{"id":20895,"date":"2023-03-31T08:30:18","date_gmt":"2023-03-31T12:30:18","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/security-awareness-training-diy-ideas\/20895\/"},"modified":"2023-04-10T16:30:49","modified_gmt":"2023-04-10T12:30:49","slug":"security-awareness-training-diy-ideas","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/security-awareness-training-diy-ideas\/20895\/","title":{"rendered":"Info-security training \u2014 with glue and scissors"},"content":{"rendered":"<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">\nDisclaimer. This is the April Fools\u2019 Day blog post. The methods of \u201ccybersecurity trainings\u201d described in it are not entirely ethical, and are not universally considered acceptable. We recommend that you think twice before using them in real life and ideally obtain the consent of the team for such actions beforehand. <\/div>\n<p>When it comes to information security, the weakest link is \u2014 and always has been \u2014 humans. That\u2019s why our blogposts often advise companies to provide <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity trainings for employees<\/a>. Unfortunately, not all companies can afford to allocate the necessary funds for this. Another problem is that not all employees take such lessons seriously, so the knowledge they acquire often remains purely theoretical.<\/p>\n<p>The good news is that this problem can be solved without spending huge sums of money. Below are a few fun and effective ways to demonstrate to your dear colleagues the importance of information security.<\/p>\n<h2>Passwords on sticky notes and printouts<\/h2>\n<p>\nOne of the most dangerous habits that, sadly, many office employees are still guilty of is noting down passwords on scraps of paper and leaving them in public view. 
Even thousands of memes down the years of passwords stuck on monitors have failed to curb this practice.<\/p>\n<p>The threat here is obvious: anyone visiting the office can take out their phone and discreetly snap all sticky notes with account credentials that catch their eye. Sometimes notes with passwords accidentally go public. For example, it\u2019s <a href=\"https:\/\/www.kaspersky.com\/blog\/unusual-ways-to-leak-info\/36049\/\" target=\"_blank\" rel=\"noopener nofollow\">not uncommon<\/a> for a password to get leaked during a workplace interview or through some office photo posted on a social network.<\/p>\n<div id=\"attachment_47704\" style=\"width: 508px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47704\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2023\/03\/31163734\/security-awareness-training-diy-ideas-passwords.png\" alt=\"Workplace interview with a revealing backdrop\" width=\"498\" height=\"487\" class=\"size-full wp-image-47704\"><p id=\"caption-attachment-47704\" class=\"wp-caption-text\">Prince William gives an interview with login credentials pinned to the wall behind him for the Military Flight Information Publications (MilFLIP) system of the Royal Air Force<\/p><\/div>\n<p>To discourage sticky-notes lovers from resorting to scribbling their passwords on them, you will need: a pen, several sticky notes, and someone good at imitating others\u2019 handwriting; for printouts with passwords, nothing\u2019s needed besides the printer itself. Armed with these simple tools, try replacing such sticky notes at the employee\u2019s workplace \u2014 with similar but incorrect passwords. Then observe from a safe distance how the poor soul tries to log in to their account. 
And try not to laugh too loudly.<\/p>\n<p>Ideally, you should leave the real sticky notes in a place where the involuntary test subject will find them after a while \u2014 otherwise they may think that it was just some system glitch or something like that (a lot depends on how tech-savvy the person is, in general). And be sure to point the hapless sinner in the direction of a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">good password manager<\/a> for storing credentials the proper way.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n<h2>Unlocked computers<\/h2>\n<p>\nAlso dangerous is the habit of leaving one\u2019s computer unlocked when away from one\u2019s workstation. This too, unfortunately, is not uncommon. Even more unfortunately, it\u2019s extremely difficult to manage this issue at a company-wide level.<\/p>\n<p>Unlike with passwords on sticky notes, the risk here\u2019s not of accidentally leaking sensitive information, but, should a hostile visitor come to the office, the threat can be just as grave \u2014 if not more so: it wouldn\u2019t take long to infect an unlocked computer with malware. And after that, the options for attackers are far-ranging: from industrial espionage to a small but nasty <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/ransomware\/\" target=\"_blank\" rel=\"noopener\">ransomware <\/a>infection.<\/p>\n<p>Dealing with careless employees who don\u2019t lock their computers is quite easy \u2014 and also rather entertaining, and you need just your own quick wits and dexterous hands to do it. The general strategy here\u2019s very simple: wait until your colleague leaves their workstation, then do something \u201cinteresting\u201d on their unlocked computer.<\/p>\n<p>There are several proven tactics. 
