In this Cyber Security Training for Employees you will find an extensive instruction on how to avoid becoming a cybercrime victim which will be useful for your colleagues. It covers such topics as suspicious files and links, password creation, 2-step verification, software, antivirus, OS, backup, mobile security, physical security and so on.
We recommend you send this instruction to your employees via email and make everybody read and understand it. In corporate network, the failure of a person can become a disaster for a company. So enhance your organization’s cyber hygiene and work in a secure digital environment.
Table of Contents
Cyber Security Training for Employees: Key Thing to Learn – Do not Press Suspicious Things
Do not open, press, or run suspicious files, links, and applications. Your rule of thumb: if you were not waiting for this message, file, link, etc., consider it suspicious.
Do not open suspicious files, email attachments, or archives if you do not trust the source. Move unwanted messages to a Spam folder before reading. Files or links from unknown people should be considered harmful by default. Check the files you receive particularly carefully. If you have received a MS Word document via email, contact the sender via a messenger or phone and ask them about the purpose of sending the file and whether they have sent it. The most risky file extensions are .com .cmd,.bat, .ps1, .swf, .jar, etc. MS Office documents, especially with macros:.doc/.docx /.docm, .xls /.xlsx /.xlsm, etc. PDF documents: .pdf. Vector files with inner code: .svg . Archives, especially the ones protected with a password.
- Do not open suspicious links (URL), especially those that lead to web-sites you normally do not use. Always check web-sites’ domain addresses before clicking the link: criminals can conceal the domain name, so it seems familiar (facelook.com, gooogle.com , etc.). Use HTTPS and check the web-site SSL-certificate to make sure it is not copied or fake.
- Harmful URL-addresses might “mask” behind any text in HTML-files, documents and emails. In the web-browser or mail client move the mouse cursor on the link (but do not press) and wait (1-2 seconds) until the real URL appears. You can also right click the link and copy it to the text editor to see its actual address.
- Harmful URLs might be encoded with QR-codes and / or printed on paper, including in the form of cut URLs, generated by special services, like tinyurl.com, bit.ly, ow.ly, etc. Do not insert these links in the browser and do not scan QR-codes with your smartphone if you are not sure about their contents or origin. You can unfold short links before opening with the help of special web-sites. Popular browsers apps provide such unfolding automatically: Google Chrome – URL Unshortener, Mozilla Firefox – Long URL Please Mod.
Suspicious Pop-Up Windows
Be careful with pop-up windows and messages in your browser, programs, operational system and mobile device. Always read their content and do not “approve” and “accept” anything automatically. Pop-up windows may be harmful in different ways: some allow criminals to install fake SSL-certificates to your system that will help them intercept your network traffic; some might install malicious programs on your computer and smartphone or redirect your browser to malicious web-sites that infect computers with viruses and other malicious programs.
Do not plug USB drives and external drives, do not insert CD and DVD etc. in your computer if you do not absolutely trust their origin. There are computer hack techniques even before you open a file on USB and long before your antivirus scans it. If you have found a device on the street or in the office, or if you have received it by mail or with a courier, if a stranger has given it to you asking to print a document or simply open and check the content – there is a chance the device is malicious. Trust only your own devices and be careful with the devices you receive from others.
Use Passphrases instead of Passwords
What is a Passphrase?
Use passphrases instead of passwords, to avoid easy passwords problem. Passwords based on well-known dictionary words are easy to crack. Instead, select a phrase you will not easily forget the following 2-3 days: one line of a poem, byword etc. Then, transform this phrase into one “word” deleting the spaces and replacing letters with similar digits or symbols: A-4, B-8, C-(, I-1, L-7, S-5, T-7, etc. Adding digits and symbols, and converting letters to uppercase will make the passphrase even stronger.
How to Create a Strong Passphrase?
Use the recipes for creating strong and unique passphrases. The recipe is the algorithm used for forming different passphrases for different systems on the common base. For example:
- Choose the strong base, for example, the passphrase w3llD0nem8’
- Think of tying this phrase to a service, e.g., simply adding the server name at the end: w3llD0nem8’gle, glew3llD0nem8’goo
- Do not forget to “distort” the resulting phrase by, for example, changing the server name last letter to the digit, if possible, and adding the exclamation mark or other symbol: goow3llD0nem8’gl3!
Keep the Passphrases Secret
No one but you should know your passwords. Do not reveal them to anybody, including your boss, your system administrator or support service, your spouse, parents, children etc. They have no logical or legal base to get your passphrases. From technical point, even the system you use the password for does not have access to it in its initial form. Instead, the system keeps the “hash” – its cryptographically secure copy. Never write your key passphrases on paper or in an (unencoded) file. Password safe Excel file is not encoded. Password safe archive is not appropriately encoded. If required, use only safe password managers for keeping the passphrases.
Renew the passphrases regularly or at least once a year. Your corporate passphrases and passwords you use the most frequently (often per day) must be renewed every month or every two months. The rule of thumb is that the more often you use the passphrase, the more often it must be renewed.
Use the password manager software for keeping and protecting the passwords and follow these rules.
- Generate strong accidental passwords no less than 20 symbols long.
- Make sure the masterpass you use to protect other passwords is a strong passphrase.
- Use the password manager that encodes the database before saving to the cloud or synchronizing with the network devices.
- Often, or, even better, automatically, make the reserve copies of the password databases.
- Still want to use passwords?
Safe passwords are long, complicated, and unique. It means they have to be longer than 12 characters, consist different characters (letters, digits, symbols), and differ for every service, web-site, or system. Passwords should not be based on simple words that can be found in dictionaries. Passwords should not be cognitive, meaning, they should not be based on the user or system data.
Use 2-Step Verification
- Enable 2-Step verificationMost authoritative online-services support 2-step verification. Enable it with the software token (available in Facebook, Twitter, Google, etc.) or with a temporary password delivered via SMS.
- Avoid SMSPrefer using Google Authenticator, physical token, or mobile application verification. Avoid using temporary passwords via SMS.
Learn more in Part 2
Learn about G Suite cybersecurity and the best G Suite security practices