Employee Security Responsibilities

Know your personal security duties at work.

What You'll Learn

Training Steps

  1. A Normal Monday at Meridian Healthcare

    Welcome to Meridian Healthcare! You are Alice, a patient services coordinator who handles appointment scheduling and patient records. It's a normal Monday morning. You've just settled in with your coffee and logged into the patient management portal.

  2. An Urgent Phone Call

    Alice's phone rings. The caller ID shows 'Dr. Rajan Mehta - Cardiology.' A man's voice comes through — urgent, almost panicked. He says a patient is coding in the ER and he desperately needs access to their records, but his portal account is locked out.

  3. The Verification Trick

    The caller offers to 'verify' his identity. He gives Alice the first few digits of his employee ID and asks her to look up and read back the rest. It feels like proof — but he has just tricked Alice into completing his identity for him.

  4. Directed to the "Quick-Reset Tool"

    Now that Alice believes the caller is legitimate, he directs her to an 'IT quick-reset tool' at meridianhc-portal.net/reset. He says she needs to enter her own credentials to authorize the reset for his account.

  5. Entering Credentials on the Phishing Page

    Alice opens the URL the caller provided. The page looks like a Meridian Healthcare IT tool — but the domain is meridianhc-portal.net, not the real meridianhc.com. She doesn't notice the difference in her rush to help the 'dying patient.'

  6. "Processing" the Authorization

    The page shows a 'Processing Authorization' message and says Alice will receive a confirmation email within 24 hours. It looks routine — but her credentials have just been captured by the attacker.

  7. Consequences Revealed

    Three hours later, an urgent email arrives from the CISO. Unauthorized access has been detected on the patient management system. 2,300 patient records — names, Social Security numbers, insurance data, medical histories — have been exported to an external server. The credentials used: Alice's.

  8. The Breach Investigation

    Alice's stomach drops. She clicks the link to the breach investigation dashboard and logs in to see the full scope of the damage.

  9. Understanding the Attack Chain

    The breach dashboard reveals the full attack chain. Every step is laid out: the spoofed caller ID, the fake verification trick, the phishing URL on an external domain, and the credential capture.

  10. What Should Alice Have Done?

    Now that the full attack chain is visible, let's reflect on the critical moment where Alice could have stopped this.