Security Awareness Training Outline
A comprehensive training outline covering six modules across 180 minutes. Use this outline to build or evaluate your organization's security awareness training program.
Module 1: Phishing and Email Security
45 minutes. Teach employees to identify, avoid, and report phishing attempts across email, SMS, and voice channels.
Types of Phishing Attacks
Spear phishing: Targeted attacks using personalized information gathered from social media, company websites, and public records.
Business Email Compromise (BEC): Impersonation of executives, vendors, or partners to request wire transfers, gift cards, or sensitive data.
Smishing and vishing: Phishing via SMS text messages and voice calls that create urgency to bypass critical thinking.
Credential harvesting: Fake login pages designed to capture usernames and passwords.
QR code phishing (quishing): Malicious QR codes embedded in emails, documents, or physical media.
Red Flags to Watch For
Urgent or threatening language designed to bypass critical thinking.
Sender address discrepancies: a display name that does not match the actual address, or a domain that is similar to but not identical with the real one (swapped or look-alike letters, an extra word, or the real domain used as a subdomain of an attacker's domain).
Unexpected attachments or links, especially from unknown senders.
Requests for sensitive information, credentials, or financial transactions.
Grammar and formatting inconsistencies (though AI-generated phishing is increasingly polished).
Hands-On Exercise
Review 10 sample emails and identify which are legitimate and which are phishing attempts.
Practice reporting a suspicious email using the organization's phishing report button or forwarding procedure.
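A small checker for the "sender address discrepancies" red flag, usable when building the sample-email exercise above. This is an added example, not part of the original outline: the organization domain "example-corp.com" and the sample From: headers are constructed for illustration, and the function names are the author's own. It flags look-alike domains (digit and homoglyph substitutions such as "1" for "l" or "rn" for "m"), typosquats within two edits of the real domain, the real domain used as a subdomain, and display names that claim the organization while the address is external.

```python
"""Sender-address red-flag check for a phishing awareness exercise (added example)."""
import unicodedata
from email.utils import parseaddr

# Assumption: hypothetical organization domain used throughout this example.
ORG_DOMAIN = "example-corp.com"

# Characters attackers swap for visually similar ones; multi-character keys first.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
}


def skeleton(domain: str) -> str:
    """Fold a domain so that homoglyph look-alikes collapse to the same string."""
    d = unicodedata.normalize("NFKC", domain.lower())
    if "xn--" in d:  # punycode label(s): decode to the Unicode form before folding
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    for look_alike, real in CONFUSABLES.items():
        d = d.replace(look_alike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute); fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header_from: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the red flags raised by a From: header value; an empty list means none."""
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return ["unparseable From address"]
    domain = addr.rsplit("@", 1)[1].lower()
    flags: list[str] = []
    if domain == org_domain:
        return flags  # genuine domain; SPF/DKIM/DMARC are the mail gateway's job, not this check's
    if skeleton(domain) == skeleton(org_domain):
        flags.append(f"look-alike domain {domain!r} imitates {org_domain!r}")
    elif edit_distance(domain, org_domain) <= 2:
        flags.append(f"typosquat {domain!r} is within 2 edits of {org_domain!r}")
    if domain.startswith(org_domain + "."):
        flags.append(f"real domain appears as a subdomain of {domain!r}")
    org_name = org_domain.split(".")[0].split("-")[0]  # "example" for example-corp.com
    if display and org_name in display.lower():
        flags.append(f"display name {display!r} claims the organization but address is {addr!r}")
    return flags


# Constructed sample headers for the exercise (not real messages).
SAMPLE_EMAILS = [
    "IT Helpdesk <helpdesk@example-corp.com>",
    "Example Corp IT Support <it.support@gmail.com>",
    "<payroll@examp1e-corp.com>",
    "CEO <ceo@example-corp.com.secure-login.net>",
    "<finance@exampel-corp.com>",
    "<billing@example-corp.corn>",
    "<hr@ex\u0430mple-corp.com>",  # Cyrillic a in place of Latin a
]


def run_exercise(samples: list[str] = SAMPLE_EMAILS) -> dict[str, list[str]]:
    """Map each sample From: header to the red flags it raises."""
    return {header: check_sender(header) for header in samples}


if __name__ == "__main__":
    for header, flags in run_exercise().items():
        print(header, "->", flags or "no sender red flags")
```

The check is deliberately limited to the From: header, which is the field a user sees; a real gateway decision also needs the authentication results (SPF, DKIM, DMARC), and a sender that passes this check can still be a compromised legitimate account.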
Module 2: Social Engineering
30 minutes. Build awareness of manipulation techniques attackers use beyond email to trick employees into revealing information or granting access.
Common Techniques
Pretexting: Creating a fabricated scenario (e.g., posing as IT support) to extract information or gain access.
Tailgating and piggybacking: Following authorized personnel through secured doors or access points.
Baiting: Leaving infected USB drives or devices in common areas for employees to find and plug in.
Watering hole attacks: Compromising websites frequently visited by target employees.
Impersonation: Posing as vendors, delivery personnel, or new employees to gain physical or logical access.
Defense Strategies
Always verify the identity of callers and visitors through an independent channel (call back on a number from the directory, not one the caller gives you) before providing access or information.
Never share credentials, access badges, or security codes with anyone, including colleagues and IT staff.
Challenge unfamiliar individuals in secure areas and report suspicious behavior.
Follow the principle of least information: share only what is necessary and relevant.
Module 3: Password and Authentication Security
30 minutes. Establish strong password practices and understanding of multi-factor authentication.
Password Best Practices
Use unique passwords for every account. Never reuse passwords across personal and work accounts.
Use passphrases of 16 or more characters made of several unrelated words. The well-known example "correct horse battery staple" shows the pattern, but it appears in every cracking wordlist, so never use it or any other published example as an actual password.
Use an approved password manager to generate and store complex, unique passwords securely.
Never write passwords on sticky notes, whiteboards, or in unencrypted documents.
Never share passwords via email, chat, or phone, even with IT support.
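Trainers sometimes need to show why the "16 or more characters of unrelated words" rule is about how the words are chosen, not just about length. The following is an added example, not part of the original outline: it generates passphrases with the CSPRNG, reports their guessing entropy from the size of the word list actually used, and applies the module's length rule together with a 44-bit entropy floor that is an assumption of this example rather than a figure from the outline. The 16-word list is a constructed stand-in for a real diceware-style list of thousands of words.

```python
"""Passphrase strength illustration for the password module (added example)."""
import math
import secrets

# Constructed stand-in for a vetted diceware-style list; a real list has thousands of
# words, and the entropy figures below use whichever list size is passed in.
SAMPLE_WORDS = [
    "anchor", "basil", "comet", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "plume",
]

# Published example phrases; every cracking wordlist already contains them.
PUBLISHED_EXAMPLES = {"correct horse battery staple"}


def entropy_bits(num_words: int, list_size: int) -> float:
    """Guessing entropy of num_words words chosen uniformly from a list_size-word list."""
    return num_words * math.log2(list_size)


def generate_passphrase(words: list[str], num_words: int = 4, sep: str = " ") -> str:
    """Pick words with the CSPRNG; random.choice is not suitable for secrets."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def evaluate(phrase: str, list_size: int, min_length: int = 16, min_bits: float = 44.0) -> dict:
    """Apply the module's length rule plus an entropy floor (min_bits is this example's assumption)."""
    words = phrase.split()
    bits = entropy_bits(len(words), list_size)
    problems = []
    if phrase.lower() in PUBLISHED_EXAMPLES:
        bits = 0.0  # a published phrase is the attacker's first guess, whatever its length
        problems.append("published example phrase; treat as zero entropy")
    if len(phrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if bits < min_bits:
        problems.append(
            f"{bits:.1f} bits from {len(words)} words of a {list_size}-word list, below {min_bits}"
        )
    return {"bits": bits, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 5)
    print(phrase, evaluate(phrase, len(SAMPLE_WORDS)))          # weak: tiny list
    print(evaluate("anchor basil comet dune", 7776))             # strong: 4 words, 7776-word list
    print(evaluate("correct horse battery staple", 7776))        # long but published
```

The three cases show the point: five words from a 16-word list pass the length rule but give only 20 bits, four words from a 7776-word list give about 52 bits, and the 28-character published example is worthless because attackers try it first.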
Multi-Factor Authentication (MFA)
Understand why MFA is required: a stolen or phished password alone should not be enough to log in.
Learn to use the organization's approved MFA method (e.g., Microsoft Authenticator, FIDO2 key). FIDO2 security keys resist phishing because they only work with the genuine site; one-time codes and push approvals can be relayed through a phishing page.
Recognize MFA fatigue attacks: an attacker who already has your password sends repeated push prompts hoping you will approve one just to make them stop. Never approve an MFA prompt you did not initiate.
Report repeated unexpected MFA prompts to IT Security immediately. An unexpected prompt means your password is already in someone else's hands, so it must be changed.
Module 4: Device and Endpoint Security
30 minutes. Ensure employees understand how to secure their workstations, laptops, and mobile devices.
Workstation Security
Lock your workstation when stepping away (Windows: Win+L, Mac: Ctrl+Cmd+Q).
Enable automatic screen lock after 5 minutes of inactivity.
Do not disable or interfere with endpoint protection software (antivirus, EDR).
Install software only from approved sources and through the organization's software catalog.
Connect to the corporate VPN when working from public or untrusted networks.
Mobile Device Security
Enable device encryption and biometric or PIN lock on all mobile devices used for work.
Keep device operating systems and apps updated to the latest versions.
Do not jailbreak or root devices that access organizational data.
Use the organization's Mobile Device Management (MDM) solution and do not remove management profiles.
Report lost or stolen devices to IT Security immediately for remote wipe.
Physical Security
Do not leave laptops unattended in vehicles, conferences, or public spaces.
Use privacy screens when working with sensitive data in public areas.
Secure portable storage devices (USB drives, external hard drives) when not in use.
Follow clean desk policies: lock sensitive documents in drawers at the end of the day.
Module 5: Data Handling and Classification
30 minutes. Train employees on how to identify, handle, and protect different types of organizational data.
Data Classification Levels
Public: Information intended for public release with no restrictions on distribution.
Internal: Information for internal use only that should not be shared externally without authorization.
Confidential: Sensitive business information requiring protection (financial data, strategic plans, HR records).
Regulated: Data subject to legal or contractual requirements, such as Controlled Unclassified Information (CUI), personally identifiable information (PII), protected health information (PHI), and payment card data (PCI), each with specific handling obligations.
Handling Requirements
Apply sensitivity labels to documents and emails according to the data classification policy.
Encrypt sensitive data before sharing via email or file transfer.
Use approved file sharing platforms (SharePoint, OneDrive) instead of personal email or consumer cloud storage.
Do not store sensitive data on local desktops, personal devices, or unapproved cloud services.
Follow data retention and disposal policies. Shred physical documents and securely delete digital files.
AI and Data Handling
Do not enter CUI, PII, PHI, or proprietary data into unapproved AI tools.
Review AI-generated content for accuracy before using it in business operations.
Follow the organization's AI Acceptable Use Policy when using any AI tools for work.
Module 6: Incident Reporting
15 minutes. Ensure every employee knows how to recognize and report security incidents quickly and effectively.
What to Report
Suspicious emails, phone calls, or messages (even if you did not click or respond).
Unexpected MFA prompts, password reset requests, or account lockouts.
Lost or stolen devices, badges, or keys.
Unusual system behavior: pop-ups, slow performance, unexpected software installations.
Suspected data exposure: accidentally sending sensitive data to the wrong recipient.
Physical security concerns: tailgating, unknown individuals in secure areas, propped-open doors.
How to Report
Use the phishing report button in Outlook or your email client for suspicious emails.
Contact IT Security via [phone number / email / ticketing system] for other security incidents.
Do not attempt to investigate or remediate incidents on your own.
Preserve evidence: do not delete suspicious emails, and do not shut down or restart a system you think is compromised; a reboot destroys the volatile evidence (running processes, network connections, memory) that investigators need.
Time is critical: report immediately rather than waiting to gather more information.
After Reporting
The IT Security team will acknowledge your report and provide next steps.
You may be asked to provide additional details or preserve specific evidence.
There is no penalty for reporting false positives. Reporting is always encouraged.
Your report helps protect the entire organization. Every report matters.
Need a Custom Training Program?
Our team can develop and deliver a customized security awareness training program tailored to your industry, compliance requirements, and organizational culture.