The most effective is to write a chat message or e-mail on their behalf. For example, you might offer to buy an after-work drink for everyone in the department. Or pen a passionate e-mail. The choice is yours. Let your creative impulses run free \u2014 the wilder, the better (without overdoing it, of course).<\/p>\n<p>The second option is quick and easy: on the unlocked computer, find an <a href=\"https:\/\/www.kaspersky.com\/blog\/adult-content-privacy-security\/35315\/\" target=\"_blank\" rel=\"noopener nofollow\">interesting image<\/a> online and set it as the desktop wallpaper. The advantage here is that the victim cannot miss the point: the demonstration will be literally in their face. True, the therapeutic effect may be lower due to the less public nature of the act. If you have enough time, these tactics can even be combined, and they do complement each other nicely.<\/p>\n<p>To spare the employee any more such embarrassment and to protect the company\u2019s security going forward, advise setting up automatic lockout after a short period of inactivity. And also explain what key combination to use to instantly lock the computer in one hand movement: on Windows it\u2019s [Win] + [L], and on macOS it\u2019s [Cmd] + [Ctrl] + [Q] (this information can be stuck to the screen:).<\/p>\n<h2>Unattended smartphones<\/h2>\n<p>\nAn unlocked smartphone left unattended also poses a cybersecurity risk. Sure, the chances of an attacker using it to spread ransomware over the corporate network are low. But a hostile visitor could still get hold of some useful contact details with the intention of using them for social engineering, or plant spyware on the device. 
In other words, there can be some very unpleasant scenarios both for the company and personally for the smartphone owner.<\/p>\n<p>In general, the training methods from the previous case apply here too: you can compose an interesting chat message or e-mail, or download a \u201cnice\u201d picture and set it as wallpaper. But there\u2019s an additional tactic for maximum effect in the minimum time: photograph something unexpected on the unattended phone. For example, a picture of you or a mutual colleague in an interesting pose (with the latter\u2019s consent, of course).<\/p>\n<p>Afterward, as before, instruct the employee to set up automatic lockout after a short period of inactivity. Since there\u2019s no need to enter a long password to unlock a smartphone nowadays (presenting a fingerprint or your face will do), this period should be very short \u2014 say, 30\u201360 seconds.<\/p>\n<h2>Abandoned passes<\/h2>\n<p>\nAnother not-so-good habit is to leave your pass unattended. For our hostile visitor, a valid pass is a real find \u2014 one that can be used to break into the company\u2019s office and gain physical access to corporate computers or documents.<\/p>\n<p>To wean careless colleagues off this dangerous habit, you will need:\n<\/p>\n<ul>\n<li>An office printer\/scanner\/copier<\/li>\n<li>A plastic card the same size as the errant pass<\/li>\n<li>Scissors<\/li>\n<li>Glue <\/li>\n<li>A little diligence<\/li>\n<\/ul>\n<p>Take the unattended pass, photocopy it, carefully cut it out, glue it to your plastic imitation pass, and insert your artistic masterpiece into the holder in place of the real pass. 
Put said real pass in a place where the \u201cvictim\u201d will find it later.<\/p>\n<p>If possible, try to be at the security gate when the victim tries to exit the office, and see how they explain to the guards (if you have any, of course) who they are and why they\u2019re using a forged pass.<\/p>\n<p>Note, however, that this is a rather severe form of training, which could lead to a conflict between you and the other employee. We therefore recommend it only as a last resort after all words of warning have failed.<\/p>\n<h2>Entrust the matter to professionals<\/h2>\n<p>\nOf course, the methods described above are no substitute for full-fledged cybersecurity training, if only because they cover just a handful of the potential threats. That said, if your security budget is non-existent, they provide a good starting point.<\/p>\n<p>Ideally, they should be used as bait to get employees thinking about information security, as well as to consolidate knowledge acquired during full-fledged training. To learn more, please take a look at our <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a> (suitable for large companies).<\/p>\n<p><input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\"><br>\n\n<\/p>\n<div style=\"background-color: #e5f0ec; padding: 10px 25px; margin-bottom: 10px;\">\nDisclaimer. This is the April Fools\u2019 Day blog post. The methods of \u201ccybersecurity trainings\u201d described in it are not entirely ethical, and are not universally considered acceptable. We recommend that you think twice before using them in real life and ideally obtain the consent of the team for such actions beforehand. 
<\/div>\n","protected":false},"excerpt":{"rendered":"<p>DIY security trainings for your colleagues that are both fun (for you) and educational (for them).<\/p>\n","protected":false},"author":2726,"featured_media":20898,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1518,519,2625,1183,187,1022,1367],"class_list":{"0":"post-20895","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-awareness","11":"tag-hacks","12":"tag-kaspersky-asap","13":"tag-leaks","14":"tag-passwords","15":"tag-risks","16":"tag-training"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/security-awareness-training-diy-ideas\/20895\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/security-awareness-training-diy-ideas\/25462\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-awareness-training-diy-ideas\/28066\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-awareness-training-diy-ideas\/25765\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/security-awareness-training-diy-ideas\/34962\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-awareness-training-diy-ideas\/47703\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/security-awareness-training-diy-ideas\/26065\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-awareness-training-diy-ideas\/31775\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/security-awareness-training-diy-ideas\/31460\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/awareness\/","name":"awareness"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20895"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20895\/revisions"}],"predecessor-version":[{"id":20925,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20895\/revisions\/20925"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20898"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}