The Topics:

This training will cover 10 cyber security topics.

What to expect:

Each topic comprises a range of tips, essential actions, and short videos aimed at providing in depth insight into cybersecurity. At the end of each topic, you’ll be asked two/three questions to assess your understanding of what you have just learnt.

Please take a moment to thoroughly review the content before proceeding to the questions, as once you move forward, you won't be able to revisit the material.

Please try to complete the training in 1 sitting. If that's not possible, please make sure you close and re-open the browser on resuming. You will resume from where you have left off.

Pass-mark:

You will need to get at least 80% of the questions correct or you will need to re-take the training.

What is Authentication?

Authentication is how we verify that you are really you before granting access to our systems, keeping our data and people safe. Traditionally this was done with passwords, but the world is rapidly moving to passwordless authentication—using secure methods like biometrics, mobile prompts, or hardware keys that are far harder to compromise. These modern, phishing‑resistant methods not only strengthen our security but also make logging in faster and more seamless for you. By embracing passwordless technology, we reduce the risk of breaches and build stronger trust with our colleagues, clients, and external stakeholders.

Authentication is part of a three-step process for gaining access to digital resources:

• Identification — Who are you?
• Authentication — Prove it.
• Authorisation — Do you have permission?

Multi-Factor Authentication

Multi‑Factor Authentication (MFA) is an important security layer, but it isn’t perfect—attackers can still exploit it through methods like MFA fatigue, push‑bombing, or tricking users into approving fraudulent login requests. Passwordless authentication removes those weaknesses by eliminating passwords altogether and using strong, phishing‑resistant methods such as biometrics or hardware‑based prompts that can’t be easily intercepted or manipulated. While MFA helps protect accounts, passwordless authentication represents the next evolution—far more secure, far harder for attackers to bypass, and far simpler for you to use every day.

Authentication Factors

Examples of passwordless authentication:

• Face or fingerprint login – using your face or fingerprint to sign in, just like unlocking your phone.
• Phone approval (Passkeys) – you get a prompt on your mobile, and you simply unlock your phone to confirm it's you.
• Security keys – a small USB or NFC device you tap or plug in to log in.
• Built‑in device unlock – things like Windows Hello on your laptop that let you sign in with a quick glance or touch.

There are three main authentication factors:

• Something you know – a password, PIN, or security question.
• Something you have – a phone, security key, access card, or token.
• Something you are – biometrics like your face, fingerprint, or voice.

Password Manager

The Password Manager that we use is Microsoft Edge which is built into your browser.

Microsoft Edge’s password manager is a safe and trusted tool for storing your work passwords. It encrypts all your login details on your device and keeps them protected behind Windows security, so only you can unlock them. When syncing across devices, your passwords stay encrypted the whole way through, meaning no one—including Microsoft—can see them in plain text. By using Edge’s built‑in password manager, you’re choosing a secure, modern option that helps protect both you and the Giuliano Group, giving our clients and external partners confidence that we take their data security seriously.

Tips

• Your browser can generate, save, and sync secure, unique passwords

Required Action:

• Use a password manager, not a post-it note. Please lodge an ICT support ticket if you have any issue with authentication and password recovery.

Please watch the short video below:

What is Phishing?

Phishing is when a cybercriminal pretends to be a trusted person or company to trick you into clicking a link, opening an attachment, or giving away information like passwords or banking details. These messages often look urgent, unexpected, or slightly “off,” and their goal is to steal information or access our systems.

What is MFA Fatigue Attack?

MFA (Multi-Factor Authentication) fatigue is when an attacker keeps sending repeated login approval requests to your phone or authenticator app, hoping you’ll get annoyed, distracted, or confused and accidentally tap “Approve.” It’s essentially spamming your MFA prompts until you give in—so if you ever receive unexpected MFA requests, always decline and report it immediately.

