CYBER AWARENESSBASELINE TRAINING PROGRAMMEPrepared By: Office of Cyber and Information Security

© Copyright of Cayman Islands Government

FOREWORD We are a World-Class Civil Service and each and every one of you has an important role to play to protect our digital services from the rising tide of cyber-attacks that are all too common around the world.

We recognise that the cyber landscape is fast moving and therefore it is essential that we provide continuous learning and development opportunities for our civil servants and across our agencies.

We hope that you will enjoy this training, whether you are hearing about the concepts for the first time or whether this training provides reinforcement of what you already know and practice daily!

Thank you for taking the time to complete this important training.

Deputy GovernorHonourable Franz Manderson, MBE, Cert. Hon., JP

LEARNINGOBJECTIVESBy completing this 40-minute course, you will achieve the following learning objectives:

1. you will be familiar with the commonly used terminology around cybersecurity incidents, such as phishing, spam, ransomware and malware;

2. you will gain an understanding of how cybersecurity incidents can occur and their likely implications; 3. you will learn about the good practices required to be cyber aware and cyber secure; 4. you will know who to contact when you have a cyber related concern or to report an incident; 5. you will be required to complete a short quiz at the end of your training, as this will provide an opportunity to

test your learning; 6. you will receive a Certificate of Completion once you finish this training!

Let’s get started!

TOPICSCOVERED

Module 1 – Use of Government Email Module 2 – How to spot Phishing Emails Module 3 – Opening Email Attachments & clicking on Email Links Module 4 – The Dangers of a Cyber-Attack Module 5 – Use of USB Sticks & other Removal Media Module 6 – Keeping Passwords Secure Module 7 – Keeping your Social Media Secure Module 8 – Use of Personal & Private Webmail Email Module 9 – Use of Personal, Private Cloud Storage Module 10 – Physical Security Module 11 – Data Protection Law & Personal Data Module 12 – How to Report a Cyber Incident

MODULE 1 USE OF YOUR GOVERNMENT EMAIL ADDRESS

•Your email address provides a quick and convenient way to communicate with your colleagues across the Civil Service, customers and other third parties.

•Emails are also targeted by cyber criminals who are looking for an entry point to steal data or compromise an organisation's systems.

•Our Government email addresses should not be used for enrolling or subscribing for non-business purposes. Your personal, private email address should always be used for such purposes.

• There is good reason for this: If your email address has been compromised, the likelihood is that it could be sold to cyber criminals and your email address is likely to be targeted. You will notice that you receive suspicious, spam emails, email with links asking you to click!

• If you have used your GOV.KY or work email to subscribe to non-business related services, such as eBay, eCay, Amazon.com, AliExpress, Evite, social messaging platforms and the like, change your subscription from your work email address to your private email address!

MODULE 2 TIPS FOR HOW TO SPOT PHISHING EMAILS (1/3) • Fake, spam and suspicious emails are commonly referred to as phishing emails.

•Phishing emails are sent to encourage and persuade you to compromise your personal data or your organisation’s security by asking you to reveal passwords, personal information, financial information, to transfer funds, to visit fake websites, to click on malicious links, open malicious files and the like.

• It used to be so easy to spot a suspicious or spam email, as it would contain spelling mistakes, be written in poor English, not be personally addressed to you, etc.

•Suspicious and spam emails have become much more sophisticated and at first (and even second) glance, they may look genuine!

•Whilst our IT systems block and prevent most of the suspicious and spam emails arriving in your Inbox, some do ‘slip through the net’, so we need you to be extra vigilant.

•Simple tips you ca use to spot phishing emails include: hovering your cursor over the link, checking the sender's email address carefully, looking out for emails which purport to have a sense of urgency or include threats. Be suspicious of emails that are unexpected or from an unknown senders.

•Always report phishing or suspicious emails immediately to Cyber_Helpdesk@gov.ky so that the Cyber and Information Security Office team can take action to prevent other staff receiving the email.

