How Cyber-Aware Are You?

Your CEO posts on LinkedIn about a new project. Shortly after, you get an email referencing that project asking you to download a brief. What do you do?

Attackers use publicly available information (OSINT) to craft highly convincing spear-phishing emails.

• A Check the sender address carefully and look for inconsistencies.
• B Download the brief — the email references a real project.
• C Reply to the email asking for more details before downloading.
• D Verify with the CEO or their assistant through a separate channel before acting.

You receive a calendar invite from an external contact with a meeting link you don't recognise. What is your first step?

Malicious calendar invites can contain phishing links disguised as meeting URLs.

• A Contact the sender through a known channel to confirm they sent the invite.
• B Check the sender details and hover over the link to inspect the URL.
• C Accept the invite and click the link at the scheduled time.
• D Accept the invite but don't click the link until the meeting.

You receive a text message saying your package delivery failed and asking you to click a link to reschedule. What do you do?

SMS phishing (smishing) uses delivery notifications to trick people into visiting malicious websites.

• A Click the link but don't enter any personal information.
• B Click the link to reschedule — I am expecting a delivery.
• C Check the sender number and compare it with the courier's official contact.
• D Go directly to the courier's website or app to check the delivery status.

You need to share a streaming service login with a family member. How do you handle it?

Sharing passwords directly increases exposure. Use built-in sharing features or a password manager's sharing vault.

• A Tell them in person so it's not written down.
• B Use a unique password for that service and share it verbally.
• C Text them my username and password.
• D Use the service's family sharing feature or a password manager's secure share.

Do you use multi-factor authentication (MFA) on your personal accounts?

MFA adds a critical second layer of security. Even if your password is stolen, MFA can prevent unauthorised access.

• A I don't know what MFA is.
• B I use MFA on all accounts that support it, preferring authenticator apps over SMS.
• C I've heard of it but haven't set it up.
• D I use it on some accounts like email and banking.

Your company enforces a 90-day password rotation. How do you handle creating new passwords?

Predictable password patterns (Password1, Password2…) defeat the purpose of rotation policies.

• A Add a number to the end of my current password.
• B Create a passphrase using several random words.
• C Let my password manager generate a strong random password.
• D Pick a new memorable word each time.

A delivery person asks you to hold the secure door open because their hands are full. What do you do?

Tailgating using props like packages is a classic social engineering technique to bypass physical access controls.

• A Hold the door but ask which company they're delivering for.
• B Direct them to reception and let front desk handle the delivery.
• C Hold the door — they clearly have their hands full.
• D Offer to take the delivery at the door instead of letting them in.

A senior executive emails you urgently requesting a wire transfer to a new vendor. What do you do?

Business Email Compromise (BEC) costs organisations billions annually. Always verify financial requests through a second channel.

• A Check the email headers for signs of spoofing before acting.
• B Call the executive directly on a known number to verify before processing.
• C Reply to the email to confirm the details.
• D Process it immediately — it's from the CEO.

Someone calls you claiming to be from IT support and asks for your login credentials to fix a problem. What do you do?

Legitimate IT departments will never ask for your password over the phone. This is a classic social engineering tactic.

• A Refuse to give credentials and tell them I'll call the IT helpdesk myself.
• B Refuse, hang up, call IT through the official number to verify, and report it.
• C Give them my credentials — they sound professional and urgent.
• D Ask them to explain the problem first, then decide.

You want to download free software and find it on a third-party download site. What do you do?

Third-party download sites often bundle malware or adware with legitimate software.

• A Download only from the vendor's official site and verify the file hash.
• B Search for the software's official website and download from there.
• C Download it but scan the file with antivirus before installing.
• D Download it — the site has a big green download button.

You need to use public Wi-Fi at a coffee shop to check your work email. What precautions do you take?

Public Wi-Fi networks are easy to intercept. Using a VPN encrypts your traffic and prevents eavesdropping.

• A I use a VPN, avoid sensitive tasks, and use my mobile hotspot when possible.
• B I connect and use it normally — Wi-Fi is Wi-Fi.
• C I avoid online banking but check email freely.
• D I use a VPN before accessing anything sensitive.

A website asks for permission to show notifications. What do you do?

Browser notification permissions are abused to deliver spam, scareware, and phishing lures.

• A Deny it unless it's a site I use regularly and trust.
• B Deny by default and configure my browser to block notification requests.
• C Allow it — notifications can be useful.
• D Allow it only if the site looks trustworthy.

A client asks you to send their contract via personal WhatsApp. What do you do?

Sending sensitive documents through unapproved personal messaging apps bypasses corporate data controls.

• A Send it on WhatsApp but delete the chat afterwards.
• B Send it on WhatsApp — the client prefers it.
• C Share through the company's approved secure portal and explain why.
• D Explain the policy and offer to send via company email instead.

How do you share sensitive documents with colleagues?

Email attachments can be intercepted. Encrypted file sharing and access-controlled platforms are safer alternatives.

• A I use encrypted, access-controlled sharing and set expiry dates on links.
• B I use a cloud drive link but don't restrict access.
• C I email them as attachments — it's the easiest way.
• D I share via a company-approved platform with access controls.

You discover a shared drive folder containing files you shouldn't have access to. What do you do?

Accidental access to restricted data is a permissions issue that should be reported, not exploited.

• A Do not open any files, report to IT immediately, and document what you found.
• B Report it to IT so they can fix the permissions.
• C Ignore it and move on without telling anyone.
• D Browse the files out of curiosity.

Someone you don't recognise follows you through a secure door. What do you do?

Tailgating is one of the simplest ways to bypass physical security. Politely challenging unknown individuals protects everyone.

• A Hold the door open for them — it would be rude not to.
• B Let them through but feel uneasy about it.
• C Ask them to badge in separately and report the incident to security if they can't.
• D Politely ask if they have a badge or are visiting someone.

At the end of the workday, what do you do with sensitive printed documents on your desk?

A clean desk policy prevents unauthorised viewing of sensitive information left in plain sight.

• A Turn them face down.
• B Lock them in my desk drawer.
• C Leave them on my desk — I'll need them tomorrow.
• D Lock them away or shred them if no longer needed.

You notice a colleague's password written on a sticky note on their monitor. What do you do?

Visible passwords are one of the easiest ways for an attacker or insider to gain unauthorised access.

• A Privately advise them to remove it and use a password manager.
• B Ignore it — it's their business.
• C Advise them, and if they don't act, report it to the security team.
• D Mention it casually but don't follow up.