Recognising a phishing email:

• Unexpected or urgent messages asking you to click, open, or act immediately.
• Emails from first‑time or unusual senders, especially if marked [External].
• Spelling mistakes, weird grammar, or generic greetings like "Dear user".

Recognising a phishing email (continued):

• Links that look slightly wrong — always hover or press‑and‑hold to preview before clicking.
• Mismatched sender addresses (e.g., an email claiming to be from Microsoft but sent from a Gmail or odd domain).
• Attachments you weren't expecting, especially invoices, resumes, or "security alerts".

Recognising MFA Fatigue Attacks:

• You receive multiple MFA prompts you did NOT request.
• Login approvals pop up at random times (late at night, weekends, when you're not logging in).
• Your phone keeps alerting you repeatedly, sometimes many times in a row.
• An attacker hopes you'll get annoyed and tap "Approve" accidentally → never do this.
• If this happens: Decline the request and report it to ICT immediately.

Tips

• When you come across a message urging immediate action, it’s important to take a moment, pause and look carefully at the message. Ask yourself: Is this message real? Can I confirm the legitimacy of the sender or recipient? When in doubt, take a step back, think through, and prioritise your cyber safety by verifying the message’s credibility.

Required Action:

• Please report all attempted Phishing & MFA Fatigue Attacks to the ICT Department via the ICT Support Channel in Teams for further investigation. You can do this via the quick link on the HUB.

Please watch the short video below:

What is removable media?

Removable media refers to any portable device you can plug into a computer to store, move, or copy data — such as USB sticks, external hard drives, SD cards, or other plug‑in storage. Because these devices can be easily lost, stolen, or infected with malware, they pose a high security risk if not managed properly.

Removable media stands out as the primary gateway for cyber attacks. Therefore, to effectively reduce this risk, we need to implement strict removable media management process.

Common types of removable media:

• USB flash drives
• External hard drives (i.e. SSD)
• Card reader (i.e. SD card and memory card)
• Removable discs (i.e. blu-ray discs, CD-ROMs, DVDS)

Removable Media Security Risks:

Removable media introduces many security risks and vulnerabilities as it stores a large volume of data including sensitive data. Therefore, failure to properly manage and secure these removable media and devices could expose users to the following risks:

• Data Loss & Exposure — Removable media is easy to lose or steal. If it contains unencrypted data, sensitive business information can be exposed to unauthorised individuals.
• Malware Infection — USBs and similar devices can carry malware that activates as soon as they are plugged in. This includes viruses, ransomware, and keyloggers that compromise devices and your network.
• Malicious 'Autorun' Attacks — Attackers abuse autorun features to automatically execute malicious code when the device is inserted, giving hackers instant access or control.

Removable Media Security Risks (continued):

• Data Exfiltration (Data Theft) — If you plug an unknown or malicious USB into your device, it may silently copy or steal files, allowing attackers to exfiltrate sensitive data outside the organisation.
• Persistence of Deleted Data — Some removable media can retain data even after it's "deleted," meaning sensitive information may still be recoverable if the device falls into the wrong hands.
• Reputational Damage — Any loss or leak of confidential information — whether accidental or malicious — can result in serious reputational harm to the organisation.

Tips:

• Only use removable media issued by the ICT department

Required Action:

• If you require a removable media tested, then please log an ICT support ticket

Please watch the short video below:

What is Social Engineering?

Social engineering is the psychological manipulation of people into giving up confidential information, clicking harmful links, or performing actions that compromise security. Instead of attacking systems, attackers target human behaviour — using tactics like urgency, trust, fear, or authority to trick you into making a mistake.

Types of social engineering attacks:

• Phishing – Fake emails or messages designed to trick you into giving away passwords, credit card details, or corporate information.
• Watering Hole Attacks – Attackers compromise a website that a specific group of people (e.g., your team or industry) is likely to visit, infecting visitors silently.
• Business Email Compromise (BEC) – An attacker impersonates a senior leader to pressure staff into transferring money, sending data, or completing harmful actions. Sometimes includes phone calls pretending to be the executive.

