Derived from the use of a ruler
Length
In 2025, how much do stolen credentials cost on criminal markets? A) $1 B) $10 C) $100 D) $1000
What is B - just $10? (Some hackers offer subscription packages for $81/week!)
An email says 'URGENT: Your account will be closed in 24 hours unless you click here!' What red flag is this?
What is urgency/pressure? (Or: What is 'trying to make you panic so you don't think'?) Legitimate requests can wait for verification. Scams cannot.
True or False: 'If I use incognito/private browsing mode, I'm completely anonymous online.'
What is FALSE? Incognito only stops your local browser from saving history - your ISP, websites, and network admin can still see you.
You just clicked a suspicious link. What should you do FIRST? A) Panic B) Throw computer out window C) Disconnect from network D) Both A and B
What is C - disconnect from network (then report it to IT immediately)?
True or False: Writing down your passwords is ALWAYS a terrible security practice.
What is FALSE? A Microsoft security expert famously said that if you have 68 passwords and can't write them down, you'll just reuse the same one everywhere, which is worse! A locked drawer at home is safer than the same password on 68 sites!
What percentage of data breaches involve compromised Customer PII according to the 2024 report?
You hover over a link that says 'www.service.nsw.gov.au' but it shows 'www.servlce.nsw.gove.au'. What's this trick called?
What is typosquatting? (Or URL spoofing)
Attackers swap letters that look similar: 'rn' looks like 'm', '1' looks like 'l'. Always hover before you click!
True or False: 'Antivirus software catches all malware, so I'm 100% protected.'
What is FALSE? Antivirus is important but not foolproof. New malware is created faster than signatures can update!
You notice someone following behind you into a secure building. What's the cybersecurity term for this, and what should you do?
What is piggybacking/tailgating? You should politely ask them to use their own card, or alert security.
One password to access many services
Single Sign On (SSO)
What was the McDonalds 2025 chatbot data breach a result of?
An email from your 'CEO' asks you to urgently buy gift cards. The email address is correct but something feels off. What should you do?
What is verify through another channel (call them, Teams message, walk to their office)? Even real email accounts get hacked!
Myth: 'Only clicking on things downloads files to my computer.' What's the reality?
What is FALSE? Drive-by downloads can happen just by visiting a compromised website, without clicking anything.
A colleague fell for a phishing email and is embarrassed. How should they be treated? A) Public shaming B) Firing C) Learning opportunity D) Immediate promotion
What is C - learning opportunity? (Though D would be nice for honesty!)
Using another device to authenticate your login attempt
Multi Factor Authentication (MFA) or 2FA
What is the term used when attackers compromise lower-level employees?
What is Island Hopping or Lateral Movement? Attackers use the "small fish" access to move laterally through the network, eventually reaching their real target: the executives.
What's the term for highly targeted phishing attacks aimed at specific individuals using personal info from social media?
What is spear phishing? (Or whaling if targeting executives)
Complete this myth: 'I don't need to worry about cybersecurity because I'm not _____ enough to be targeted.'
What is 'important'? (The myth is that only VIPs get targeted - WRONG! Hackers use automated attacks on everyone!)
You find a USB stick in the parking lot labeled 'Executive Salaries 2025'. What do you do?
What is DO NOT plug it in - report it to IT/security?
This is called 'baiting'. In security tests, 45% of people plug in random USB drives. It could install malware instantly!
Passkeys (Private + Public)
You get an email that passes all technical checks (correct domain, no typos, professional formatting) but your gut says something's wrong. Should you trust that feeling?
What is YES - trust your gut and verify?
You suspect customer PII has been exposed in a breach. Name THREE types of people/teams you need to notify immediately.
What is: IT/Security team (CS Connect), your manager, Privacy Officer, and potentially affected customers (depending on severity)?
Cyber Threat Detection and Response Team (63637676 Opt 1 then Opt 4)
NSW Government has legal obligations to notify affected individuals and regulators. Quick reporting = quicker containment!