RE: Security Training for Company's Employee

["Burton Strauss" <Burton () FelisCatus org>]

I'd echo the earlier comments... DO NOT TRY TO DO TOO MUCH.  At best, you
have an hour?  Which translated at best to 20 minutes of real attention -
from a non-computer audience.  So use NO computer terms.

The best thing you can teach in a short period is TRUST NOBODY.

Phone numbers, web addresses, etc. - anything that YOU DO NOT INITIATE to a
trusted source should - politely - be refused.

How DO you know that phone call came from XYZ Credit card company?  Because
they said so?  Caller ID? That can be faked?  The ONLY safe way is to ask
for their department and/or extension, and hang up.  Then call the phone #
embossed on the back of your credit card and ask to be transferred to that
department/person.

How DO you KNOW that phone call really came from Tech Support when they ask
you for your password?  Because they said that's who they are?  Because the
know a bit about the company's computer systems?  No way - you can't know.
So don't give information out.  Ask for the person's name and call the
published number for the help line and ask to be transferred to them.

Same goes for Web addresses.  Is www.xyzonline.com the same as
www.xyzbank.com?  How do you KNOW?

Same goes for files in email.  Unless you are expecting it, DO NOT OPEN IT.
If you are the SLIGHTEST BIT unsure, call the person who sent you the file
and ASK.

Remember: The only SAFE contact is one that YOU initiate to a well known /
published address or phone number.  If they tell you that there's no way for
you to contact them?  If that's what they think of security, then you really
don't want to give that company your business do you?

-----Burton