MODULE 2 TIPS FOR HOW TO SPOT PHISHING EMAILS (2/3)

•Fake emails are a type of phishing email.

•Be suspicious of emails that ask for your personal information.

• Legitimate banks and most other companies will never ask for your personal credentials via email.

•Check the sender’s email address. Is it exactly the same as the company’s email address or similar? If you are unsure, search for the email address to see if it is legitimate. You can search online via a search engine, look at other emails you have received from the company, or forward the email to AskCISO@gov.ky.

•Always look at the greeting. Common phishing uses phrases such as “Valued Customer.” However, the hacker may use your name if you have been spear phished!

• Look for bad spelling and grammar in the text of the email.

•Review the signature. Does it look legitimate or provide contact information?

•Does it make sense for the email to have an attachment? Never click on .exe attachment files.

MODULE 2 TIPS FOR HOW TO SPOT PHISHING EMAILS (3/3)

Watch out for emails which: •Have a sense of urgency. Hackers word emails to give them a sense of urgency to make you react quickly, reducing your time to think and realise the scam.

•Ask you to change your account information because there is a discrepancy with your account or you need to verify your account. This tactic is used to scare the end user into clicking on a bad link or going to a bad site and filling in their account information.

•Tell you your account has been hacked. This is used to get a similar response as the one above. You are less likely to think an email that announces you have been hacked is a phishing email.

•Ask for a wire transfer or the details of a failed wire transfer for a compelling reason. The email usually claims the “transfer details” are in the attachment, which is likely to be malware!

•Want to send you money, ask you to donate money, or say you have won a prize. They will either ask you to: give your personal information to send you money, open the attachment to receive the invoice, or click a link to claim your prize.

• Include logos, brand names, and slogans of legitimate companies. They use these to create a sense of trust with the end user.

MODULE 3 OPENING EMAIL ATTACHMENTS & CLICKING ON EMAIL LINKS (1/2)

• You will need to be cautious before opening email attachments or clicking on links from unknown persons or when they are unexpected.

• Cyber attackers often create PDF files, Word documents, and links containing malicious and harmful software.

• Clicking on the attachment will result in the malicious software being executed to run on your computers. From there it can spread to other computers on our network.

• Ransomware is a particularly disruptive type of malware and is commonly delivered through phishing emails with attachments or links.

• If you accidentally click on a link and then realise that it is suspicious, you should report it immediately to your IT Helpdesk. (For most of you this will be the Computer Services Department (CSD). They will arrange for your computer to be virus scanned and given a health check.

MODULE 3 OPENING EMAIL ATTACHMENTS & CLICKING ON EMAIL LINKS (2/2)

• Never click links, open attachments, or fill out forms in suspicious emails.

• Hover over the link before clicking on it to make sure it’s taking you where it says it will take you. Check the website address: Is it http or https? Is it spelled correctly? Is it the company’s website?

• Never provide personal information through an email.

• Reach out directly to the person/company that emailed you. They will tell you if the email is valid or not.

• Never use the telephone number provided in the suspicious email, as it is likely to be fake! Do an online or other search for the company’s legitimate contact number.

• Don’t open email attachments that you didn’t expect to receive.

MODULE 4 THE DANGERS OF A CYBER-ATTACK

• Ransomware is a type of malware programme that infects, locks or takes control of a computer system and demands ransom payment to unlock the victim’s computer systems.

• Individuals and organisations have been targeted and have fallen victim to ransomware attacks.

• There have been a number of public reported cases in recent times.

•While some ransomware can be reversed by an IT professional, more advanced malware may encrypt the data on the computer, making it much harder – or impossible – to reverse without providing payment.

• Trojan horse is another type of malware that pretends to be a desirable programme. Once downloaded and activated, this malware is able to perform a range of attacks on the host computer, including sending all information typed into the keyboard back to the author of the malware.

MODULE 5 USE OF USB STICKS & OTHER REMOVAL MEDIA

•Removable media are USB devices and any type of storage device that can be used to remove data (i.e. files, documents, images, data) from a computer.