Type of social engineering attacks (continued):

• Physical Social Engineering – In‑person manipulation such as tailgating into secure areas, posing as maintenance staff, delivery drivers, or anyone with a "legitimate" reason to be onsite.
• USB Baiting – Attackers leave infected USB drives hoping someone plugs them into a corporate device, releasing malware into the network.
• Social Media Exploitation – Attackers use information harvested from social media to tailor convincing scams, impersonations, or phishing attempts.

Tips:

• Check the sender’s address for any inconsistencies, and be on the lookout for bad grammar, spelling, and whether the entire email is presented as one clickable image – as this can be an attempt to bypass security measures and direct you to a malicious website.

Required Action:

• Please raise an ICT support ticket at any Social Engineering attempt immediately.

Please watch the short video below:

Users of Wi-Fi networks are at risk of exposure to an array of cyber threats, especially as they expand their use of mobile technology to access the internet and conduct online transactions.

The proliferation of public Wi-Fi also creates security issues for individual users and organisations. These networks are, by definition "open" and, therefore, unprotected. Devices accessing public networks are highly susceptible to malware, spyware, and other malicious activity.

Wi-Fi Security risks:

1. Piggybacking on Your Connection

Attackers can connect to an open or unsecured Wi‑Fi network and use your internet connection to conduct illegal activity, steal information, or monitor traffic — all without you knowing.

2. Wardriving (Finding Unsecured Networks)

Cybercriminals drive or walk around with laptops/phones specifically looking for unsecured Wi‑Fi networks to exploit. Once connected, they can sniff traffic, capture data, or launch further attacks.

3. Man‑in‑the‑Middle (MITM) Attacks

On public or poorly secured Wi‑Fi, attackers can intercept communications between you and the websites/services you're using. This allows them to listen in, steal login details, or alter information being sent.

Wi-Fi Security risks (continued):

4. Snooping & Data Theft on Public Wi‑Fi

Public hotspots are a common place for attackers to monitor unencrypted traffic, stealing passwords, emails, files, and session tokens.

5. Fake Wi‑Fi Networks (Evil Twin Attacks)

Attackers can create a Wi‑Fi network that looks legitimate. Users unknowingly connect, giving the attacker access to everything they transmit.

6. Social Media & App Risks Over Public Wi‑Fi

Attackers use public Wi‑Fi to snoop on social media logins or inject malicious pop‑ups, increasing the risk of account takeover, phishing, and credential theft.

Tips:

• DO NOT connect to a public Wi-Fi network if it is not password protected.
• Use a phone Wi-Fi hotspot instead of random free networks / unsecured network.

Required Action:

• If you require Wi-Fi connectivity within the office, please log an ICT support ticket for the password.

Please watch the short video below:

What is social media?

Social media offers an outlet for people to connect and share life experiences through pictures and videos. But too much sharing––or a lack of attention to imposters––can lead to a compromise of business and personal accounts.

Attackers often use social media accounts during the reconnaissance phase of a social engineering or phishing attack. Social media can give attackers a platform to impersonate trusted people and brands or the information they need carry out additional attacks, including social engineering and phishing.

Recognising social media security risks:

• 1. Oversharing Personal or Work Information — Sharing too much online gives attackers material they can use for phishing, impersonation, or targeted social engineering.
• 2. Imposter / Fake Accounts — Attackers create fake profiles pretending to be colleagues, brands, or trusted contacts to trick staff into revealing information or clicking malicious links.
• 3. Malicious Links, Ads & Pop‑Ups — Social platforms often contain ads or pop‑ups. Clicking a malicious one can install malware or steal login credentials.

