Q: What are the key topics you would cover in your initial one-hour basic training program on security for non-IT personnel? AND What sort of additional security related training might be appropriate once people have the basics covered?
A: First, I would explain why they are an online target.
The truth is everyone is a target, whether by name or by being in the wrong place at the wrong time. Even if they think they have nothing of value, they are wrong.
I would give examples, like:
- Your dormant PayPal account is valuable to someone who wants to launder stolen money. Once discovered, your account ends up frozen.
- Your insurance policy, along with your personal information, is used to file fraudulent claims, which depletes your coverage.
- Your idle CPU time is valuable to someone who wants to mine for bitcoins, but you get stuck with a slow computer.
- As a member of the management or finance team, you get an email from your boss saying you need to pay $100,000 to a new supplier immediately, no questions asked. Afterward, you find out you’ve been tricked, and the money is never recovered.
Next, explain that most cyber-attacks coming at them these days arrive by phishing. Explain how phishing is an attack on their emotions, not their technology.
Tell them they are now enrolled in a monthly phishing test and you look forward to helping them become better prepared to resist real phishing attacks.
Finally, review these facts:
- People who web browse and process email using an administrator account are more likely to have malicious code get onto their computer. Instead, use a non-admin account for daily work.
- People who reuse the same UID and PW at multiple websites are more likely to have an account hijacked. Instead, use a high-quality password manager and let it create, store, and enter unique passwords for every website. LastPass and 1Password are great choices.
- People who do not install software security updates promptly are more likely to have malicious code get onto their computer. Make sure updates are downloaded and installed automatically.
- People who accept the default PIN assigned by their mobile phone carrier to verify identity when calling to make account changes are more likely to lose control of their mobile phone number, which can lead to online account hijacking. Instead, call the carrier and set a new random PIN, which should be stored in the password manager.