•Removable media are particularly prone to getting lost, stolen or may contain malicious software.

•You should NEVER store Government information, data and files on removal media, due to the consequences if the device is lost or stolen.

•Removal media devices can often contain virus or harmful software. You should never plug a removal media device into your computer. The virus or harmful software, once on your computer, can quickly spread across the network, causing damage to data and files as well as permanently locking computers!

•USBs are often included in conference goodie bags or you may happen to find a discarded USB! Never insert these into your work computer.

•Removal media can only be used with the permission of your Chief Officer and only if the Removal media has been protected with encryption and scanned to check for malicious software.

• If you have any removal media previously used to store Government files, please contact your IT Helpdesk who can assist you with permanently removing the files.

MODULE 6 KEEPING PASSWORDS SECURE (1/2)

•Passwords are one of the ways that we provide security and control of who has access to our computer systems and our data.

• In fact, most people use passwords to protect: • Social media accounts (e.g. Facebook, Twitter, Instagram) • Personal and corporate devices (e.g. laptops, cell phones) • Email accounts (e.g. Gmail, Outlook, Yahoo) •Online banking accounts •Other third-party accounts (e.g. Amazon, PayPal, YouTube)

•Cyber-Attackers can compromise weak passwords by: •Guessing common passwords and running specialised software programmes: 123456, password, abc123, and qwerty are among the most-used passwords. •Monitoring public Wi-Fi: through these connections they may be able to observe all information, including your account credentials (username and password). • Sending phishing emails: hackers could send millions of emails that ask the victims to input their email user name and password.

MODULE 6 KEEPING PASSWORDS SECURE (2/2)

•All users of our government and public sector computer systems are required to create strong passwords.

•Strong passwords are more difficult for Cyber-Attackers to compromise! Strong Passwords have complexity built in.

•We require your password to:

• have a minimum of 8 keyboard characters; • contain a combination of alphabetic characters, numbers and special characters • include a phrase; •be different than any other password used for services offered by the organisation; •be different from personal passwords, and •not be shared with anybody else.

•Keep the password memorable to you, so that you don’t need to write it down!

•As a rule of thumb, you should avoid:

• simple passwords composed of common words are easy to guess. Examples: apple, rowboat, bumblebee, blizzard, password; •passwords written down on a piece of paper or stored in plain text on a computer as these may be stolen by somebody with malicious intent; • using the same password for multiple websites. This is like having one key for multiple locks; if it’s stolen, the thief can open them all.

MODULE 7 BE SOCIAL MEDIA AWARE (1/2)

• There is no doubt that social media services, such as Facebook, Twitter, Instagram, WhatsApp, Telegram and the like, are appealing and beneficial in our private lives!

•However, social media does have privacy and security risks for organisations and businesses, especially when there is not clear separation between private and work space.

•When using social media services, there are cyber risks around fake requests from spam profiles, phishing emails, brand impersonation and ransomware!

• Fake requests from spam profiles: On social media websites like Facebook and Twitter, there are users who create fake accounts to spread spam emails and malicious malware.

•Phishing: Fake social media accounts are created for our public figures, organisations, etc., that look very similar to the actual profile of our public figures or organisations. These are used to attract unsuspecting customers towards them, for the purpose of stealing confidential information and fraudulent purposes.

•Brand impersonation: Today, businesses are also falling prey to brand impersonation as most of the hackers may promote false things on duplicate profiles of businesses and organisations. False activities conducted on such profiles will send the wrong message to our customers.

MODULE 7 BE SOCIAL MEDIA AWARE (2/2)

Top Tips to Keep Your Social Accounts Secure

•Never use your government email address to subscribe to these services and pay particular attention to privacy settings on your social media accounts!

•Don’t click on suspicious messages or links, even if they appear to be posted by someone you know.

• Flag any scam posts or messages you encounter on social media to help stop the threat from spreading.

• Always report such posts or messages to the platform’s abuse mailbox. If they pertain to our public figures, it is very important that you also report them to Cyber_Helpdesk@gov.ky.