Recognising social media security risks (continue):

• 4. Suspicious Friend Requests & Social Engineering — Fake friend requests or connection invites are used to gather information, build trust, or initiate scams — even if the profile shows "mutual friends."
• 5. Weak Passwords or Password Re‑Use — Using the same password across multiple accounts — or simple, guessable passwords — makes social accounts easy targets. Attackers use breached password lists to break in, hijack accounts, and impersonate staff.
• 6. Urgent, Fear‑Based or High‑Pressure Messages — Attackers rely on urgency (e.g., "Your account will be closed!") to manipulate staff into clicking links, sharing information, or bypassing security steps.

Tips:

• Be wary of phishing attacks, or posting information not for public consumption

Required Action:

• Please raise an ICT service desk ticket for ANY unusual activity on any of our businesses’ social media channels.

Please watch the short video below:

What is Internet Security?

Internet security is the set of behaviours, tools, and safeguards that protect you — and the Giuliano Group — when accessing websites, downloading content, communicating online, or using cloud services. It helps ensure that our devices, accounts, and data remain safe from malware, scams, credential theft, and unauthorised access.

Key Internet Security Risks for Staff:

• Malicious or Fake Websites — Attackers disguise harmful downloads, login pages, and pop‑ups as legitimate. A single click can install malware or expose company credentials.
• Phishing & Impersonation Attacks — Fake sites or forms try to steal usernames, passwords, MFA codes, or internal information.
• Unsafe Extensions & Browser Add‑Ons — Unapproved plugins can log keystrokes, capture screenshots, or forward browsing data to unknown third parties.
• Credential Theft & Reuse Attacks — Passwords stolen from compromised websites are used by attackers to break into company accounts ("credential stuffing").
• Data Leakage — Uploading business files to personal websites, free tools, or unknown cloud services exposes sensitive information.

What is Shadow IT?

Shadow IT refers to any software, website, cloud service, app, or tool used for work without ICT approval. This includes free file‑sharing sites, unapproved messaging or note‑taking apps, personal storage platforms, freeware utilities, browser plug‑ins, and AI‑powered tools that have not been vetted. If ICT hasn’t approved it — it’s Shadow IT.

Group policies clearly state that company data must not be stored externally without ICT approval, and that work must not be conducted on unapproved systems or apps.

Shadow IT Risks:

• Data Loss & Exposure — Unapproved tools may store or process data on overseas or insecure servers. Once data leaves our environment, we cannot control or retrieve it.
• Privacy & Compliance Breaches — Shadow IT often violates our ISO‑aligned security controls and may expose customer or commercial information in ways that breach our legal or contractual obligations.
• Lack of Security Controls — Many unofficial tools lack encryption, access controls, or audit trails — creating blind spots for ICT and increasing breach risk.
• Hidden Data Sharing — Free apps often monetise user data or share information with third‑party analytics platforms without clear disclosure.
• Unsupported Software Risks — ICT cannot patch, secure, or monitor tools it has not approved — leaving the organisation open to malware, ransomware, and unauthorised access.
• Fragmented Workflows & Version Control Issues — Using personal drives, third‑party chat apps, or external storage creates multiple, uncontrolled versions of documents and removes visibility from the business.
• Bypassing Zero‑Trust Architecture — Shadow IT undermines the access control, MFA, and data‑classification policies required to maintain our security posture and ISO compliance.

Prohibited use for personal gain

Under no circumstances may the Co-operative’s ICT Resources be used for, or in relation to, corrupt conduct, unauthorised personal financial or commercial gain, or the unauthorised financial or commercial gain of a third party.

Tips:

• Be mindful of the websites you visit. Before you open up your internet browser (our recommended browser is Microsoft Edge), consider whether a website is for strict business use or something more personal.

Required Action:

• All new software or SaaS platforms must be vetted by the ICT department prior to attempting to load it on your system

Please watch the short video below:

What is Clear Desk and Screen?

