Cybersecurity Training for Managers
Warning! This is not a comprehensive cybersecurity training. We are applying the Pareto principle 80:20. We've distilled it down to: one technical measure and one habit, the implementation of which will significantly increase your level of cybersecurity. In addition, we’ll provide a few tips on what you can do for yourself and your subordinates.
Cybersecurity today is not just a matter of technology. Even the best protection can fail if users are not cautious. Technical measures are not foolproof – each of us must take active steps to stay secure. And for managers, this is twice as important.
University leadership, as well as managers and academic staff with decision-making authority, are increasingly becoming targets of attacks. The greatest threat is not just viruses and other malicious files, but manipulation through social engineering. The most common form of this is phishing – fraudulent emails designed to trick victims into revealing sensitive information or taking specific actions.
Fast and slow thinking – or why attacks work
Attackers rely on the fact that the victim often reacts intuitively (on autopilot). This is based on the well-known principles of how the human mind works, as described and popularized by Daniel Kahneman, known as fast and slow thinking:
- System 1: Fast, intuitive = autopilot – decision-making is based on experience and emotions. It is quick and effortless, but at the same time, it is easily manipulable and prone to cognitive biases. This is the system attackers target – they use time pressure, fear, or seemingly trustworthy cues to get the victim to react impulsively
- System 2: Slow, analytical – decision-making is conscious, requiring focus and careful consideration of information. This system is more resistant to manipulation because it can critically analyze situations and verify facts
- What is the problem: Phishing – currently the most popular social engineering technique, where the attacker tries to get the victim to take action
- Why is it a problem: Phishing attacks at the university are recorded on a daily basis. Victims often unknowingly share their login credentials for systems and lose access to their accounts
- What we want to achieve: A significant reduction in the risk of login credential leaks and the subsequent loss of access (not only) to the university identity
- How we want to achieve this: Password managers combined with multi-factor authentication
Phishing at MU
The attacker purchased a domain (munl.cz) for less than 200 CZK, which mimicked the legitimate domain of Masaryk University (muni.cz). Using a publicly available guide on the internet, they set up an email server on this domain and sent phishing emails that closely resembled messages from INET. In these emails, the recipient was prompted to click on a fraudulent link leading to a fake login page.
This page visually replicated the legitimate MUNI Unified Login portal. Users who rely on multi-factor authentication and the verification code method (TOTP), believing they were logging into the real university website, entered their code – thereby handing it directly to the attacker. The attacker then gained access to their accounts and could immediately misuse them.
Lesson learned: Even weaker methods of multi-factor authentication won't protect you. Replace TOTP with a security key.
Password Manager
It fills in details only on legitimate websites and helps to identify fraudulent websites.
Multi-Factor Authentication
Using a security key stops attackers from accessing your account, even if they know your password.
Multi-Factor Authentication can also be set up in the MU Information System (IS MU) using either of the following methods:
- After entering your UČO (university identification number) and password, you will be asked to confirm your login using an identification method that you have activated. Choose it, scan the QR code, and confirm the login on your mobile device.
- When logging in, you will also enter a one-time six-digit code from your authentication app. However, be cautious about the website where you enter the code – the legitimate site will always have the address islogin.cz.
- What is the problem: Spear phishing – targeted phishing aimed at selected individuals, typically in high managerial positions
- Why is it a problem: Technical solutions can never guarantee 100% protection. Spear phishing is difficult to recognize. There is a significant risk of reputation loss, financial damage, and loss of know-how. This happens even at MU
- What we want to achieve: Turning off the "autopilot" in decision-making. Verifying the truthfulness of requests
- How we want to achieve this: Systematic habit-building to "turn off autopilot" using a STOP technique
Spear-phishing at MU
What happened: Attackers used publicly available data for a targeted spear-phishing attack. They focused on the membership fees of an organization where Masaryk University is listed as a member. About a month before the actual payment deadline, they initiated communication with the correct contact person at MU, and under the pretext of administratively handling the payment, exchanged several emails. Through this conversation, they gained trust and were able to convince the university employee to pay a fake invoice worth several thousand euros. The fraud was only discovered when the real invoice arrived.