• Use unique, complicated passwords for all your accounts.

• If the site offers multi-factor authentication, use it, and choose the highest privacy setting available.

• Avoid posting any personal or family details that might allow a hacker to guess your security questions or passwords.

• Never post anything that is defamatory or confidential to our organisation!

• Be aware of the risk of logging into your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen.

MODULE 8 USE OF PERSONAL & PRIVATE WEBMAIL EMAIL

•Most of us have one or more webmail email accounts set up which are generally used for our personal, private email correspondence and to subscribe to social media services, online shopping websites and such like!

•Examples of personal, private webmail email accounts include, Gmail, Googlemail, Hotmail, Yahoo!

•Often, for reasons of convenience, we may think that it is okay to use our personal, private webmail email account to send and receive work related communications and to send attachments!

•However, you should never use your personal, private webmail email account to send work related communications and to send work-related attachments!

•Always, use your government or public sector provided email account to send work related correspondence! Make no exceptions, even if it may seem convenient to do so.

•There is good reason for this. You read earlier on in this training that email accounts are targeted by cyber-attackers, email accounts are commonly breached and sold to cyber-hackers and breached email accounts can provide an entry point for cyber-attackers who will send you phishing emails, malicious links and such like!

MODULE 9 USE OF PERSONAL, PRIVATE CLOUD STORAGE

•Most of us have one or more cloud storage accounts setup, which are generally used for easy accessibility, to our personal, private documents and pictures!

•Often, for reasons of convenience, we may think that it is okay to use our personal, private cloud storage accounts for temporary or permanent storage of work related documents, files, data and other content!

•However, you should never use your personal, private cloud storage to store work related material.

•Always use your government or public sector provided electronic storage areas! Make no exceptions, even if it may seem convenient to do so.

• There is good reason for this: Cloud storage services are one of the targets of cyber-attackers!

• If you have any cloud storage service, previously used to store Government files, you are required to move these files to the Government-provided electronic storage area and delete the files from the cloud storage service.

MODULE 10 PHYSICAL SECURITY (1/2)

• Physical security encompasses the security of our premises, computer equipment, visitor security as well as our paper records.

•Unauthorised persons should not be allowed to enter and roam freely around our premises. For most of our offices, we have security guards and receptionists. However, we all have a role to play to politely and respectfully question any unknown persons we see within our offices and offer to escort them to their host.

• All visitors should be escorted whilst on our premises. Remember, if you collect the visitor at Reception or from our security guards, you are responsible for their escort until they leave the premises.

• Let’s not forget our paper records! Confidential, sensitive and personal information is held in both electronic form as well as on paper. Always lock away paper records that contain confidential, sensitive and personal information!

MODULE 10 PHYSICAL SECURITY (2/2)

Top Tips for Physical Security

• Never leave confidential, sensitive and personal information on the printer or on your desk.

• Never place confidential, sensitive and personal information in a waste or recycle bin.

• The National Archive and Public Records Law (2015 Revision) (NAPRL) controls how you should maintain and dispose of public records. The destruction of records must always be carried out in line with the NAPRL and you will need to have in place Approved Disposal Schedules.

• If you have a document that contains confidential, sensitive or personal information, and there is no requirement to retain the document under the NAPRL, then the document should be shredded or placed in a secure shredding bin.

• If you are unsure whether or not a paper document can be shredded, you must always

seek guidance from your line manager, Departmental Records Officer, Information Manager or Chief Officer.

• Laptop computers and authorised devices storing our organisation's information should be locked away when not in use.

• Think carefully before taking papers containing confidential, sensitive or personal information out of the office. You may mistakenly leave these behind or lose them during your travels!

MODULE 11 DATA PROTECTION LAW & PERSONAL DATA (1/3)

When did it come into effect? •The Cayman Islands Data Protection Law, 2017 came into effect on 30 September 2019.

