Security Awareness Training
A required course for all Savas Software independent contractors. Working through this together protects your work, your clients, and the people you collaborate with every day.
What you'll need to do
To complete this training and receive credit, you need to:
- View every module. The "Next" button moves you forward; the sidebar lets you jump around once you've started.
- Pass the knowledge check at 80% or higher. You can retake it as many times as you need.
- Sign the policy acknowledgment by completing the short Microsoft Form linked at the end. This is the official record that you've completed training.
How to navigate
Use the Previous and Next buttons at the bottom of each module, or click any module in the sidebar. Your progress is tracked in the bar at the top — modules turn green as you complete them. If you close the page, your progress will reset, so try to finish in one sitting.
This isn't a checkbox exercise. Most security incidents at organizations like Savas Software happen not because someone broke a rule, but because they didn't know one. Spend the time. The 30 minutes you put in today is meaningfully cheaper than the alternative.
Module 01 — Foundations
Why security matters
The vast majority of security incidents trace back to a single human moment — a clicked link, a reused password, an unlocked screen. Understanding what's at stake makes those moments easier to spot.
Most breaches start with a person, not a system
You'll occasionally read a headline about a "sophisticated cyberattack." Most of the time, that headline is hiding something simpler: someone clicked a link they shouldn't have, used a password they'd used elsewhere, or sent a file to the wrong place. Technology defenses matter, but the front line of every organization's security is its people.
That's not a criticism — it's just where the work has shifted. Spam filters and antivirus software now block the obvious threats automatically. What gets through is what's been designed to look legitimate, and that's where human judgment becomes the deciding factor.
What's at stake when something goes wrong
A successful attack on a single account can lead to several different kinds of damage, often at the same time:
- Data theft — customer records, internal documents, source code, or credentials extracted and either sold or held for ransom.
- Financial loss — fraudulent wire transfers, ransom payments, regulatory fines, and the cost of incident response itself.
- Operational downtime — systems taken offline for days or weeks while the response unfolds, blocking your work and everyone else's.
- Legal and contractual penalties — many client contracts include security requirements; breaches can trigger penalties, lost contracts, and litigation.
- Reputation damage — once trust is lost with a client or the public, it's slow and expensive to rebuild.
Why contractors are a deliberate target
If you've wondered why contractor security gets so much attention, the short answer is: attackers think about it more than most contractors do. From the attacker's point of view, contractors often have:
- Real access to client systems and data, sometimes equivalent to internal staff
- Less day-to-day visibility from the security team
- A mix of personal and work devices, on personal and public networks
- Multiple clients, which means a single compromised contractor can be a path into many organizations at once
None of this means contractors are the weakest link — well-prepared contractors are often more security-aware than full-time staff, because they're handling so many different environments. It does mean attackers will try, and that the defaults you set for yourself matter.
Savas Software invests in firewalls, monitoring, identity management, and training programs like this one. None of it works without your participation. The point of "shared responsibility" isn't to spread blame — it's to recognize that security is a system, and you're a part of it whether you opt in or not.
Module 02 — Your Role
Your responsibilities as a contractor
A short, practical list of what's expected of you. Everything in later modules is just detail on these basics.
What you're responsible for
As a Savas Software contractor, you're responsible for the security of the access we've given you. Concretely, that means:
- Protecting your account credentials. Your username and password belong to you alone. They aren't shared with assistants, partners, family members, or anyone else — even temporarily.
- Using only the account assigned to you. Don't borrow or use someone else's login, even if it's faster or more convenient.
- Keeping company data in approved places. If Savas Software issued or pointed you to a tool, that's where the data goes — not personal email, personal cloud drives, or your own backup tools.
- Staying alert and reporting things that look wrong. A suspicious email, a strange login prompt, a missing file — when something feels off, it usually is. Speak up early.
Acceptable use, in plain terms
The systems and data you've been given access to are tools to do contracted work. Use them for that. Don't use them as personal storage, don't use them for side projects, and don't use them to test things outside the scope of your engagement.
Do
- Use approved tools and storage
- Lock your screen when stepping away
- Report anything suspicious right away
- Ask if you're not sure something is allowed
- Return or delete data when work ends
Don't
- Share passwords with anyone
- Let others use your account
- Store company data in personal accounts
- Install unapproved software on work machines
- Try to bypass security controls
Security policies can't anticipate every situation. If something genuinely useful for your work feels like it might cross a line — a new tool, a different storage location, a request from someone you don't usually talk to — ask before you act. Email itsecurity@savassoftware.com.
Module 03 — Threats
Phishing & social engineering
Phishing is the single most common way attackers get a foothold. Recognizing it isn't about being clever — it's about slowing down enough to notice the signals.
What phishing actually is
Phishing is the use of fake messages — usually email, but increasingly text messages, phone calls, and chat apps — to trick someone into doing something harmful. That "something" is typically one of three things: clicking a link that captures your credentials, opening an attachment that installs malware, or responding to a request to transfer money or data.
The defining trait of phishing isn't that it looks fake. Modern phishing looks remarkably real. The defining trait is that it tries to short-circuit your judgment by creating urgency, fear, authority, or curiosity — emotions that make you act before you think.
The red flags worth memorizing
You don't need to memorize every phishing technique. You do need to recognize the patterns that nearly always show up:
| Red Flag | What it looks like |
|---|---|
| Urgency | "Your account will be locked in 24 hours." "Wire this immediately." "Action required by end of day." |
| Unexpected attachments | An invoice you weren't expecting, a "scanned document," a fax-as-PDF, a zipped file from someone you've never zipped a file with. |
| Off-domain sender | The display name says "Microsoft Support" but the actual address is support@microsft-help.co. Read the actual email address, not the name. |
| Authority impersonation | An email from "the CEO" asking for gift cards, a wire transfer, or your phone number — usually claiming to be in a meeting and unable to talk. |
| Mismatched link | The link text says savassoftware.com but hovering over it reveals a different URL. |
| Out-of-band request | Someone asks you to switch from email to a personal phone or messaging app to "talk privately." |
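
The urgency, off-domain sender and mismatched link rows above, expressed as checks over a raw message. This is an added example, not part of the original training; the `TRUSTED` table, the urgency phrases and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: brand keyword -> domains that brand really sends from.
TRUSTED = {"microsoft": {"microsoft.com"}, "savas": {"savassoftware.com"}}
# Urgency phrases taken from the table's examples.
URGENCY = re.compile(r"locked in \d+ hours|immediately|end of day", re.I)
# Link text that itself looks like a domain or URL.
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def registrable(host):
    # Simplification: last two labels. A real tool should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def red_flags(raw):
    msg = message_from_string(raw)
    flags = []
    # Off-domain sender: compare the real address, not the display name.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    for brand, domains in TRUSTED.items():
        if brand in name.lower() and sender_domain not in domains:
            flags.append(f"off-domain sender: '{name}' <{addr}>")
    body = msg.get_payload()
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency")
    # Mismatched link: the text shows one domain, the href goes to another.
    parser = LinkCollector()
    parser.feed(body)
    for text, href in parser.links:
        shown = DOMAIN_TEXT.match(text)
        actual = urlsplit(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(actual):
            flags.append(f"mismatched link: shows {shown.group(1)}, goes to {actual}")
    return flags

# Constructed samples: one suspicious message, one ordinary one.
SUSPICIOUS = """From: Microsoft Support <support@microsft-help.co>
Subject: Action required by end of day
Content-Type: text/html

<p>Your account will be locked in 24 hours.</p>
<a href="https://login.example.net/reset">savassoftware.com</a>
"""
BENIGN = """From: Savas IT <itsecurity@savassoftware.com>
Subject: Training reminder
Content-Type: text/html

<p>Please finish the course this week.</p>
<a href="https://www.savassoftware.com/training">savassoftware.com</a>
"""

if __name__ == "__main__":
    for flag in red_flags(SUSPICIOUS):
        print(flag)
```

A message that raises no flags here is not thereby safe; the checks only automate three rows of the table.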
What to do when something looks off
1. Don't click. Don't reply. Don't open the attachment. If you've already clicked, that's not the end of the world — but stop now and skip to step 3.
2. Verify through a different channel. If "your bank" emails about a problem, log in directly to your bank — don't follow the email's link. If "the CEO" texts an urgent request, call the number you already have on file.
3. Report it. Forward the message to itsecurity@savassoftware.com. Even if you're not sure — especially if you're not sure. Reporting a false alarm has zero cost; failing to report a real one is how breaches happen.
It happens. Don't hide it, don't try to fix it yourself, and don't wait until you're sure. Email itsecurity@savassoftware.com right away with what you clicked, when, and what (if anything) happened next. Fast reporting is the single biggest factor in how bad an incident gets.
Module 04 — Account Security
Passwords & account security
Strong passwords and a second factor are the two cheapest, highest-leverage things you can do for your account. Most credential attacks are stopped at one of these two doors.
What makes a password actually strong
The old advice — eight characters, a number, a symbol — has been outdated for years. What matters now is length and uniqueness:
- Length over complexity. A 16-character passphrase like copper-lantern-skyline-7843 is dramatically stronger than P@ssw0rd! and far easier to remember.
- Unique per account. Every system gets its own password. The single biggest cause of account compromise is reused credentials — when one site is breached, attackers immediately try those credentials everywhere else.
- Use a password manager. No one can remember dozens of unique long passwords. A password manager solves this — it generates and stores them for you. If you don't have one yet, ask Savas IT for the approved option.
Things that are never okay
- Sharing your password with anyone — including IT, your manager, a teammate, or your own assistant. Real IT never asks for your password.
- Reusing your Savas password on a personal site, or vice versa.
- Storing passwords in plain text — sticky notes, a Notes app, a spreadsheet, a text message to yourself.
- Letting someone "borrow" your logged-in session to do something quickly.
Multi-factor authentication (MFA)
MFA adds a second proof to your login — usually a notification on your phone or a code from an app. Even if an attacker has your password, they can't log in without that second factor. MFA is required for all Savas Software contractor accounts.
If you receive an MFA push notification you didn't trigger — at any time, but especially at odd hours — deny it and report it immediately to itsecurity@savassoftware.com. An unexpected MFA prompt means someone is actively trying to log in as you with a password they already have. Approving "to make it stop" hands them your account.
What to do if you suspect a password is compromised
If you think any account password may have leaked — you saw it on a list, you typed it on a phishing site, you used it somewhere that just had a breach — change it immediately, then email itsecurity@savassoftware.com if it was your Savas account. Speed matters more than certainty.
Module 05 — Devices
Device & remote work security
The device you work from is part of the security perimeter. The remote and public spaces you work in extend that perimeter — sometimes farther than you intend.
The devices you're allowed to use
Use only devices that meet Savas Software's requirements for your contracted work. If you've been issued a device, use that. If you're using your own, it must have:
- Current operating system updates installed (no postponed updates that have been pending for weeks)
- Active, up-to-date security software (anti-malware)
- Disk encryption enabled (FileVault on Mac, BitLocker on Windows)
- A strong device password or biometric login — no devices left unlocked or with no password set
- An automatic screen lock after no more than 5 minutes of inactivity
Updates aren't optional
The "remind me later" button on update prompts is one of the most exploited weaknesses in personal computing. Most malware that successfully runs in 2026 is exploiting vulnerabilities that were patched months — sometimes years — earlier. Install updates promptly, and reboot when asked.
Working in remote and public spaces
Working from a coffee shop, a co-working space, an airport, or a hotel is fine — and probably unavoidable — as long as you take a few precautions:
- Mind your screen. The person behind you can read what you're working on. Sit with a wall behind you when handling sensitive material, and consider a privacy filter for your screen.
- Lock your screen every time you stand up. Even for a 30-second coffee refill. Win+L on Windows or Ctrl+Cmd+Q on Mac.
- Be cautious on public Wi-Fi. Public networks aren't inherently dangerous, but they aren't trustworthy either. If Savas has provided you with a VPN, use it whenever you're not on your home network.
- Don't leave devices unattended. Not under a coat at the table, not "just for a minute" at a charging station, and never visible in a parked car.
If a device with Savas Software access is lost, stolen, or even possibly out of your control, email itsecurity@savassoftware.com right away — even if you think you'll find it later. We can revoke access remotely while you keep looking. There is no penalty for reporting something that turns out to be fine; the only mistake is not reporting.
Module 06 — Data
Data protection & privacy
Data is the asset most attacks are after. Handling it well is mostly about a few simple defaults: only access what you need, keep it where it belongs, and let go of it when you're done.
What counts as sensitive data
You should treat the following as sensitive — meaning it gets stored only in approved systems, shared only with people who need it, and never copied somewhere casual:
- Customer information — names, contact details, account data, anything you encounter about Savas Software's clients or their users
- Personal information — anything that identifies a real person (employees, contractors, end users): names with emails, phone numbers, addresses, identification numbers
- Credentials — passwords, API keys, tokens, certificates, connection strings — even your own
- Internal documents — strategy, financial data, contracts, source code, anything marked confidential or restricted
- Engagement specifics — work product you're producing for Savas Software or its clients
If you're not sure whether something is sensitive, treat it as if it is. The cost of being too careful is approximately zero.
Need-to-know access
Access only the data you actually need to do your assigned work. If you have access to more than that — many systems give broader access than any individual job requires — don't browse it. "Curiosity" reads of customer data are exactly the kind of thing that creates legal and contractual exposure, even when no harm is intended.
Storage and sharing
| Approved | Not approved |
|---|---|
| Savas-issued OneDrive / SharePoint | Personal email (Gmail, Yahoo, etc.) |
| Savas-approved collaboration tools | Personal cloud drives (your own Dropbox, Google Drive, iCloud) |
| Internal sharing with named, authorized recipients | USB drives, external hard drives, personal devices |
| Encrypted, expiring share links when external sharing is needed and approved | "Anyone with the link" public sharing settings |
Returning and disposing of data
When your engagement ends — or when you no longer need a particular dataset — return or delete what's no longer needed. Don't keep "just in case" copies. The fact that you might be re-engaged in the future is not a reason to retain client data on a personal device or account.
Data protection isn't only a Savas policy. Privacy regulations (GDPR, CCPA, HIPAA, and others depending on the work) and most client contracts impose binding requirements on how data is handled. Following the rules above generally satisfies them — and breaking those rules can create legal exposure for you personally, not just for Savas.
Module 07 — When Things Go Wrong
Incident reporting
Almost every published breach post-mortem includes the same line: "the warning signs were present hours or days earlier, but went unreported." Reporting fast is the single most useful thing you can do.
What counts as a security incident
A security incident is any event that could compromise — or has compromised — the confidentiality, integrity, or availability of Savas Software systems, data, or accounts. In practice, that includes things like:
- You clicked a link in a phishing email, even if "nothing happened"
- You typed your password on a page that turned out to be fake
- You received an MFA prompt you didn't trigger
- A device with Savas access is lost, stolen, or briefly out of your sight in a way that matters
- A file or system is behaving strangely — locked, encrypted, populated with unfamiliar files, or running unusually slowly
- You accidentally sent sensitive data to the wrong person, posted it to the wrong location, or shared it more broadly than intended
- You suspect — even without certainty — that an account or system has been accessed by someone who shouldn't have access
How to report
Send a short email — what happened, when, and what (if anything) you've already done. You don't need to investigate first. You don't need to be sure. The IT Security team will take it from there.
Don't try to fix it yourself
Once you've reported, step back. Don't run a scan, don't delete the suspicious email, don't restart the machine, don't try to "clean up" before help arrives. Well-intentioned cleanup destroys evidence the response team needs to understand the scope of the problem and contain it.
Specifically: do not reply to the suspicious sender, log in to "see if your account still works," forward the email to colleagues, or post about it in chat channels. Those actions either spread the problem or help the attacker confirm they've reached you.
Why fast and honest matters
The damage from a security incident scales with time. A compromised account caught in the first hour is usually contained with no real impact. The same compromise discovered a week later may have moved laterally, exfiltrated data, and triggered regulatory disclosure obligations.
Fast reporting also requires honesty. If you clicked something, say so. If you can't remember the exact time, give your best guess. If you've already taken some action, say what. The team can work with imperfect information; they cannot work with information that isn't shared.
Reporting an incident — even one you caused — is not held against contractors. Failing to report, hiding the problem, or delaying notification is the only thing that creates an issue. This is the policy in writing and in practice.
Module 08 — Assessment
Knowledge check
Ten questions, randomized from a larger bank, drawn from everything you've just covered. You need 80% to pass. You can retake as many times as you need.
Before you begin
Read each question carefully. Some are multiple choice; some are true/false. Submit your answers when you're done — you'll get feedback on each question and a final score.
Module 09 — Sign Off
Policy acknowledgment
Last step. The acknowledgment below summarizes what you're agreeing to; the form on the next page captures the official record.
By completing this training, I acknowledge that:
- I have reviewed all modules of the Savas Software Contractor Security Awareness Training and understand the material.
- I am responsible for protecting the credentials, devices, and data I have access to as a contractor of Savas Software.
- I will use only approved tools and storage for Savas Software work, and I will not share my account credentials with anyone.
- I will use multi-factor authentication on my Savas Software account and will not approve MFA prompts I didn't initiate.
- I will report suspected security incidents — including phishing attempts, lost devices, accidental disclosures, or anything unusual — promptly to itsecurity@savassoftware.com, and I will not attempt to investigate or remediate incidents on my own.
- I will protect sensitive and personal data, accessing only what is needed for my work and returning or deleting it when no longer needed.
- I understand that these obligations continue for the duration of my engagement with Savas Software, and that retraining is required annually.
Ready to sign off
Click below to open the official acknowledgment form. Fill it in honestly — it becomes the audit record of your training completion.
Open acknowledgment form ↗
After submitting the form, you've completed your training. You'll receive a confirmation from IT Security within a few business days.
Email itsecurity@savassoftware.com any time — for security questions, to report something, or just to ask whether something is allowed. There are no bad questions.