Cyberattacks cost organizations billions annually, and most breaches start with human error. This module gives you the knowledge to protect yourself and your workplace.
Why This Matters
Organizations spend millions on firewalls and antivirus software, but the most common entry point for attackers is a person clicking the wrong link. Over 90% of successful cyberattacks start with phishing: a deceptive email or message tricking someone into taking a harmful action.
This isn't about blaming employees. Attackers are sophisticated and their methods are increasingly convincing. The goal is to build habits that make you a harder target and know what to do when something seems wrong.
Think of cybersecurity like office building security. The company has locks, security cameras, and a reception desk (technical controls). But if an employee holds the door open for someone without a badge because they seem friendly, all that technical security is bypassed instantly. Human behavior is the security perimeter.
AI tools introduce new attack surfaces: prompt injection (tricking an AI into revealing data), data leakage (pasting confidential info into ChatGPT), oversharing sensitive documents with cloud models, and shadow IT risks when employees use unapproved AI services. Every prompt you type is sent to remote servers. This module builds the awareness to use AI responsibly: knowing what data to share and what to keep offline.
Common Threats
Passwords
Weak passwords are one of the leading causes of account compromises. "123456" is still the most common password in data breaches.
Never use: Your name, birthday, pet's name, company name, "password", "123456", or any single dictionary word.
Avoid: Reusing the same password across sites. If one site is breached, attackers try your password everywhere (credential stuffing).
Best practice: Use a password manager (Bitwarden, 1Password, LastPass). It generates and stores unique, complex passwords for every site. You only remember one master password.
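The three password rules above, turned into a checker you can run. This is an added example and not part of the training module; the word lists, the 12-character minimum, and the sample passwords and personal details are constructed assumptions for illustration.

```python
"""Added example (not part of the training module): weak-password checks that
implement the 'never use', 'avoid reuse' and 'single dictionary word' rules.
The word lists, the 12-character minimum and the sample inputs are constructed
assumptions for illustration."""
import re
from collections import defaultdict

# Constructed: a tiny stand-in for the breach-derived lists real checkers use.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678", "111111"}
# Constructed: a tiny stand-in for a dictionary word list.
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "football", "monkey", "letmein"}
MIN_LENGTH = 12  # assumption; the module itself sets no specific length


def core_word(password: str) -> str:
    """Lowercase and strip digits/symbols from both ends, so 'Fluffy2019!' -> 'fluffy'.
    This catches the habit of 'disguising' one word with a year or a symbol."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def password_problems(password: str, personal_terms=()) -> list:
    """Return the rules this password breaks (empty list = none of these rules).
    personal_terms: things an attacker can look up (name, birthday, pet, employer)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if core_word(password) in DICTIONARY_WORDS:
        problems.append("a single dictionary word with decoration")
    flattened = re.sub(r"[^a-z0-9]", "", lowered)
    for term in personal_terms:
        # Separators are removed on both sides so '1990-03-14' matches '19900314'.
        normalized = re.sub(r"[^a-z0-9]", "", term.lower())
        if len(normalized) >= 3 and normalized in flattened:
            problems.append(f"contains personal information: {term}")
    return problems


def reused_passwords(passwords_by_site: dict) -> dict:
    """Map each password used on more than one site to those sites.
    A breach of any one of them exposes all the others (credential stuffing)."""
    sites_by_password = defaultdict(list)
    for site, password in passwords_by_site.items():
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample: a fictional employee's personal details and candidates.
    sarah = ("Sarah", "Chen", "Fluffy", "1990-03-14", "Acme")
    for candidate in ("123456", "Fluffy2019!", "Summer2024", "xK9#pL2$mQ7vB4nW"):
        print(candidate, "->", password_problems(candidate, sarah) or "no problems found")
    vault = {"email": "Summer2024", "bank": "Summer2024", "vpn": "xK9#pL2$mQ7vB4nW"}
    print("reused across sites:", reused_passwords(vault))
```

The last candidate is what a password manager produces: long, random, and unrelated to anything about the person, which is why it passes every check while "Fluffy2019!" fails two of them.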
Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires two or more forms of verification: something you know (password) + something you have (phone/authenticator) or something you are (fingerprint). Even if someone steals your password, they still can't log in without your second factor. Microsoft reports that MFA blocks 99.9% of automated account attacks.
Authenticator apps: most secure and recommended. Apps like Microsoft Authenticator, Google Authenticator, or Authy generate a 6-digit code that changes every 30 seconds. Even if attackers capture the code, it expires in half a minute. No SIM card required; works offline.
SMS codes: better than nothing, but not ideal. A text with a code sent to your phone. Vulnerable to SIM-swapping attacks (criminals convince your carrier to transfer your number). Also vulnerable to real-time phishing. Still far better than password-only login.
Hardware security keys: strongest option for high-security accounts. A physical USB device (like a YubiKey) that you plug in to confirm identity. Cannot be phished remotely; the attacker needs the physical key. Used by journalists, executives, and high-security roles.
Biometrics: convenient and increasingly common. Fingerprint readers, Face ID, and Windows Hello use physical characteristics. Very hard to steal remotely. Combine with a PIN for best security.
Recognizing Phishing
Phishing attacks are increasingly sophisticated. Train your eye by comparing these two emails: one legitimate, one fake.
Legitimate email:
Hi Sarah Chen,
Your March statement is now available in your account. You can review it by logging into your PayPal account at paypal.com.
If you have questions, contact us through the Help Center in your account.
PayPal, Inc., San Jose, CA 95131
Phishing email:
Dear Customer,
We detected unusual activity on your account. You must verify your identity within 24 hours or your account will be permanently suspended.
Click here to verify now
(Hovering over the link shows: paypa1-secure.net/verify, NOT paypal.com)
PayPal Securty Team
What gives the fake email away:
1. Sender address: "paypa1-secure.net" uses the number 1 instead of the letter l, and a different domain.
2. Generic greeting: "Dear Customer" instead of your actual name.
3. Artificial urgency: "within 24 hours" and "permanently suspended" create pressure to act without thinking.
4. Suspicious link: Hovering reveals a URL that doesn't match paypal.com.
5. Spelling error: "Securty" instead of "Security", subtle but telltale.
Other common red flags:
Sender address mismatch: Display name says "Microsoft Support" but email is support@m1crosoft-help.net. Always check the actual address.
Generic greetings: "Dear Customer" instead of your name signals a mass phishing campaign.
Unexpected attachments: An invoice from a company you don't recognize. .exe, .zip, .docm files are particularly risky.
Poor grammar/spelling: While sophisticated attacks are well-written, many still contain errors and awkward phrasing.
Before clicking any link: hover over it (don't click) and check the URL. Verify: (1) Is the domain exactly correct? (2) Does it use HTTPS? (3) Is it relevant to the sender?
On mobile, long-press a link to preview the URL. When in doubt, navigate to the website manually by typing the address yourself.
If suspicious: (1) Don't click links or download attachments. (2) Don't reply. (3) Report to IT (often a "Report Phishing" button in Outlook). (4) If it might be real, contact the organization using a number or URL you already know, not info from the email.
If you already clicked: Report to IT immediately. Early detection limits damage. Don't be embarrassed; phishing fools even security professionals.
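The link and sender checks described above, written out as a small triage helper. This is an added example and not part of the training module; the trusted-domain list and the sample links and addresses (taken from the module's own paypa1/m1crosoft examples) are constructed assumptions, and the domain split is deliberately simplified.

```python
"""Added example (not part of the training module): a triage helper that applies
the link and sender checks from the text. The trusted-domain list and the sample
messages are constructed assumptions; the domain split is simplified."""
from urllib.parse import urlparse

# Constructed: domains the reader already knows to be the real organizations.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com"}

# Letters and the digits that get swapped in for them ('paypa1', 'm1crosoft',
# 'amaz0n') are folded to one symbol so a lookalike compares equal to the brand.
_SKELETON = str.maketrans({"l": "1", "i": "1", "o": "0", "e": "3", "s": "5", "t": "7"})


def skeleton(label: str) -> str:
    """'paypal' and 'paypa1' both become 'paypa1'; 'microsoft' and 'm1crosoft' both 'm1cr050f7'."""
    return label.lower().translate(_SKELETON)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.paypal.com' -> 'paypal.com'.
    Simplified: multi-part suffixes such as 'co.uk' are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> list:
    """Answer the module's questions for one URL: is the domain exactly a trusted
    one, is it HTTPS, and does it merely imitate a trusted brand?
    Returns the problems found; an empty list means nothing obvious is wrong."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    domain = registrable_domain(parsed.hostname or "")
    problems = []
    if parsed.scheme != "https":
        problems.append("not HTTPS")
    if domain in TRUSTED_DOMAINS:
        return problems
    # 'paypa1-secure.net' -> words ['paypa1', '53cur3']; the first is the brand skeleton.
    words = skeleton(domain.split(".")[0]).split("-")
    imitated = [t for t in TRUSTED_DOMAINS if skeleton(t.split(".")[0]) in words]
    if imitated:
        problems.append(f"lookalike of {imitated[0]}: {domain}")
    else:
        problems.append(f"domain not on the trusted list: {domain}")
    return problems


def check_sender(display_name: str, address: str) -> list:
    """Flag a display name that claims a trusted brand the address does not belong
    to, plus any lookalike trick in the address's own domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    problems = [p for p in check_link("https://" + domain) if p.startswith("lookalike")]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registrable_domain(domain) != trusted:
            problems.append(f"display name claims {brand} but address is @{domain}")
    return problems


if __name__ == "__main__":
    # Constructed samples: the fake PayPal link and the Microsoft sender from the text.
    print(check_link("https://www.paypal.com/myaccount"))
    print(check_link("paypa1-secure.net/verify"))
    print(check_sender("Microsoft Support", "support@m1crosoft-help.net"))
    print(check_sender("Sarah Chen", "sarah.chen@example.com"))
```

The skeleton trick is the same one the red-flag list describes in reverse: the module tells you to look for a 1 where an l should be, and the helper simply makes both characters look identical before comparing. A plain colleague's address produces no findings, so the helper only speaks up when a brand is being imitated or claimed.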
Data Privacy
PII (Personally Identifiable Information): Name, address, phone, email, DOB, SSN, financial details. Enables identity theft.
PHI (Protected Health Information): Medical records, diagnoses, treatments. Protected by HIPAA in the US.
Company confidential: Financial results before announcement, client lists, pricing, strategic plans, source code, salaries.
Key habits: (1) Need to know: only access data you need for your job. (2) Encrypt sensitive files before emailing. (3) Lock your screen (Win+L or Ctrl+Cmd+Q) when stepping away. (4) Don't store sensitive data in personal cloud accounts. (5) Use company devices for company data.
GDPR (EU): Requires explicit consent, right to be forgotten, breach notification within 72 hours. Applies to any org handling EU residents' data.
HIPAA (US): Protects health information. Heavy fines for violations.
CCPA (California): Rights to know what's collected, opt out of sales, request deletion.
You don't need to be a lawyer, but know your company's policies and when to escalate.
If you suspect a breach (sent sensitive data to the wrong person, lost a laptop, compromised account): Report it immediately. Don't wait. Most regulations require reporting within 72 hours. You won't be penalized for reporting; you may be penalized for not reporting.
Security Checklist
Make each of these items part of your routine:
Use a unique, strong password for every work account: use a password manager.
Enable MFA on all work accounts: email, VPN, cloud tools.
Lock your screen when stepping away: Win+L or Ctrl+Cmd+Q.
Verify sender addresses before clicking links: hover over links to preview URLs.
Keep software and OS updated: security patches close known vulnerabilities.
Use the company VPN on public Wi-Fi: never do sensitive work on unprotected networks.
Report suspicious emails to IT immediately: don't click, don't reply.
Store company data on approved company tools only, not personal accounts.
Never share your password with anyone: IT won't ask for it.
Check Your Understanding
Answer all questions to complete this module.
1. An email from "support@amaz0n-verify.com" asks you to confirm your order by clicking a link. What should you do?
2. Which MFA method is most secure?
3. You accidentally emailed a spreadsheet with customer SSNs to the wrong person. What should you do first?
4. Before pasting company financial data into an AI tool like ChatGPT, you should: