Social engineering
Social engineering is the act of obtaining or trying to get information by tricking and convincing an individual to reveal sensitive information.
In this section, you will learn how to identify these tricks and avoid sharing sensitive information with unauthorized persons.
THE RISK
• Attackers establish a trusting relationship, then abuse it to gain access to sensitive information.
Attackers try to establish a trusting relationship, then abuse it to gain access to sensitive information and even passwords. A very popular social engineering method is contacting the victim via telephone.
WHAT CAN I DO?
1. If in doubt, end the call
If you get a suspicious call from an unknown person, end it by telling the caller that you’re under time pressure and that you’ll get back to them.
2. Verify the caller’s identity
You can check if the caller really is who they claim to be by calling the switchboard of the alleged company and asking to be put through. Do not call a mobile number given to you by the suspicious caller.
3. Do not share any information
Never share sensitive information with unverified people, either on the phone or by e-mail. Never share your password with anyone, not even with an IT administrator or your manager.
4. Report potential attacks
Always report social engineering and other potential attacks immediately as a security incident. Multiple employees in a company may be targeted at the same time and it is essential for us to react. Please use the incident reporting tool or – in the case of a critical incident – also inform your local security staff right away.
Examples of reportable incidents:
• Theft or loss of equipment
• Disclosure of information
• Hacking or malware attacks
• Unauthorized access to IT systems
• Physical harm
• Disclosure of your password
• More
Quick link: go/incident-reporting
Quick link: go/emergencies
Well done! You now know:
• If in doubt, end the call
• Verify the caller’s identity
• Do not share any information
• Report potential attacks
Passwords
Your passwords are keys to accessing our systems and information.
In this section, you will learn how to create good, safe passwords for your work and private life.
THE RISK
• Unauthorized individuals can access company information in your name.
• Simple or short passwords are very easy to guess or to crack.
Passwords protect your digital identity. Disclosed passwords can give unauthorized people access to your personal and company information. Simple or short passwords, with just a few digits or which can be found in the dictionary, are very easy for hackers to guess or to crack.
WHAT CAN I DO?
1. Never share your password with anyone
Not even with IT staff or a manager. For privileged users with administrative access, specific requirements apply. If you suspect that your password has been disclosed, please reset it immediately and open a security incident ticket.
2. Always use secure passwords
Use secure passwords which cannot be found in the dictionary and which contain at least 3 of the following 4 types of characters: Latin uppercase letters, Latin lowercase letters, base 10 digits and non-alphanumeric characters. Also remember that the longer the password is, the stronger it will be. Your password must at least meet SAP’s minimum requirement.
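As an added example that is not part of the training material, the following Python check implements the rule just stated (at least 3 of the 4 character types, no dictionary word) so it can be enforced where passwords are set. The minimum length and the word list are assumptions; SAP’s actual minimum requirement is not given here.

```python
# Added example (not from the SAP training material): validate a password
# against the stated policy: at least 3 of the 4 character types, not a
# dictionary word, and a minimum length.
import string

MIN_LENGTH = 12  # assumption: replace with your organisation's minimum

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "secret"}


def character_classes(password: str) -> set[str]:
    """Return which of the four policy character types occur in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("other")  # punctuation, symbols, spaces
        # assumption: non-Latin letters and digits count towards none of the four
    return classes


def is_dictionary_word(password: str, words=DICTIONARY) -> bool:
    """True if the password is a dictionary word, ignoring case and any
    digits or symbols merely prepended or appended (e.g. 'Password1!')."""
    core = password.strip(string.digits + string.punctuation).lower()
    return core in words


def check_password(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        failures.append("uses fewer than 3 of the 4 character types")
    if is_dictionary_word(password):
        failures.append("is a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1!", "correcthorsebatterystaple", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate) or "OK")
```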
3. Store your standard user passwords in Password Depot
Don’t ever leave your passwords lying around. Store your standard user passwords in Password Depot, which we recommend be installed on your computer. You can also use Password Depot to create strong passwords. Please do not use any other online password generators which are not approved by SAP.
More information: SAP Jam: Password Depot
4. Use a different password for each system
Use unique passwords for all important systems. Never reuse your SAP or Windows password for other systems, and especially, do not use your SAP password for private accounts. Don’t forget to use unique passwords for your important private accounts too.
Well done! You now know:
• Never share your password with anyone
• Always use secure passwords
• Store your passwords in Password Depot
• Use a different password for each system
Information classification
Due to the nature of our business, we work with a lot of sensitive information.
In this section, you will learn how to classify data and how to handle it with care.
THE RISK
• Information often fails to get the right protection because it is either left unclassified or classified incorrectly.
• In the wrong hands, confidential information can cause considerable damage.
Incorrectly classified or non-classified information will likely be handled in an incorrect manner. We can be greatly harmed in terms of money and reputation if confidential information ends up in the wrong hands. This is why it is essential that data is correctly classified and handled in the right way.
WHAT CAN I DO?
1. Always classify information
The more damage a piece of information could cause if it gets wrongly disclosed, the more protection it needs. Classify and label data according to our information classification levels: Public, Internal and Confidential.
2. Use the “Sensitivity” button in Office365 to protect information
By using the “Sensitivity” button, you can classify, label, and encrypt your office documents. Please make yourself familiar with this solution and use it, especially for confidential information.
More information: SharePoint
3. File it in the right place
Confidential information must only be stored in the designated company IT environment which is specified for this type of information. Never store business information on a private computer or in a cloud service you subscribed to yourself.
4. Handle it with care
Always label it according to its classification level. Store it locked, either in digital or paper form. Don’t transfer it unencrypted. Dispose of it properly using a shredder or secure data bin. Always consider the need-to-know principle: tell others only what they need to know to carry out their tasks.
Well done! You now know:
• Always classify information
• Use the “Sensitivity” button in Office365 to protect information
• File it in the right place
• Handle it with care
Secure workplace
Information left lying on your desk is vulnerable to prying eyes and sticky fingers.
In this section, you will learn how to keep sensitive and private information secure.
THE RISK
• Unauthorized access to buildings is always possible. Attackers can then easily get access to confidential information.
We are customer and business-oriented, not Fort Knox. Attackers will always find a way to enter our buildings and can easily access sensitive data left lying around.
WHAT CAN I DO?
1. Keep confidential data under lock and key
When away from your workplace, lock your office if possible or lock away sensitive information in a cabinet. And please: lock your computer screen, even if you just step away briefly. At your unlocked PC, an attacker can easily access sensitive data or install malware. No one will take care of your PC when you’re not around.
Lock shortcut: Windows key + L; Mac users: Control + Command + Q.
2. Always use Badge Printing
For printing sensitive information, use badge printing. The printer will not start printing until you log in.
3. Accompany visitors
Pick up visitors at the reception and accompany them back or to their next meeting. Make sure that the visitors wear their visitor badge visibly. You should also always wear your badge visibly if you are on site at SAP.
4. Work securely at home and while travelling
And remember: security also applies when travelling and in the home office. Even there, lock away sensitive documents, lock your PC and do not leave SAP IT devices with anyone, including family members.
Well done! You now know:
• Keep confidential data under lock and key
• Always use Badge Printing
• Accompany visitors
• Work securely at home and while travelling
Phishing
Phishing is the attempt by a hacker to acquire sensitive information or to establish permanent access to your computer.
It often starts with an e-mail impersonating a trustworthy entity. In this section, you will learn how to recognize and protect yourself against phishing attacks.
THE RISK
• Phishing e-mails can trigger infections that damage our entire corporate IT and can lead to the loss of confidential information.
Clicking on links or attachments in phishing e-mails can cause infections. The infections can be caused by harmful software that our antivirus software might not detect. In the worst case, the infection will be spread to your colleagues and can even compromise our entire network. This situation can lead to leakage of confidential information and huge business and reputational loss.
At stake: customer information, employee information, business information, your colleagues, the network.
WHAT CAN I DO?
1. Double-check the e-mail sender
Keep the following indicators of phishing in mind. Double-check the e-mail sender and see if it is in any way suspicious. Don’t forget that e-mail addresses can be easily spoofed.
2. Double-check the greeting
Check and see if there is a personal greeting. Are you being addressed by name?
3. Double-check links and attachments and do not activate macros
Phishing e-mails nearly always contain a sense of urgency, requiring you to click on a link or open an attachment. If it seems suspicious, do not click on the link or open the attachment. Also, be extremely cautious when activating macros in Microsoft Office programs, such as Excel or Word, as they might contain malware.
4. If in doubt, report it!
If you are in doubt about an e-mail and you know the sender, call and ask if he/she actually sent it. Suspicious e-mails should be forwarded as an attachment to [email protected] or using the Phishing Reporter button in Outlook. If you do not have the button installed yet, you can find it with the Get Add-ins button in your Outlook ribbon.
Well done! You now know:
• Double-check the e-mail sender
• Double-check the greeting
• Double-check links and attachments and do not activate macros
• If in doubt, report it!
Social media
As a company, we have no problem with social networks, as long as you stick to our rules.
In this chapter, we give you the most important guidelines for social networking.
THE RISK
• The reputation and image of SAP could be damaged.
• Attackers could obtain valuable internal information.
The reputation of a company can be severely damaged very quickly by ill-considered posts and information on social networks. In addition, professional attackers search social networks for key information they can use for an attack.
WHAT CAN I DO?
1. Never set up user profiles or groups in SAP's name
Our marketing department is responsible for this task. Always act responsibly and behave appropriately. The network does not distinguish between you as a private individual and you as an SAP employee.
2. Don’t share internal information
Never share internal or confidential company information. Even seemingly harmless information, for example project names, software used or a photo of your badge, is often exploited for targeted phishing or social engineering attacks.
3. Never use your SAP passwords on social networks and only use your SAP e-mail address if officially approved by SAP
If the social network has a security gap, there’s no need for us to have one too.
Well done! You now know:
• Never set up user profiles or groups in SAP's name
• Don’t share internal information
• Never use your SAP passwords on social networks and only use your SAP e-mail address if officially approved by SAP
Secure communication
We all need to transfer information for our daily work.
In this section, you will learn how to do this safely and securely in your working environment.
THE RISK
• Unencrypted e-mails and public cloud storage services are not secure. Sensitive information may be lost or can even end up in the wrong hands.
If you transfer unencrypted information, for example by e-mail, it is about as secret as a message on a postcard and can be read by many people.
WHAT CAN I DO?
1. Never use unauthorized cloud services
Our business information must always remain in our business IT environment. Any business information outside of this environment is out of our control and therefore considered vulnerable. Accordingly, never use unauthorized cloud services for business data.
2. Use approved exchange tools
Only use SAP-approved solutions for exchanging business data, such as OneDrive for Business. You can even transfer confidential information with many of them. Approved tools include SharePoint Online, OneDrive for Business, SAP Jam and more.
Link: https://go.sap.corp/secure-communication
3. Always encrypt sensitive data
Because unencrypted information can be easily read by many people, it is essential that you transfer sensitive information encrypted. Microsoft Office Data Level Encryption with Azure Rights Management is the best way to secure your Microsoft Office data at SAP. It is enabled for all SAP employees and is available in Microsoft 365 applications.
4. Never use personal e-mail accounts
Please also do not use private e-mail accounts for our business data and never set up automatic forwarding rules to private accounts. Data will be transferred unencrypted and the private client can be infected with malware.
Well done! You now know:
• Never use unauthorized cloud services
• Use approved exchange tools
• Always encrypt sensitive data
• Never use personal e-mail accounts
Secure Mobile Devices
Our know-how is not only stored in data centers and computers – we take it with us on smartphones and tablets.
In this chapter you will learn how to protect our information on mobile devices.
THE RISK
• Company tablets and smartphones can also be subject to various malicious threats.
Company tablets and smartphones can be subject to threats such as malicious apps, phishing attacks, data leakage, malware or even unsecure WiFi.
WHAT CAN I DO?
1. Use trusted WiFi connections
Check the available WiFis carefully. Be cautious of WiFi networks you don’t recognize and free WiFi networks that don’t require a password. We recommend using iPass. With iPass, you can automatically log in with your SAP device to trusted iPass WiFi networks, which are available in hotels, airports, flights, and other locations.
2. Use apps from official stores and update your device
Only install apps from official stores like Apple Store or Google Play or from the SAP IT app store. And please ensure that your device is always updated to the latest software version approved by SAP IT.
3. Prevent data leakage
Please avoid copying SAP data to local apps like your personal contacts. They could be read by apps such as WhatsApp or synchronized with rental cars via Bluetooth.
4. Immediately report lost devices
Don’t leave your devices unattended on a desk or packed in luggage. If your mobile device is lost or stolen, immediately remotely lock the device and report the incident by creating a security incident ticket.
Well done! You now know:
• Use trusted WiFi connections
• Use apps from official stores and update your device
• Prevent data leakage
• Immediately report lost devices