Info-security training — with glue and scissors

DIY security trainings for your colleagues that are both fun (for you) and educational (for them).

How to get across the importance of information security without a budget for proper training.
Disclaimer. This is the April Fools’ Day blog post. The methods of “cybersecurity trainings” described in it are not entirely ethical, and are not universally considered acceptable. We recommend that you think twice before using them in real life and ideally obtain the consent of the team for such actions beforehand.

When it comes to information security, the weakest link is — and always has been — humans. That’s why our blogposts often advise companies to provide cybersecurity trainings for employees. Unfortunately, not all companies can afford to allocate the necessary funds for this. Another problem is that not all employees take such lessons seriously, so the knowledge they acquire often remains purely theoretical.

The good news is that this problem can be solved without spending huge sums of money. Below are a few fun and effective ways to demonstrate to your dear colleagues the importance of information security.

Passwords on sticky notes and printouts

One of the most dangerous habits that, sadly, many office employees are still guilty of is noting down passwords on scraps of paper and leaving them in public view. Even thousands of memes down the years of passwords stuck on monitors have failed to curb this practice.

The threat here is obvious: anyone visiting the office can take out their phone and discreetly snap all sticky notes with account credentials that catch their eye. Sometimes notes with passwords accidentally go public. For example, it’s not uncommon for a password to get leaked during a workplace interview or through some office photo posted on a social network.

Workplace interview with a revealing backdrop

Prince William gives an interview with login credentials pinned to the wall behind him for the Military Flight Information Publications (MilFLIP) system of the Royal Air Force

To discourage sticky-notes lovers from resorting to scribbling their passwords on them, you will need: a pen, several sticky notes, and someone good at imitating others’ handwriting; for printouts with passwords, nothing’s needed besides the printer itself. Armed with these simple tools, try replacing such sticky notes at the employee’s workplace — with similar but incorrect passwords. Then observe from a safe distance how the poor soul tries to log in to their account. And try not to laugh too loudly.

Ideally, you should leave the real sticky notes in a place where the involuntary test subject will find them after a while — otherwise they may think that it was just some system glitch or something like that (a lot depends on how tech-savvy the person is, in general). And be sure to point the hapless sinner in the direction of a good password manager for storing credentials the proper way.

Unlocked computers

Also dangerous is the habit of leaving one’s computer unlocked when away from one’s workstation. This too, unfortunately, is not uncommon. Even more unfortunately, it’s extremely difficult to manage this issue at a company-wide level.

Unlike with passwords on sticky notes, the risk here’s not of accidentally leaking sensitive information, but, should a hostile visitor come to the office, the threat can be just as grave — if not more so: it wouldn’t take long to infect an unlocked computer with malware. And after that, the options for attackers are far-ranging: from industrial espionage to a small but nasty ransomware infection.

Dealing with careless employees who don’t lock their computers is quite easy — and also rather entertaining, and you need just your own quick wits and dexterous hands to do it. The general strategy here’s very simple: wait until your colleague leaves their workstation, then do something “interesting” on their unlocked computer.

There are several proven tactics. The most effective is to write a chat message or e-mail on their behalf. For example, you might offer to buy an after-work drink for everyone in the department. Or pen a passionate e-mail. The choice is yours. Let your creative impulses run free — the wilder, the better (without overdoing it, of course).

The second option is quick and easy: on the unlocked computer, find an interesting image online and set it as the desktop wallpaper. The advantage here is that the victim cannot fail to miss the point: the demonstration will be literally in their face. True, the therapeutic effect may be lower due to the less public nature of the act. If you have enough time, these tactics can even be combined, and they do complement each other nicely.

To spare the employee any more such embarrassment and to protect the company’s security going forward, advise setting up automatic lockout after a short period of inactivity. And also explain what key combination to use to instantly lock the computer in one hand movement: on Windows it’s [Win] + [L], and on macOS it’s [Cmd] + [Ctrl] + [Q] (this information can be stuck to the screen:).

Unattended smartphones

An unlocked smartphone left unattended also poses a cybersecurity risk. Sure, the chances of an attacker using it to spread ransomware over the corporate network are low. But a hostile visitor could still get hold of some useful contact details with the intention of using them for social engineering, or plant spyware on the device. In other words, there can be some very unpleasant scenarios both for the company and personally for the smartphone owner.

In general, the training methods from the previous case apply here too: you can compose an interesting chat message or e-mail, or download a “nice” picture and set it as wallpaper. But there’s an additional tactic for maximum effect in the minimum time: photograph something unexpected on the unattended phone. For example, a picture of you or a mutual colleague in an interesting pose (with the latter’s consent, of course).

Afterward, as before, instruct the employee to set up automatic lockout after a short period of inactivity. Since there’s no need to enter a long password to unlock a smartphone nowadays (presenting a fingerprint or your face will do), this period should be very short — say, 30–60 seconds.

Abandoned passes

Another not-so-good habit is to leave your pass unattended. For our hostile visitor, a valid pass is a real find — one that can be used to break into the company’s office and gain physical access to corporate computers or documents.

To wean careless colleagues off this dangerous habit, you will need:

  • An office printer/scanner/copier
  • A plastic card the same size as the errant pass
  • Scissors
  • Glue
  • A little diligence

Take the unattended pass, photocopy it, carefully cut it out, glue it to your plastic imitation pass, and insert your artistic masterpiece into the holder in place of the real pass. Put said real pass in a place where the “victim” will find it later.

If possible, try to be at the security gate when the victim tries to exit the office, and see how they explain to the guards (if you have any, of course) who they are and why they’re using a forged pass.

Note, however, that this is a rather severe form of training, which could lead to a conflict between you and the other employee. We therefore recommend it only as a last resort after all words of warning have failed.

Entrust the matter to professionals

Of course, the methods described above are no substitute for full-fledged cybersecurity training, if only because they cover just a handful of the potential threats. That said, if your security budget is non-existent, they provide a good starting point.

Ideally, they should be used as bait to get employees thinking about information security, as well as to consolidate knowledge acquired during full-fledged training. To learn more, please take a look at our Kaspersky Automated Security Awareness Platform (suitable for large companies).

Disclaimer. This is the April Fools’ Day blog post. The methods of “cybersecurity trainings” described in it are not entirely ethical, and are not universally considered acceptable. We recommend that you think twice before using them in real life and ideally obtain the consent of the team for such actions beforehand.