Cybersecurity Onboarding & Awareness Guide
Cybersecurity is critical for our lean, remote startup. With 43% of small businesses suffering cyber attacks last year, every contractor’s device and login is a potential entry point. This guide transforms our policy into actionable steps to protect our data, clients, and reputation.
Security Modules
Account Security
Strong Passwords and Multi-Factor Authentication (MFA)
Account credentials are the simplest yet most effective security measure. We must treat them as the first line of defense against unauthorized access.
Key Requirements
Use Strong Passphrases. Aim for a minimum of 12 characters, mixing letters, numbers, and symbols. Never reuse passwords.
Mandatory MFA
Multi-factor authentication is required on all company accounts, especially Microsoft 365, so that every login is verified with a second factor.
Password Manager
Use a reputable password manager to generate and store complex passwords, so you never have to write them down.
Never Share Credentials
Your password is for you alone. The company will never ask for it via email or phone.
Change Default Passwords
Immediately change any default passwords provided to you for any service or device.
Trusted Sites Only
Do not use company credentials on untrusted sites or personal, unsecured devices.
Quick Reference: Top 8 Actionable Steps
Enable MFA and Use Passphrases
Use a passphrase of at least 12 characters and ensure Multi-Factor Authentication is active on all company accounts.
Verify Unexpected Requests
If an email is strange (especially financial requests), verify it through a different channel (call or text) before acting.
Lock Your Screen
Lock your device (Win+L on Windows, Cmd+Ctrl+Q on macOS) any time you step away, even briefly.
Keep Software Updated
Enable automatic updates for your OS, apps, and antivirus to patch vulnerabilities.
Use Secure Company Channels
Share files via OneDrive or SharePoint links with correct permissions, not personal email or public drives.
Report Incidents Immediately
If you click a bad link or lose your device, report it to management right away; speed is critical.
VPN on Public Wi-Fi
Avoid public Wi-Fi for sensitive work, or use a Virtual Private Network (VPN) to encrypt the connection.
Phishing
Phishing Awareness: Think Before You Click
Phishing is a top risk, often exploiting human error via fraudulent emails (or messages) that trick you into clicking malicious links or giving away data. Vigilance is our best defense.
Common Red Flags to Look For
False Urgency: Messages creating panic (e.g., “Act now or account will be closed!”).
Spoofed Addresses: Slight misspellings in the sender’s email (e.g., micros0ft.com).
Generic Greetings: Using “Dear Customer” instead of your specific name.
Poor Quality: Obvious poor grammar, spelling errors, or strange requests.
Unexpected Request: Any unusual request for payment or data, especially one appearing to come from a co-founder or client.
CEO Fraud: Attackers impersonating people you know. Always verify unusual financial or sensitive data requests via a different channel (phone/text).
What to do if you suspect Phishing
Action 1: Report and Delete
If you suspect an email is malicious, do not click anything. Use the built-in “Report Phishing” button in Outlook to flag the message for Microsoft. This helps train our filters and protects everyone.
Action 2: Inform the Team
Immediately inform our Operations Manager or designated team member about the phishing attempt, especially if you almost fell for it or did click something. Quick reporting minimizes damage.
Cloud Tools
Secure Use of Microsoft 365 and Cloud Tools
We rely on Microsoft 365 (Outlook, OneDrive, SharePoint) for collaboration. We must use these platforms as intended to leverage their built-in encryption and access controls.
Approved Cloud Usage Guidelines
Share via OneDrive/SharePoint
Use company provided platforms for file sharing with colleagues and clients, not personal email or public links.
Heed Warnings
Always pay attention to M365 warnings about sensitive files, external emails, or unverified senders.
Manage Permissions
Practice the principle of least privilege: only grant access to files and folders to those who genuinely need it. Double-check link settings.
Avoid External Cloud Services
Never upload company files to unauthorized services or personal Google Drives; keep all data within approved, secure systems.
Use Secure Sharing
Instead of emailing sensitive documents, share a OneDrive link with appropriate permissions or use a password protected file.
Use Approved Communication Tools
Prefer Microsoft Teams or Slack over consumer messaging apps for work, as approved tools have proper security controls and auditing.
Device Security
Protecting Your Work Device
Whether company provided or personal, your device’s security is your responsibility. Outdated software and unlocked devices are easy targets for exploitation.
Essential Device Maintenance
Automatic Updates: Keep your OS (Windows, macOS) and key apps up to date with the latest security patches. Enable automatic updates.