Clear Desk & Clear Screen is a simple but powerful security practice where you keep your workspace and computer free of visible sensitive information whenever you are away from it — even for a moment. This includes locking your computer screen, securing printed documents, protecting mobile devices, and ensuring no confidential information is left out in the open.

It helps protect company data from accidental exposure, prying eyes, and unauthorised access.

Why It Matters?

Our desks, monitors, and shared workspaces often contain far more sensitive information than we realise — client details, contracts, internal documents, emails, building access info, or even sticky notes with reminders. Good habits prevent these from becoming security incidents.

Key Risks of Ignoring Clear Desk & Clear Screen:

• Unauthorised Access to Sensitive Information — Leaving documents, screens, or files visible — even briefly — allows cleaners, visitors, contractors, or other staff to see information they should not have access to.
• Data Leakage Through Photos or Visual Capture — A single photo taken by a visitor, delivery worker, or someone passing by can leak confidential material (screens, whiteboards, documents).
• Theft of Devices or Documents — Unattended laptops, USBs, or printed paperwork can be quickly taken, leading to loss of corporate data and significant reporting obligations.

Key Risks of Ignoring Clear Desk & Clear Screen: (cont.)

• Shoulder Surfing (Visual Hacking) — People nearby can see sensitive info on your screen — emails, passwords, financials, client data — and use it for malicious purposes.
• Breach of Privacy or Contractual Obligations — Many of our documents contain personal information or commercial‑in‑confidence material. Leaving these exposed could violate privacy laws or agreements.
• Increased Compromise Risk in Shared or Open Offices — Shared workspaces, meeting rooms, and hot‑desks have a high turnover of people, making exposed data far more vulnerable.

Clear Desk and Screen Recommendations:

• Workstations should be turned off when unoccupied, or locked with a secure password when absent.
• Confidential information should always be removed from desks, meeting rooms, and printers, leaving them safe in locked cabinets after handling. It is also recommended that you erase any whiteboards/turn off presentation screens at the end of meetings and dispose of the trash properly.

Clear Desk and Screen Recommendations (continued):

• Passwords cannot be left on notes posted on or under a computer, nor written in places accessible to others.
• Printouts containing sensitive, confidential, or restricted information should be removed immediately from the printer.
• Clean waste requires attention, too, as sensitive, confidential, or restricted documents must be shredded and disposed of properly in designated secure locations.

Tips

• Treat stakeholder’s confidential information like you would your own

Required Action:

• If you see any breach of clear desk or screen philosophy, please raise an ICT support ticket

Please watch the short video below:

What is Physical Security?

Physical security aims to protect people, property, and physical assets from any action or event that could lead to loss or damage. Physical security is crucial, and all staff must work together to ensure the security of assets.

Why is Physical Security important?

Physical security keeps your employees, facilities, and assets safe from real-world threats. These threats can arise from internal or external intruders that question data security.

Physical attacks can break into a safe or restricted area. An attacker can easily damage or steal critical IT assets, install malware on systems, or leave a remote access port on the network.

It is important to have strict physical security to protect against external threats, as well as equally effective measures to avoid the risks of any internal intruder.

Top 6 Physical Security Threats:

• Tailgating / Piggybacking — Unauthorised individuals following staff into restricted areas by slipping in behind them without using their own access card.
• Impersonation & Social Engineering — Attackers posing as delivery drivers, maintenance workers, contractors, or visitors to gain physical access to offices or equipment rooms.
• Theft of Devices & Assets — Laptops, mobile phones, USB drives, and printed documents can be stolen if left unattended, leading to loss of sensitive information.

Top 6 Physical Security Threats: (cont.)

• Unauthorized Viewing (Shoulder Surfing) — People nearby — including visitors, contractors, or even staff without appropriate clearance — may see confidential information on screens or documents.
• Physical Tampering With Equipment — Attackers may try to access server rooms, network cabinets, or workstations to install rogue devices, modify hardware, or bypass security controls.
• Poor Workspace Hygiene (Unsecured Documents & Devices) — Leaving sensitive paperwork, ID cards, or unlocked computers out in the open increases the risk of exposure or misuse.

