about you including but not limited to your name and email address for the sole purpose of allowing you to subscribe to Pursuit’s weekly digest of cutting-edge research findings and expert commentary.
Disclosure of Personal Information
The University would seek your prior written consent before using your personal information for any purpose other than that which is described above and before disclosing your personal information to any third party.
Access to Your Personal Information
You can access any personal information the University holds about you by contacting the University’s Privacy Officer at privacy-officer@unimelb.edu.au.

source