Similar frauds have been recorded for at least five years. The same attack vector was used against other entities, such as airline companies. Even though more people were involved in the payment approval process, no one found it suspicious.
Lesson learned: Manipulation of the victim ("gaining trust") and the abuse of the "autopilot" in decision-making cannot be solved with technical measures, but by building the right habits.
Build the Habit...
For three weeks, apply the STOP technique when handling emails – four steps for safely assessing a message:
- Step back – pause before reacting
- Test – check the address, links, and attachments
- Overcheck – if in doubt, verify through another channel
- Proceed – report the fraud or continue working
Why it works: The STOP technique creates a brief pause that activates analytical thinking (System 2) instead of quick, instinctive reactions (System 1). It’s similar to stopping at an intersection, looking around, and only then taking action.
... and place it in front of your monitor
To ensure you don't forget this measure, we've prepared a tool (a reminder) that you can print out and place in front of your monitor. You can also mark the days when you've successfully applied the STOP technique at least once.
Cybersecurity Recommendations for Leaders
Security Starts with You.
That's why we've compiled a list of specific measures that you can easily implement on your own. You likely already have a password manager and use multi-factor authentication. Additional measures can be implemented using the guides linked. Besides technical measures, it’s also important to focus on the right habits, whether it’s using the STOP technique or regular training.
Be a Role Model and Inspire Others.
Cybersecurity is a process that will always involve people by its nature. If an incident occurs in your workplace, as a leader, you are naturally part of its resolution. This also applies to cybersecurity incidents. Require the same measures and habits from your employees. Help us and be ambassadors for a secure cybersecurity environment at the university.
-
Lead by Example and Implement Technical Measures
- Activate multi-factor authentication
- Use a password manager
- Set up automatic screen lock
- Use antivirus software
- Enable automatic program and operating system updates
- Activate disk encryption
- Use university cloud services (M365, Google Workspace) for data storage and sharing
- Use the official university storage
- Back up data regularly and automatically
- Always use eduVPN on public Wi-Fi networks
-
Build Habits for Safe Navigation in the Online Environment
- Process emails and other communication consciously (tools like our STOP approach can help)
- Complete annual cybersecurity training (it’s just 90 minutes of your time per year)
- Replace your phone and computer at least once every five years
- Report any suspicions of a cybersecurity incident
-
Remind Yourself of the Responsibilities of Leaders
- Familiarize yourself with and follow the IT MU Rules
- You are jointly responsible for resolving incidents involving your employees or workplace
- Respond promptly to the instructions of the MU Cybersecurity Team when handling incidents
- If a decision is expected from you, ask for an explanation of the issue to ensure your decision is well-informed
When to Contact the MU Cybersecurity Team?
The MU Cybersecurity Team (CSIRT-MU) coordinates the resolution of security incidents caused by phishing or malware, data breaches, or login credential leaks. Technical issues (e.g., forgotten passwords or non-functioning VPN) are handled by technical support.
-
Be a Role Model, Set the Direction, and Support Education
- Insist that your employees are familiar with and adhere to the IT MU Rules
- Require the implementation of the same technical measures that you apply. We can assist with monitoring compliance
- Support the education of your employees (at least once a year):
- Cybersecurity Minimum for MU Employees (online, self-paced)
- Processing and Protection of Personal Data for MU Employees (training in IS MU)
- Additionally, we highly recommend:
- Secure Your Devices (practical workshop at your workplace)
- Arrange a phishing simulation campaign (testing resilience to phishing)
- Microsoft 365 Basics course (online, self-paced, basic work with M365)
- Our colleagues offer a range of specialized training for Microsoft 365 applications
Final Word
We hope that our training will help improve cybersecurity not only for you but also at your workplace. Remember that even small changes can significantly reduce the risks associated with successful attacks, and only together can we make the university safer. Therefore, don’t hesitate to contact us in the future with any cybersecurity questions. We are here for you.