Tips

• Don't be afraid to challenge suspicious characters

Required Action:

• Please report suspicious activities by unauthorised persona to the Building Manager or raise an ICT ticket.

Please watch the short video below:

What is AI (Artificial Intelligence)?

Artificial Intelligence refers to systems that can analyse information, generate content, answer questions, automate tasks, or make predictions. AI helps us work faster and smarter — and at the Giuliano Group, we use approved AI tools such as Microsoft Copilot, which operate securely inside our Microsoft environment.

However, not all AI tools are safe. Many free or consumer AI platforms store prompts, reuse user data for training, or share information with third parties. That is why AI awareness is essential.

Why AI Awareness Matters?

AI awareness matters because it helps every staff member understand how to use AI safely, responsibly, and effectively. Modern workplaces rely on AI to improve efficiency, decision‑making, and productivity — but without awareness, AI can introduce risks such as data leaks, bias, misinformation, and misuse.

When employees are AI‑aware, they protect the organisation by following our AI policy, safeguarding sensitive information, and recognising when human oversight is needed. This builds a workforce that is competent, compliant, and confident in using AI tools the right way.

Key AI Security Risks You Must Know:

• Data Manipulation & Data Poisoning
  AI systems rely on the data they're trained on. If the data is tampered with or poisoned, the AI can produce false, harmful, or malicious outcomes, putting business decisions and security at risk.
• Voice Cloning & Deepfake Impersonation
  AI tools can mimic voices or create realistic fake videos, enabling fraud, unauthorised access, identity theft, and social‑engineering attacks.
• Privacy & Data Security Breaches
  Using unapproved AI tools can expose sensitive business or personal data. This is why your AI policy requires restricted and monitored use of AI platforms.

Key AI Security Risks You Must Know: (cont.)

• Bias & Unfair Decision‑Making
  AI models can unintentionally amplify bias hidden in their training data, leading to biased outputs, unfair decisions, or discrimination.
• Misuse or Use Beyond Intended Purpose
  If AI is used in ways it wasn't designed for — or without proper human oversight — it can lead to incorrect conclusions, operational errors, or compliance failures.
• Physical or Operational Safety Risks
  As AI is increasingly used in equipment, automation, and infrastructure, a failure or breach could cause real‑world safety hazards, especially in construction, facilities, or autonomous systems.

Approved AI at Giuliano Group: Microsoft Copilot

We use Microsoft Copilot as our only authorised AI tool because it:

• keeps all prompts and data inside our secure Microsoft 365 tenant
• does not use company data to train public models
• aligns with our AI Policy and ISO frameworks
• allows safe productivity gains without compromising privacy

Safe AI Use – What You Should Do

• Use Microsoft Copilot for all work‑related AI tasks.
• Keep sensitive information inside approved systems only.
• Treat AI outputs like draft work — verify before using.
• Report any suspicious AI tools to ICT.
• Follow the AI Policy and complete all mandatory training.

Unsafe AI Use – What You Must Avoid

• Don't paste client information, tenancy data, or internal documents into free AI sites.
• Don't install AI browser extensions or apps without ICT approval.
• Don't rely on AI responses without checking for accuracy.
• Don't use personal AI tools for business tasks.

Please watch the short video below:

As we step into 2026, AI is no longer just a tool — it’s becoming a genuine partner in how we work, create, and solve problems. Across every industry, intelligent systems are shifting from simple automation to real collaboration, helping teams move faster, think bigger, and achieve more. This short video will give you a snapshot of the key AI trends shaping the year ahead, and show how the way we work is being transformed in exciting, practical, and very real ways.

More reading can be found here: https://news.microsoft.com/source/features/ai/whats-next-in-ai-7-trends-to-watch-in-2026