User Guidance and Training (Part 3) (Domain 5)

Security awareness training is most effective when it goes beyond policies and into real, everyday habits. What employees carry in their pockets, what they click on in their inbox, and what they say when no one’s watching—it all matters. That’s why training programs must include the physical, social, and operational dimensions of cybersecurity. In this third episode on user guidance and training, we’re focusing on three areas that are often underestimated but critically important: the safe handling of removable media and cables, protection against social engineering, and building a strong foundation in operational security, or OPSEC.
Let’s start with removable media and cables. These may seem like small details, but they can be major vulnerabilities if not handled properly. Removable media includes things like USB flash drives, external hard drives, SD cards, and even smartphones when connected to a computer. Cables, especially those used for data transfer, can also become attack vectors. A malicious USB drive can carry malware. A charging cable can be modified to act as a keylogger. And a device left plugged into a public port can be accessed remotely without anyone noticing.
Training users to be cautious with removable media starts with helping them understand the risk. Most people have no idea how easy it is to weaponize a USB stick. A file that looks like a document might actually launch a script. A drive that appears empty could run code as soon as it’s inserted. And in many cases, endpoint protection systems don’t trigger until after the damage is done.
Let’s walk through a practical example. A team member finds a USB drive in the office parking lot. Thinking it belongs to a coworker, they plug it into their work laptop to see what's inside. Instead of documents, the drive contains a hidden script that installs malware and creates a backdoor into the company’s internal systems. This is not just a hypothetical. It’s a well-documented attack method that’s been used by red teams and real adversaries alike.
To prevent situations like that, training should stress that unknown devices should never be plugged in. If a device is found, it should be turned in to the IT or security team for safe handling. Some organizations even go a step further by disabling USB ports on certain systems or using endpoint controls to block unauthorized removable media entirely.
Training should also address secure handling of known devices. That includes labeling approved devices, encrypting storage when appropriate, scanning for malware regularly, and avoiding the use of personal storage devices for work-related tasks. Even charging cables should be treated with care. Public charging stations can be abused in so-called “juice jacking” attacks, where a tampered port or cable is used to install spyware or pull data from the connected device. Employees should be taught to use their own charging bricks or power-only USB cables when traveling.
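The endpoint controls mentioned above (blocking unauthorized removable media while still allowing labeled, approved devices) rely on being able to tell an approved drive from an unknown one. As an added example that is not part of the episode or of any Bare Metal Cyber material, the Python script below correlates Linux kernel USB messages from syslog into per-device records and flags any mass-storage device whose vendor ID, product ID and serial number are not on an allowlist of approved, labeled drives. The log lines, hostnames, IDs and the allowlist are all constructed for the example; the line format is modeled on what the Linux kernel logs when a USB device is attached, and a real deployment would read the host's own journal instead.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from a real host). Port 1-2 is an
# approved, labeled flash drive; port 1-3 is an unknown flash drive; port 1-4 is
# a keyboard, which is not removable storage and must not be flagged.
SAMPLE_LOG = """\
Jun 12 09:14:02 ws-17 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Jun 12 09:14:02 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jun 12 09:14:02 ws-17 kernel: usb 1-2: SerialNumber: 4C530001230605113451
Jun 12 09:14:03 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 12 11:40:51 ws-17 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
Jun 12 11:40:51 ws-17 kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
Jun 12 11:40:51 ws-17 kernel: usb 1-3: SerialNumber: AA04012700013494
Jun 12 11:40:52 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jun 12 13:02:10 ws-17 kernel: usb 1-4: new low-speed USB device number 6 using xhci_hcd
Jun 12 13:02:10 ws-17 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
"""

# Hypothetical allowlist of approved, labeled drives: (idVendor, idProduct, serial).
APPROVED_DEVICES = {("0781", "5583", "4C530001230605113451")}

HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel:")
ID_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    port: str
    vid: str = ""
    pid: str = ""
    serial: str = ""
    host: str = ""
    seen_at: str = ""
    is_storage: bool = False

    def identity(self):
        """The tuple that the allowlist is keyed on."""
        return (self.vid, self.pid, self.serial)


def parse_usb_events(log_text):
    """Correlate the kernel lines for each attach event into one UsbDevice record.

    A fresh record is started every time 'New USB device found' appears for a
    port, so re-plugging a different drive into the same port is not merged.
    """
    devices = []
    current = {}  # port -> record currently being assembled
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if m:
            dev = UsbDevice(port=m["port"], vid=m["vid"], pid=m["pid"])
            hm = HEADER_RE.match(line)
            if hm:
                dev.seen_at, dev.host = hm["ts"], hm["host"]
            devices.append(dev)
            current[m["port"]] = dev
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].serial = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].is_storage = True
    return devices


def find_unapproved_storage(devices, allowlist):
    """Return mass-storage devices whose (vendor, product, serial) is not approved."""
    return [d for d in devices if d.is_storage and d.identity() not in allowlist]


def audit(log_text, allowlist):
    """Turn the log into one alert line per unapproved removable-storage device."""
    return [
        f"{d.seen_at} {d.host}: unapproved removable storage on port {d.port} "
        f"(vid={d.vid} pid={d.pid} serial={d.serial or 'none'})"
        for d in find_unapproved_storage(parse_usb_events(log_text), allowlist)
    ]


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, APPROVED_DEVICES):
        print(alert)
```

The keyboard on port 1-4 is parsed but never reported, because only devices that the kernel identifies as mass storage are checked against the allowlist. A drive with a correct vendor and product ID but an unlisted serial is still flagged, which is what makes the "label approved devices" practice enforceable rather than cosmetic.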
Now let’s shift to social engineering. This is one of the most successful and dangerous attack methods because it targets people—not systems. Social engineering involves manipulating someone into doing something they wouldn’t normally do, like giving up credentials, clicking on malicious links, or revealing sensitive information.
Common tactics include phishing emails, pretexting phone calls, fake tech support chats, baiting with fake documents, and even in-person impersonation. The attacker’s goal is to exploit trust, urgency, or confusion.
Training employees to resist social engineering starts with awareness. They need to know that just because someone sounds confident—or seems helpful—doesn’t mean they’re trustworthy. If a caller asks for credentials, insists on bypassing policy, or creates pressure to act fast, that’s a red flag.
Let’s walk through another scenario. An employee receives a phone call from someone claiming to be from the IT department. The caller says there’s an urgent issue with the employee’s laptop and needs their username and password to “reset” the system remotely. The caller sounds professional. They even mention the employee’s manager by name. But the employee remembers their training and refuses to share their credentials. Instead, they contact the IT department directly and learn that no such request was made. A potential breach is stopped cold—not because of a firewall or a patch—but because of awareness and assertiveness.
Effective social engineering training uses real examples and roleplay. Teach users to slow down, verify identity, and report suspicious interactions. Reinforce that no legitimate IT request will ever involve asking for a password or sharing sensitive information over the phone. Encourage a culture where it’s okay to question requests—even if they come from someone who appears to be in authority.
Finally, let’s talk about operational security, or OPSEC. This concept comes from military operations, but it’s just as relevant in business environments. OPSEC is about protecting sensitive information by being careful about what’s said, shared, or left exposed—especially in environments where adversaries might be listening or watching.
Operational security includes small but important habits. It means not discussing confidential projects in public places like elevators, hallways, or airports. It means being cautious about what’s written on whiteboards, left on desks, or shown in photos. It means double-checking who’s on a conference call before sharing sensitive updates. It even means thinking twice before posting a team selfie that might include security badges or computer screens in the background.
Here’s a real-world example. A traveling executive posts a photo on social media of a conference badge and their hotel room key—excited about a big industry event. In the background of the photo is their open laptop, with a project dashboard on the screen. The post goes viral. A competitor sees it and recognizes several project names, clients, and internal tools. Without realizing it, the executive has just leaked operational details. Again, there was no intent to harm. But lack of operational awareness led to a real risk.
Training in OPSEC helps employees become more mindful of their surroundings and the information they carry. It doesn’t require paranoia—just awareness. Help employees recognize what’s sensitive, understand what could be used against them, and learn to think like an attacker when it comes to information exposure.
This kind of training can be done through short videos, real-world examples, or quizzes. It’s also a great topic for refresher emails and security newsletters. Reinforce the idea that OPSEC is everyone’s responsibility, not just something for senior leaders or the IT team.
As you prepare for the Security Plus exam, expect to see questions related to all three areas. If the scenario describes mishandling USB drives or inserting unknown devices, it’s testing your understanding of removable media risks. If it involves suspicious messages or identity scams, it’s pointing to social engineering. And if it’s about careless communication, photo sharing, or exposed information, it’s likely referring to operational security practices.
For user training modules, OPSEC handouts, and removable media guidelines you can use in your own organization, visit us at Bare Metal Cyber dot com. And for the most comprehensive Security Plus study guide available—packed with real-world context and exam-ready content—go to Cyber Author dot me and get your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success.