2026 Information Security Training & Awareness


Scene 1 (0s)

2026 Information Security Training & Awareness. Audience: BSP General Staff (PNG & Pacific Markets). Prepared by: Information Security Business Unit.

Scene 2 (9s)

Overview. Introduction to Information Security Awareness; Information Security Policy Overview; Information Security Regulatory Overview; Social Engineering & Phishing Awareness; Password and Authentication; Data Protection and Privacy; Secure Use of Email, Internet & Devices; Identity & Access Management; Incident Reporting & Escalation; Physical Security; Secure Remote Work & Cloud Safety; Ransomware & Malware Prevention.

Scene 3 (26s)

This training and awareness is designed to give you practical skills and knowledge that will help protect you, your colleagues, and BSP Financial Group as an organization from security risks. The more engaged you are today, the more empowered you will be to make security a part of your daily routine.

Scene 4 (56s)

Why Cyber or Information Security Matters to BSP Financial Group.

Scene 5 (1m 43s)

Information security policy. This policy protects BSP Financial Group information assets and supporting technology from threats that could compromise confidentiality, integrity, availability, and accountability.

Scene 6 (2m 37s)

PCI-DSS obligation (Do’s). Ensure full card numbers are masked. Ensure emails from customers containing full card information are deleted. Ensure secure bins are used for disposal of card information on paper. Ensure EFTPOS/ATMs are not tampered with. Report suspicious activity immediately. Ensure 2FA is set up for PCI systems (OWCC-PCI & Postilion Web Portal).

Scene 7 (3m 31s)

Key Focus area. Phishing Emails: Spelling errors, strange sender addresses, unexpected attachments. Spoofed domains and urgent requests to click links or update passwords. Smishing & Vishing: Fake SMS or calls pretending to be the bank, IT, or delivery services. Requests for OTPs, MFA codes, or personal info are always suspicious. Business Email Compromise (BEC): Impersonation of executives or suppliers to trick you into approving payments or sharing info.

Scene 8 (4m 31s)

Strong password & passphrases. Your password must be 12 characters long. It must contain uppercase letters, lowercase letters, base 10 digits (0 to 9) and special characters. It must not contain your account name (your name) or any dictionary words.

Scene 9 (5m 20s)

BSP Data Classification. Public – Information published for the public. Internal Use Only – For any internal news, documents or postings. External Confidential – Data that is privately disclosed to external entities. Internal Confidential – Sensitive data that is restricted to specific internal groups/people. Customer Legal – Sensitive data received from external entities. Restricted – Highly sensitive data that is protected by law or regulatory standards.

Scene 10 (6m 5s)

Data Protection and Privacy: Do’s and Don’ts. Data Loss Prevention (DLP) is the practice of detecting and preventing confidential data from being “leaked” out of an organization’s boundaries for unauthorized use. BSP uses this technology for internal security and regulatory compliance.

Scene 11 (7m 16s)

Email and internet safety. Emails: Do NOT use non-BSP email for official use (e.g. a retail branch violated the information security policy by using a Gmail account for official use). Safe browsing: Stick to trusted websites, avoid suspicious links. Malicious attachments: Never open unexpected files or emails from unknown senders. Corporate device usage: Keep software updated and use only approved business applications. USB devices: Never plug in unknown or found USBs. Use only corporate-approved removable media. Personal cloud storage: Do not upload or store corporate data on personal Google Drive, Dropbox, etc.

Scene 12 (8m 6s)

Every login and access request plays a role in protecting BSPFG’s most valuable information asset. Identity & Access Management ensures the right people have the right access at the right time. Weak passwords, shared accounts, and excessive or outdated access create serious risks. Security starts with identity, and strong IAM practices protect our organization, colleagues, and customers.

Scene 13 (8m 50s)

Security incidents can happen at any time: a suspicious email, a lost device, unusual system activity, or accidental data exposure. What makes the difference is how quickly and appropriately we respond. Early reporting helps contain threats, reduce impact, and protect our organization. It is essential to know how to recognize potential security incidents, report them promptly, and understand the proper escalation process. Remember, reporting a concern is not about blame, it’s about protection. What is a security incident? A security incident is any event that compromises or has the potential to compromise the confidentiality, integrity, or availability of information, systems, or devices.

Scene 14 (10m 0s)

Why physical security matters. Prevents data breaches caused by physical access. Protects confidential information & assets. Reduces risk of theft, vandalism, and disruption. Supports overall information security strategy.

Scene 15 (10m 31s)

VPN & Wi-Fi Security. Always connect to the corporate VPN when working remotely. Never access internal systems without VPN. Disconnect when not in use. Do NOT use public Wi-Fi without VPN. Avoid unsecured or unknown networks. Secure home Wi-Fi with a strong password & WPA3/WPA2 encryption.

Scene 16 (11m 12s)

How Ransomware Enters Environments: Phishing emails and malicious attachments. Infected downloads and software. Compromised websites and links. Using unpatched or outdated software.