Info-security training — with glue and scissors
- November 3, 2023
- 5:28 am
“Disclaimer: This is an April Fools’ Day blog post, so please be aware. Some of the “cybersecurity training” methods it talks about aren’t completely moral, and not everyone agrees with them. We suggest that you think about them carefully before using them in real life, and if possible, get permission from the team ahead of time.”
Information security is only as strong as its weakest link, and humans are and always will be that link. That’s why we frequently promote cybersecurity education for workers in our blog posts. Sadly, not every business can afford to set aside money for this. And because not all workers give this training their full attention, the skills they learn are often never put into practice.
This issue can be fixed without spending much money, which is good news. Here are some fun and effective ways to show your coworkers how important it is to keep information safe.
Passwords on sticky notes and printouts
Unfortunately, many people in the workplace still engage in the extremely risky practice of writing down passwords on pieces of paper and leaving them where anyone may see them. This habit persists despite the thousands of password memes posted online and glued to computer screens over the years.
Anyone in the office can bring out their phone, look at the sticky notes, and steal any account information that interests them. Notes with passwords can go public by mistake. For instance, it’s not unusual for a password to be shared during a job interview or in an office picture that’s shared on a social network.
To stop people who like to write their passwords on sticky notes, you will need a pen, some sticky notes, and someone good at copying other people’s handwriting. For printouts with passwords, all you need is the printer. With these easy-to-find tools, try putting new sticky notes at the employee’s desk with similar but wrong passwords. Once you’re far away, watch the poor person try to log in to their account. Do your best not to laugh too loud.
You should hide the real sticky notes somewhere the person being tested will find them later. If you don’t, they might think it was just a system glitch. It depends on how tech-savvy the person is in general. Also, remember to point the poor sinner toward a good password manager so they can store their information correctly.
Leaving your computer unlocked while you step away from your desk is another risky practice. As sad as it may be, this is also rather frequent. Even more sadly, it is quite challenging to handle this issue throughout an entire organization.
When you don’t write passwords on sticky notes, you don’t have to worry about accidentally giving out private information. But if an unwelcome visitor comes into the office, the threat can be just as serious, if not worse: it wouldn’t take long for malware to get into an unlocked computer. After that, criminals have a lot of choices, from financial fraud to a small but nasty ransomware infection.
When workers aren’t careful and don’t lock their computers, it’s easy and fun to deal with them. All you need are quick thinking and swift movements. It’s pretty easy to do this: wait until your coworker leaves their desk and then do something “interesting” on their open computer.
Some methods have been used before and worked well. Writing a chat message or email and sending it to them is the best way. I suggest you buy a drink for everyone in the section to enjoy after work. You could write an emotional email instead. You get to choose. Let your artistic urges take over; the crazier they are, the better (though you should try not to go too far, of course).
We suggest configuring an automatic lock that kicks in after a short period of inactivity. It will keep the company safe and keep the employees from having to deal with similar problems again. Also, explain the key combination that locks the computer quickly with a single motion of the hand: on Windows, it is [Win] + [L], and on macOS, it is [Cmd] + [Ctrl] + [Q] (this information can be pinned to the screen).
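One way to check and enforce the automatic lock recommended above on Windows, as an added example that is not part of the original post. The 300-second limit, the `-Enforce` switch and the function names are assumptions of this example; the registry value is the one behind the "Interactive logon: Machine inactivity limit" policy.

```powershell
# Added example: audit (and optionally enforce) the Windows machine inactivity lock.
# Assumption: 300 seconds is a placeholder; the post only says "a short period".
param(
    [int]$MaxSeconds = 300,   # assumed threshold, adjust to your own policy
    [switch]$Enforce          # without this switch the script only reports
)

# Registry value behind "Interactive logon: Machine inactivity limit".
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'InactivityTimeoutSecs'

function Get-InactivityLimit {
    # Returns the configured limit in seconds, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-InactivityLimit {
    param($Current, [int]$Max)
    # A missing value or 0 means the machine never locks on inactivity.
    if ($null -eq $Current -or $Current -eq 0) { return 'NotConfigured' }
    if ($Current -gt $Max) { return 'TooLong' }
    return 'Compliant'
}

$current = Get-InactivityLimit
$state   = Test-InactivityLimit -Current $current -Max $MaxSeconds
Write-Output ("{0}: {1} = {2} -> {3}" -f $env:COMPUTERNAME, $Name, $current, $state)

if ($Enforce -and $state -ne 'Compliant') {
    # Writing under HKLM requires an elevated session.
    Set-ItemProperty -Path $Path -Name $Name -Value $MaxSeconds -Type DWord
    Write-Output ("Set {0} to {1} seconds" -f $Name, $MaxSeconds)
}
```

Run it without `-Enforce` first to see which machines are unconfigured; in a domain, the same value is better delivered through Group Policy than set per machine.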
A smartphone that is not locked and is left unattended is also a security risk. Yes, it’s not likely that someone will use it to spread viruses across the company network. However, a malicious user could still get useful contact information to trick someone or put spyware on the device. It means that some very bad things can happen, both for the company and for the person who owns the smartphone.
You can use the same general training methods from the last case: write an interesting email or chat message or download a “nice” picture and set it as their wallpaper. One more way to get the most done quickly is to take a picture of something surprising while leaving the phone alone. For instance, a picture of you or a coworker who works with you in a cool pose (with their permission, of course).
After that, give the employee the same instructions as previously and tell them to configure the system to lock itself out after a few minutes of inactivity. Because it is no longer necessary to type a lengthy password to unlock a smartphone in today’s world (just presenting a fingerprint or a picture of your face will do), this interval should be quite brief — somewhere in the range of thirty to sixty seconds.
Leaving your pass unattended is yet another poor practice that you should try to break. A legitimate pass is a real find for hostile visitors because it lets them get into the company’s office and gain physical access to corporate computers or data.
To get your careless coworkers to stop doing this dangerous thing, you will need the following:
- An office printer/scanner/copier
- A plastic card the same size as the errant pass
- A little diligence
Copy the unattended pass, carefully cut it out, glue it to your plastic card, and then put your work of art into the case in place of the real pass. The “victim” will find that real pass later.
Be at the office’s security gate when the victim tries to leave to observe how they respond when asked who they are and why they are leaving with a fake pass.
Remember, though, that this is a harsh way to train, and it could cause trouble between you and the other worker. Because of this, we only suggest it as a last option after all other warnings have failed.
Entrust the matter to professionals.
Of course, the above ways are not a replacement for full-on cybersecurity training, if only because they cover just a few of the threats that could happen. Still, if you don’t have any money for protection, they’re a good place to start.
In an ideal world, they would be used to get workers to think about information security and to help them remember what they learned in formal training. Please look at our 2 b Innovations Automated Security Awareness Platform (good for big businesses) to learn more.