Cyber security awareness model answers

1. William from IT telephones you advising that he is updating user accounts and requires your existing logon password to complete the update. What would you do (you can select more than one answer)?

Tell William your password

Ask William for a contact number and call him before disclosing your password

Call the ICT Support Desk and ask for William before disclosing your password

Refuse to disclose your password

Contact the ICT Support Desk for advice

Contact the Information Governance Lead for advice

The correct answer is to refuse to disclose your password, but it is also appropriate to notify the Support Desk and/ or the IG Lead so that they are aware of ‘phishing attempts’ that are taking place against you and your colleagues.

You should never disclose your password, and asking for a contact number doesn’t protect you – a hacker may be quite happy to give you their personal mobile which they will happily throw away once they have tricked someone into disclosing their password.

2. Which of these do you think would make your best password?

jobloggs

x9$5Aa67@Ez%19

BlueW1nter$ea

Sheffield23

The strongest password is almost certainly x9$5Aa67@Ez%19 – but it is so complex you couldn’t expect to remember it, so you would have to write it down. The best password here is BlueW1nter$ea. It uses three random words so is easier to remember, but because you avoid a common phrase it is unlikely to be ‘cracked’. If you routinely swap certain letters for characters (change i to !, s to $ etc) you can create a really safe password that you will remember quite easily. You should avoid names and simply adding numbers to a password is not recommended as good practice.

3. You receive an unwanted spam email at work; on the bottom of the email it says if you reply with ‘unsubscribe’ in the subject line it will unsubscribe you . What would you do:

Ignore the email and delete it

Forward it to the ICT Support Desk

Forward it to the IG Lead

Reply to prevent future spam

The best response is to ignore it and delete it. If in doubt, forward it to the ICT Support Desk and/ or the IG Lead – they may be able to tinker with the anti-spam filters to stop similar emails getting through. You should not reply to prevent spam – many spam emails are sent to randomly generated recipients. The sender doesn’t know that your email really exists, but as soon as you respond to ‘stop further emails’ they know your email address exists, which is likely to result in you receiving more spam in the future.

4. You need to do some online banking with your bank, Loadsamoney Ltd. Which one of these addresses would you use:

www.loadsamoney.co.uk

http://www.loadsamoney.co.uk

https://www.loadsamoney.co.uk

The key point here is to look for a web address that includes https. This means that the site is secure – depending on your browser you may also see a padlock icon.
This means that all information you type is scrambled before being sent and then unscrambled at the other end of the connection – anyone snooping on your website will only see gibberish. Lots of websites don’t need to be secure if they are just displaying non-confidential information, so don’t worry if you visit a site that just shows http… But never enter any sensitive, confidential or personal information unless you see the padlock or https – everything you type is being sent in plain text and could be seen by a hacker ‘sniffing website traffic’.

5. You need to complete some urgent work outside of work hours but don’t have a Trust laptop. What do you think you should do:

Password protect the documents and email them to your home computer

Use a file-sharing service such as dropbox or OneDrive

Request a laptop via your manager

Transfer the documents to an encrypted memory stick

Speak to the Information Governance Lead for advice

I would not undertake Trust work outside work hours

The best options are to request a laptop via your manager or speak to the IG Lead for advice. If you password protect a document or use an encrypted memory stick, this provides some protection against unauthorised access to information (for example if the memory stick is lost or stolen). But there is a risk that your document or memory stick is infected by a virus which is then transferred back to the Trust. You should not share business documents and memory sticks with personal computers.

6. To help us understand if you have ever had to work-around the rules to get your work completed, have you ever done the following (tick any that apply)

Password protected documents and emailed them to your home computer

Emailed documents to personal addresses without password protecting them

Used file-sharing services such as dropbox or OneDrive

Copied documents to unencrypted memory sticks

Copied documents to an encrypted memory stick, but used them on personal devices

Anything else that you felt was necessary to enable you to work effectively, but which you suspect isn’t entirely legitimate

This question was designed to identify where staff feel that they have to circumvent the rules. None of the options provided are particularly acceptable. We are grateful to all staff that completed this honestly, and identified where they have worked around the rules to get work done – the responses have been fed back (anonymously) to the Trust so that it can evaluate the action that might be needed to support staff in working outside core hours (where required) safely and securely.

7. You receive an email asking you to click the link shown (in the survey)- is it safe to click this link?

Yes

No

Don’t know

This link is not safe – when you click over a link most browsers will display the destination that you will be taken to when you click your mouse. In this case the innocent looking surveymonkey link is going to take you to a suspicious looking Russian website.

You may also receive email addresses where the true identity of the sender is hidden – for example, if you bank with Barclays, you may receive an email that looks like it is from Barclays, but the full email address is help@barclaysbank.nastyscammers.com

Be careful to read the full link or email address and if you are even in doubt regarding a link, don’t click it.

8. You are catching up on some emails in a coffee shop – which of these should you consider:

Should I use the free wifi or my mobile connection?

Should I have another muffin?

Comfy chair by the window or the tall chair that is better for my posture?

If you are connecting to free wifi you need to be aware that it probably isn’t secure. It is cheaper to use someone else’s wifi rather than a mobile connection, but the mobile connection is private and secure. If you have a work laptop with a VPN available (virtual private network) this allows you to create a secure connection even over a public wifi. If in doubt, be very cautious and don’t send any personal, sensitive or confidential information over a public wifi.

The question about another muffin was a red herring – but of course you should remember to lock your laptop screen and never leave it unattended if you do succumb to the temptation of another tasty treat.

Think about where you are sitting and who can see your screen – the Trust has invested lots of money on clever technology to keep your equipment and your data secure – all of this is useless if you have confidential information displayed on your screen that anyone can read over your shoulder.