What is the purpose of the Law (in a nutshell)? • It enshrines in Law the individual right to privacy and, for public authorities, gives further

effect to the constitutional right to private and family life granted in the Cayman Islands Constitution Order, 2009.• It gives individuals a certain level of control over their personal data and provides

safeguards and protections against the misuse of personal data.

What is Personal Data and Sensitive Personal Data? • Personal data are any data relating to a living individual who can be identified –

either directly or indirectly – and includes opinions or intentions about the individual.• Sensitive personal data are certain types of personal data that have been defined in the

Data Protection Law as a special protected class because misuse is more likely to impact an individual's livelihood, quality of life or ability to participate in daily activities. • A risk-based approach is required when processing all personal data because data may

not be defined as “sensitive personal data” in the Data Protection Law but still harm an individual’s rights or freedoms if it is misused, including if it is lost or disclosed without authorization.

Full NameContact detailsUnique identification numbersEducational historyLocation dataFinancial recordsPerformance assessments…and more

Personal Data - Examples

Medical or health recordsEthnic originPolitical opinionsReligious beliefsGenetic dataData about sex lifeCriminal records…and more

Sensitive Personal Data - Examples

MODULE 11 DATA PROTECTION LAW & PERSONAL DATA (2/3)

Who does it apply to? •The Data Protection Law applies to all organisations in the Cayman Islands that use personal data, including each Ministry, Portfolio, Department, Statutory Authority and Government Company.

How do I find out more? • If your job involves collecting, accessing, using or otherwise processing personal data, be sure you know what laws, policies and other guidelines you need to follow in your work.•General training and awareness sessions are offered by the Ombudsman and by the Information Rights Unit in the Cabinet Office.•Specific training or development opportunities may also be available for your area of work.•To find out more visit the Ombudsman’s website ombudsman.ky/data-protection or email InformationRights@gov.ky

Full NameContact detailsUnique identification numbersEducational historyLocation dataFinancial recordsPerformance assessments…and more

Personal Data - Examples

Medical or health recordsEthnic originPolitical opinionsReligious beliefsGenetic dataData about sex lifeCriminal records…and more

Sensitive Personal Data - Examples

MODULE 11 DATA PROTECTION LAW & PERSONAL DATA (2/3)

Reporting a Personal Data Breach? • If you have any questions, or require advice, you should contact the Cabinet Office’s Information Rights Coordinator. • In general terms, a personal data breach occurs, when personal data are unlawfully or accidentally disclosed or accessed without proper authorisation, destroyed, lost or altered.•Personal data breaches often happen due to accidents or lack of knowledge and you should always immediately report an actual or suspected personal data breach to your manager •Time is of the essence, so do not delay reporting! Your public authority is legally required to report the matter to the Ombudsman and the affected data subject(s) without undue delay, and your manager and others will need time to assess the situation • If you have any questions, or require advice, you should contact the Information Rights Coordinator at InformationRights@gov.ky

Full NameContact detailsUnique identification numbersEducational historyLocation dataFinancial recordsPerformance assessments…and more

Personal Data - Examples

Medical or health recordsEthnic originPolitical opinionsReligious beliefsGenetic dataData about sex lifeCriminal records…and more

Sensitive Personal Data - Examples

MODULE 12 HOW TO REPORT A CYBER INCIDENT

Examples of the Type of Incidents you should report:

• If you receive a fake, suspicious or phishing email – always report, whether or not

you have clicked or opened the attachment • If you receive a suspicious telephone call requesting confidential or sensitive

information from an unknown person • If a laptop or organisation-issued mobile device is lost or stolen • If paper records containing confidential, sensitive or personal information have been lost or stolen • If you believe someone accessed your email account without your permission

This list is not intended to be exhaustive. We prefer you to report anything of concern! How to report an incident:Email Cyber_HelpDesk@gov.ky

If you have a cyber related query: Email AskCISO@gov.ky

CONGRATULATIONSYou have successfully completed your Baseline Cyber Awareness Training. Your Certificate of Completion will be sent to you via email after you complete the short quiz.