Trick 1: Pre-Access Training Applies to Third Parties Too
Pre-access training applies to ALL users who will receive access to organizational systems — employees, contractors, business partners, and suppliers. The boundary is access level, not employment status. Third parties who need access must complete training before access is granted.
Trick 2: Unknown USB Drives and Cables Are Unconditionally Prohibited
Never connect an unknown USB drive or cable to a work system. There is no safe visual inspection that can verify a USB device's firmware has not been reprogrammed for BadUSB or HID injection. The prohibition is unconditional: found in a parking lot, received in an envelope labeled with a familiar company name, or left on a conference room table.
Trick 3: OPSEC = Think Like the Attacker Before Posting
OPSEC asks users to consider what information they are exposing and whether an attacker could use it. Before posting about technology systems, job postings, conference talks, or project details publicly, consider: "Could an attacker use this to build a reconnaissance profile or plan an attack?"
Trick 4: Remote Work Removes the Physical Perimeter
Remote work means the endpoint device itself is the security perimeter. Without the office network's security controls (firewall, IDS, NAC), the remote device must carry equivalent security. This requires: VPN (for encrypted, controlled access), EDR/MDM (for endpoint visibility and control), and no family member access to work devices.