Antivirus & Firewall: Install reputable antivirus or anti-malware software and make sure it and a firewall are active and kept updated. Windows Defender is acceptable if it is maintained.
Strong Login: Always use a password, PIN, or biometric lock. Do not leave devices unlocked or unattended.
Lock Your Screen: Get in the habit of locking your screen (e.g., Win+L) whenever you step away, even for a moment.
Full Disk Encryption: Enable BitLocker (Windows) or FileVault (Mac) to protect data if the device is lost or stolen.
Safe Installs: Avoid installing software or extensions from untrusted sources; stick to official app stores and trusted vendors.
USB Caution: Never connect unknown USB drives or accessories to your computer; they could be malicious.
Network Safety
Safe Network Practices for Remote Work
Working remotely requires extra mindfulness of network security, whether at home or in public. Your connection point is a common pathway for attackers.
Home vs. Public Network Rules
Secure Home Wi-Fi
Use a strong Wi-Fi password with WPA2/WPA3 encryption, and change the default admin password on your router.
Avoid Public Hotspots
Ideally, avoid public Wi-Fi for sensitive work. If you must use it, enable a VPN to encrypt your connection.
Use Secure Sites (HTTPS)
Stick to secure websites (look for the padlock icon) for any service where you enter passwords or sensitive data.
Disable Sharing in Public
Turn off file and device sharing services on your laptop when connected to public Wi-Fi.
Be Wary of Social Engineering
Verify identity through official channels if someone calls or texts claiming to be from the company and asks for sensitive info.
Router Updates
Check your home router manufacturer’s website for firmware updates to patch security vulnerabilities.
Access Control
Access Control and the Principle of Least Privilege
We operate on the principle of least privilege, meaning you receive the minimum level of access needed for your role. This is vital to reduce the risk of accidental or malicious data exposure.
Your Responsibilities for Access
Use Only Granted Access: Only use the accounts and permissions you have been granted. Never attempt to access unauthorized areas.
Request Additional Access: If you need more permissions, request it formally through the proper channel.
Account Sharing is Forbidden: Never share your login details. Sharing accounts bypasses security controls and muddies accountability (all access is logged).
Immediate Offboarding: When your contract is completed, the company will immediately revoke access. This is a vital security step.
Report Discrepancies: If you unexpectedly lose access you need, or find you still have access you shouldn’t, report it immediately for adjustment.
Data Protection
Data Protection, Privacy, and Compliance
We handle confidential client, company, and personal data. Our practices must meet legal requirements (like GDPR/UAE regulations) and uphold client trust. Treat all data as sensitive by default.
Confidentiality and Data Handling
Share on a Need-to-Know Basis
Only share data with those who are authorized and who genuinely need it for their work. Maintain strict confidentiality practices.
Secure Storage is Key
Store all project data in the designated secure location (SharePoint folder), never locally on an unencrypted drive.
Avoid Personal Transfers
Do not forward client documents from your work email to your personal email, or upload them to unapproved external services.
Secure Disposal
Once you have finished a task, delete or shred local and printed copies of sensitive data securely. Do not keep local copies longer than necessary.
Training Scenarios: Identify and Respond
Scenario 1: Urgent Credential Theft
This is a common, large-scale attack that mimics a trusted service (like Microsoft 365, IT support, or a bank). The goal is to create a false sense of panic or urgency to trick you into clicking a link and entering your login credentials on a fake website.
Key Red Flags (The Hook)
Threat of Suspension
Language like “Your account will be suspended in 24 hours” or “Immediate action required” to induce panic.
Fake Login Page
The link takes you to a login page that looks legitimate but asks for your full credentials or security codes.
Suspicious Links
Hovering over the link reveals a URL that does not match the sender’s official domain name.
Generic Greeting
Addressed as “Dear Customer” or “Dear User” instead of your specific name.
Correct Action Plan
Do Not Click: Do not click the link or reply to the email.
Verify Out-of-Band: Instead of using the link, manually open a new browser tab and navigate directly to the service’s official website (e.g., outlook.com or your company’s official login portal).
Check Status: If there is a real problem, you will see a notification after logging in. If not, the email is a phish.
Report and Delete: Use the “Report Phishing” button in Outlook, then delete the message.
