What is Phishing? what possible actions does it require to you (4)?
Phishing is a cyberattack where criminals pretend to be a trusted contact (client, manager, IT, bank, etc.) to trick you into:
* Clicking a malicious link
* Downloading a harmful file
* Giving your password or personal data
* Approving unauthorized payments
what are the red flags to catch a phising email? (6)
- Slightly wrong sender address (micros0ft.com instead of microsoft.com)
- Unexpected file attachments
- Urgent pressure: “Do this now or your account will close!”
- Requests for passwords or financial data
- Unusual tone of voice from someone you know
- Mismatched URLs when you hover over a link
what actions should u do in order to avoid phising risks? (4)
- Never click links or attachments from unknown senders
- Verify the sender manually (email address, previous conversation thread, phone call)
- Check file size before opening – required by policy
- Report suspicious emails immediately to your security contact
what are the actions that the eendigo policy suggest related to phising? (4)
- Always verify authenticity before clicking anything
- Delay sending emails by 20 seconds (built-in safeguard)
- Never share passwords or sensitive info
- Use only corporate email for work
about data classification, what are the 4 types of data that you can handle?
Public: ex. Website articles, marketing material —> Free to share
Internal: ex.Internal process docs
—> Share only via approved company tools
Confidential: ex.Client decks, business plans —–> Encrypt + mark “CONFIDENTIAL”
Restricted: ex.PII, salaries, financial data
—> AES-256 encryption, 2FA, secure cloud only
quali sono le regole per una condivisione sicura dei dati (6)
- Always encrypt Confidential and Restricted files
- Use strong passwords (min 12 chars, complex)
- Never send files through personal email
- Store only on approved cloud tools (no local laptops, USBs, or personal devices)
- Password-protect PPT, PDF, and Excel before sending
- Double-check file size to avoid accidentally sending hidden sheets or data
what not to do when sharing data? (4)
- Never save client data on your desktop
- Never transfer files through WhatsApp / Messenger / Telegram
- Never use USB drives
- Never share documents with people who are not entitled to see them
what are the 6 golden rules in client data handling? +3
- Access only the data you absolutely need
- Never work with names + private info unless explicitly required
- Do not open your laptop in public where screens can be seen
- Use screen privacy filters for travel
- Never discuss client work in public spaces
- Follow data return or destruction procedures at project closure
1) do not Copy client software or licenses to personal devices
2) You cannot share data with any 3rd party without approval
3) If a breach happens, you must report it within 24 hours
what are the 7 basic rules to protect your laptop security?
- Use strong passwords (min 12 chars, unique, never reused)
- Enable two-factor authentication everywhere
- Antivirus must be up to date
- Avoid USB ports - they can spread malware
- Use VPN when on hotel, café, airport Wi-Fi
- Lock your screen immediately when away
- Do not leave the laptop in cars, cafés, or exposed locations
tell me 4 prhoibited actions to do with work laptop
- Using company laptops for personal browsing
- Downloading unauthorized apps
- Visiting gambling or adult sites (commonly infected with malware)
- Circumventing client security controls
how can you do to protect your work when you are in public?
- Use a screen privacy filter
- Avoid working on planes/trains if others can see your screen
- Never open confidential client decks in public areas
what is a security incident? give some examples too
Any event that may compromise:
* Personal data
* Client confidentiality
* Devices or accounts
* Company systems
Examples:
* Lost or stolen laptop/phone
* Unauthorized access attempt
* Suspicious email clicked by mistake
* Malware alerts
* Files sent to wrong recipient
* Leaked personal data
what are your responsabilities in case an incident occur?
- Report any incident within 24 hours
- Provide details: what happened, who was affected, what data is involved
- Do not attempt to handle or hide issues yourself
- Never communicate externally without approval
Which is the eendigo workflow in case an incident occur?
- SP/IP identifies issue → Reports within 24 hours
- Security Team acknowledges within 24 hours
- Joint investigation + containment within 72 hours
- Corrective actions + closure
list some general suggestion to avoid phising and ransomware
To verify you are messaging the right person, give them a quick call.
Manually type in a domain URL for a trusted website instead of clicking on an
email link to avoid phishing links.
Checking for spelling mistakes is not enough to prevent phishing.
Enable two-factor authentication for emails, social media and other apps.
list some suggestions useful in password safety and MFA
- don’t use personal informations when creating passwords and famous sentences or common expressions
- dont use always the same passwords
- password alone is not enough, turn on MFA
- authenticator apps are more secure than SMS for 2FA options
list some suggestions for the device managemnt
- If your device is stolen, immediately change passwords for all your accounts.
- install apps directly from the company’s s official site instead of searching through the app store - be aware of the lookalike apps
- widget and apps don’t need permission to everything they ask to access
- For public WiFi, ask the business hosting the WiFi for the exact WiFi name. and Avoid sensitive work and personal business such as banking, credit card, or bill
paying when using public WiFi. also avoid sites that uses HTTP instead of HTTPS
list some suggestions for data management
- For sensitive information or data that is regulated, only use
approved encrypted messaging tools and processes. - Encrypt sensitive data and NEVER keep passwords in a text file or spreadsheet.
-AVOID putting personal data on a portable device such as a USB - Retrieve documents with sensitive information immediately and DESTROY them
when no longer needed. - Don’t paste a client’s personal information to the body of an email unless it’s
approved and encrypted. - Keep an offline backup of your data as a last resort