Scenario 2: Executive Impersonation (CEO Fraud)
This highly targeted attack (whaling or spear phishing) impersonates a senior executive (CEO, CFO, or a co-founder). The goal is often an urgent wire transfer, vendor change, or a request for highly sensitive data (e.g., tax forms), relying on your respect for authority and fear of escalation.
Key Red Flags (The Pressure)
Requests for Secrecy
The email stresses that the request is “confidential” and “don’t tell anyone” to bypass normal verification protocols.
Bypassing Protocol
The demand asks you to circumvent established financial procedures (e.g., “Do not wait for a second approval”).
Unusual Timing or Tone
The message is sent late at night, or the tone/language is uncharacteristic of the executive’s normal style.
Subtle Spoofing
The sender’s domain is slightly different (e.g., “CEO@companyn.com” instead of “CEO@company.com”).
Correct Action Plan
STOP and Pause: Immediately halt any action, especially financial transactions.
Verify via Known Channel: Do not reply to the suspicious email. Call the executive’s known phone number or send a message on an approved internal chat (Teams, Slack) to confirm the request is legitimate. Always use a contact method you know is correct, not the one provided in the email.
Confirm Financial Protocol: All high-value requests must align with established, documented financial procedures (e.g., requiring dual approval).
Scenario 3: Malicious Attachments and Downloads
This attack uses an attachment (e.g., a PDF invoice, a zip file, or a shipping notice) to deliver malware or ransomware. The goal is often to trick you into downloading and running a file that grants the attacker access to your device.
Key Red Flags (The Payload)
Unsolicited Attachment
An email with an attachment that you were not expecting, even if it appears to be from a known sender.
Content Mismatch
The email body is generic or poor quality but includes a very official-looking document attached.
Suspicious File Types
Be wary of unexpected .exe, .scr, or compressed file formats like .zip or .rar.
Double Extensions
The email says the attachment is a “PDF” but the file extension is actually .pdf.exe (double extension).
Link Instead of Attachment
Legitimate companies often direct you to their site to download documents safely, rather than attaching them directly.
Mass Recipient List
If the email is sent to a large group of seemingly unrelated recipients, it is likely a mass-campaign attack.
Correct Action Plan
Do Not Download/Open: Do not download or open the attachment until verified.
Use Trusted Method: If the attachment is expected, use a known, trusted method (e.g., an internal file share or a direct call to the sender) to request the file be shared securely (e.g., via OneDrive link).
If Opened: If you accidentally open a suspicious attachment, immediately disconnect your device from the network (Wi-Fi/Ethernet) and contact the Operations Manager or IT support immediately.
Set Up Multi-Factor Authentication (MFA) for Microsoft 365
MFA is mandatory for all company accounts, and the Microsoft Authenticator app is the easiest and most secure method. It lets you sign in by approving a single notification, avoids text-message delays, and works even when your mobile device is offline or travelling.
Step 1: Install the App and Navigate to Security Info
Before beginning the setup on your computer, ensure you have the app installed on your mobile device (phone or tablet).
Download the App: Search for 'Microsoft Authenticator' in your phone’s app store (iOS or Android) and install it.
Access Security Info: On your computer, open a web browser and go to your Microsoft security information page:
mysignins.microsoft.com/security-info
(or log in to portal.office.com and follow the 'More information required' prompts).
Add Method: If prompted to add a method, select 'Add sign-in method', choose 'Microsoft Authenticator' from the dropdown menu, and select 'Add'.
Step 2: Link Your Account via QR Code
Your computer screen will now display a QR code (a black and white square) that links your company account to the physical device you hold.
Open Authenticator: On your mobile device, open the Microsoft Authenticator app.
Add Account: Tap the '+' icon (top right), then select 'Work or school account'.
Scan Code: If prompted, allow the app to access your camera, then tap 'Scan a QR Code'.
Scan and Link: Use your phone to scan the QR code displayed on your computer screen.
The account will be added automatically to the app.
Proceed on PC: Once the app confirms the account is added, switch back to your computer screen and select 'Next'.
Step 3: Complete Verification and Finish Setup
Microsoft will now send a final test notification to your phone to confirm the connection is secure and working.
Approve Notification: On your mobile device, you will receive a notification (or see a prompt inside the app) asking you to confirm the sign-in. Tap 'Approve' or enter the required two-digit number displayed on your computer.
Finalize: Once the sign-in is approved, your computer screen will confirm successful configuration. Follow any final prompts to close the setup window (usually by clicking 'Done').