Start Here
Think about a normal working day. You log in to your computer. You check your email. Maybe you sign in to a system to look something up, send a message in Teams, take a photo on your work phone, or jump on the wi-fi at a community office. Every one of those is a small door. Most of them are fine. But each one is a place where someone could try to get in.
This session is about those doors. Not to scare you, but to show you which ones matter most and how to put a simple lock on each. None of it is hard. Most of it takes a few minutes once, and then protects you for a long time.
You do not need to know how a lock is made to use one. The same is true here. You only need to know which habits keep you safe, and how to switch them on.
A worry we hear a lot is "what if I press the wrong thing?". Turning on the protections in this session does not break anything, and you cannot do harm by being cautious or by asking a question. The only real mistake in cyber safety is staying quiet when something looks wrong, and we get to that in Session 4. So have a go; you are safe to.
Your Digital Footprint at Work and at Home
Your digital footprint is just the trail of accounts, devices, and logins that make up your life online. Your work email. Your personal email. Online banking. MyGov. Facebook. Your phone. The apps on it. Each one holds a little piece of you, and each one is protected by a login.
Here is the part that surprises people: attackers usually do not break in. They log in. They get hold of one password, often from a completely different website that was hacked, and they try it everywhere else. If you used the same password on your work email and on some shopping site that got breached, you have handed them both.
This is why the same good habits protect your personal email and your work account at the same time. The attacker does not care which door they come through. So we lock all of them the same way.
Most accounts are not stolen by clever hacking. They are opened with a password that leaked somewhere else, or one that was easy to guess. Fix that, and you have closed the most common way in.
Passwords, Passphrases, and Password Managers
Two things make a password weak: it is short, or you have used it somewhere else. Most people worry about the wrong one. A password full of symbols like P@ssw0rd! feels strong, but it is short and a computer can guess it quickly. A long, simple phrase is far harder to crack.
Length beats complexity
Instead of a password, use a passphrase: four random words strung together, like copper-emu-lantern-river. It is long, easy for you to remember, and would take a computer a very long time to guess. You do not need capital letters and symbols sprinkled through it if it is long enough, though adding one or two does no harm.
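The arithmetic behind "length beats complexity", as an added Python example that is not part of the original session material: it compares the number of possible combinations for a short random password and a four-word passphrase, and generates a passphrase with a secure random source. The word list is a small constructed sample, and the 7,776 figure is the size of the EFF long word list, assumed here as the list a real generator would draw from.

```python
import math
import secrets

PRINTABLE = 94          # letters, digits and symbols on a standard keyboard
EFF_LIST_SIZE = 7776    # assumption: words drawn from the EFF long word list

# Constructed sample for the demo only; far too small for real use.
SAMPLE_WORDS = ["copper", "emu", "lantern", "river", "gravel", "mango",
                "saddle", "thunder", "pillow", "walnut", "harbour", "kettle"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of guessing work when each pick is uniformly random."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least 2 options and 1 pick")
    return picks * math.log2(pool_size)


def random_chars_to_match(bits: float, pool_size: int = PRINTABLE) -> int:
    """Random characters needed to reach at least `bits` of entropy."""
    return math.ceil(bits / math.log2(pool_size))


def make_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words using the operating system's secure random source."""
    pool = sorted(set(words))
    if len(pool) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(pool) for _ in range(count))


if __name__ == "__main__":
    short = entropy_bits(PRINTABLE, 5)        # a 5-character random password
    phrase = entropy_bits(EFF_LIST_SIZE, 4)   # four random words
    print(f"5 random characters: {short:.1f} bits")
    print(f"4 random words:      {phrase:.1f} bits")
    print(f"passphrase has about {2 ** (phrase - short):,.0f} times more combinations")
    print(f"matching it takes {random_chars_to_match(phrase)} fully random characters")
    print("sample:", make_passphrase(SAMPLE_WORDS))
```

These figures only hold when the characters or words are picked at random. A predictable choice, such as a common word with symbols swapped in, is far weaker than its length suggests.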
Reusing a password is the real danger
Using the same password in more than one place is the single riskiest habit. When one site is hacked, and sites are hacked all the time, that password is now on a list that criminals share and try everywhere. One leak becomes ten break-ins. Every important account should have its own, different passphrase.
Your email matters above all, because whoever controls your email can reset the password on everything else. Next come your banking, your MyGov, and your work login. These four each deserve their own unique passphrase, no exceptions.
A password manager remembers them for you
If every account needs a different long passphrase, how is anyone meant to remember them? You are not. A password manager is a free app that acts like a locked notebook. It makes a strong, different password for each site, stores them all, and fills them in for you. You remember one strong passphrase to open the manager, and it handles the rest.
It sounds like putting all your eggs in one basket, but a good password manager is far safer than the two things people do instead: reusing one password everywhere, or keeping them on a sticky note or in a phone note anyone could read.
Try this the same day
1. Pick your most important account, your email, and give it a brand new four-word passphrase that you use nowhere else.
2. Have a look at a free password manager. Bitwarden is free, well regarded, and works on phone and computer. Your web browser also has one built in.
3. Let it generate and save the password for the next new account you make. See how it feels before moving the rest across.
Two-Step Login, in Plain Terms
You will see this called multi-factor authentication, or 2FA, or two-step verification. They all mean the same simple thing: as well as your password, the account asks for a second proof that it is really you. Usually that is a code from an app or a text message, or a tap on your phone.
Why it matters so much: even if someone steals or guesses your password, they still cannot get in, because they do not have your phone in their hand to approve the second step. It stops the large majority of account takeovers on its own. If you do one thing from this session, do this.
Here is the idea in one line. To prove who you are, you use two of these three things: something you know (your password), something you have (your phone, or a small security key), and something you are (your fingerprint or face). A password on its own is just one of the three. Two-step login adds a second, and that is what makes it strong.
Think of a bank card. A thief needs both the card in their hand and the PIN in their head; one without the other is useless. Two-step login does exactly that for your online accounts.
What the second step usually looks like
A code by text. The account sends a number to your phone, and you type it in. Easy to start with, and far better than nothing.
An app that makes codes. A free app such as Google Authenticator or Microsoft Authenticator shows a fresh six-digit code every 30 seconds. A little safer than text messages.
A tap to approve. The account sends a notification to your phone and you tap "yes, that's me". The simplest of all once it is set up.
A security key. A small physical key, often like a USB stick, that you plug in or tap on your phone. It is the strongest option of all, and because many keys do not need internet or a texted code, they suit places with poor phone signal. See Tech Words, in Plain English for more on these.
If the connection allows, we will turn on two-step login together, on one account, during the session. Start with your email or your MyGov. Once you have done it once, the rest follow the same pattern.
Your work account has an IT team watching over it. Your personal email, your banking, your Facebook, and your MyGov mostly have only you. That is why turning on two-step login on your personal accounts is, if anything, even more important. It is the same few taps. Start with your personal email, because whoever controls your email can reset the password on everything else.
The code is the key. No real bank, agency, or workplace will ever ring you and ask you to read out a code that was just sent to your phone. If someone does, it is a scam, every time. Hang up. We come back to this in Session 2.
Devices, Public Wi-Fi, and Working Remotely
A lot of work in the Territory happens on the move: out in communities, in the car, from home, on a phone as much as a computer. The habits that keep a device safe are the same wherever you are.
Lock your devices
A PIN, fingerprint, or face unlock on your phone and laptop. A lost phone is a worry. A lost unlocked phone is an open door to your email, messages, and accounts. Set it to lock by itself after a minute or two.
Keep software updated
Those update reminders are not just new features. Most updates quietly fix security holes that attackers already know about. Turn on automatic updates for your phone, computer, and apps, and restart when asked. Updating over wi-fi rather than mobile data saves your allowance.
Be careful on public and shared wi-fi
Free wi-fi at an airport, shop, or shared venue is handy, but you cannot be sure who else is connected or who set it up. Avoid banking or logging in to important accounts on it. Your own phone's mobile data, or your phone as a hotspot, is safer for anything sensitive. If your workplace gives you a VPN (a private, protected path for your connection), use it when working remotely. More on VPNs in Tech Words.
Look for the padlock, but do not trust it blindly
Before you type a password or card number into a website, check the address starts with https (with an "s") and shows a small padlock. That means your connection is private, so nobody in between can read what you send. But a padlock does not mean the site is honest; scam sites can have one too. No padlock: do not enter anything. A padlock: private, but still check who you are dealing with.
Log out of shared and community devices
On any computer or tablet that other people also use, always log out when you finish, or the next person is using your account. Never let the browser "remember" or "save" your password on a shared machine; say no to that pop-up. And do not tick "keep me signed in".
Watch what is on the screen and who is nearby
In a shared office or a public place, be aware of who can see your screen or hear a call. Lock your computer when you walk away from it, even for a minute. On a Windows machine, the Windows key plus L locks it instantly.
What Counts as Personal and Sensitive Information
A workplace, and especially a council, holds a lot of information about people: residents and staff alike. Names, addresses, dates of birth, phone numbers, payment details, health and family information. The law calls this personal information, and some of it is treated as especially sensitive.
You do not need to be a privacy expert. You only need to recognise this kind of information when it is in front of you, and handle it with a bit of care. The simple test: if this got out, could it embarrass, harm, or be used against the person it belongs to? If yes, treat it carefully.
Personal information
Anything that identifies a person: name with address, phone number, email, date of birth, photo, or an ID number. On its own it may seem harmless, but pieced together it is exactly what a scammer needs to impersonate someone.
Sensitive information
A smaller group that needs extra care: health and medical details, racial or ethnic background, religious beliefs, and financial details like bank or payment information. Getting this wrong can cause real harm, so it gets handled with extra care.
In Australia, the Privacy Act and its privacy principles set the rules for handling this information, and the Northern Territory has its own information privacy rules for public bodies on top of that. The detail is a job for your workplace's policies. What matters for you day to day is small and practical:
- Only look at the information you actually need for your job.
- Only share it with people who are meant to have it, through approved channels.
- Do not send it to your personal email or save it to a personal device to "finish at home".
- If you are not sure whether something is okay to share, ask before you send it, not after.
There is a deeper way to think about this that often makes it click. The information a council holds is not really the council's; it belongs to the people and the community it is about. Information about Aboriginal and Torres Strait Islander people and communities is part of that community's own knowledge, and the community has a right to have it looked after and kept safe. This is the idea of Indigenous data sovereignty: the mob's data belongs with the mob.
When you handle a resident's details with care, you are not just following a rule. You are acting as a custodian of the community's information, the same way people have always looked after what is important to the community. Keeping data safe is keeping the mob safe.
These handling habits set up everything the rest of the series builds on. Sessions 2 and 3 are largely about people trying to trick this information out of you, or out of your workmates.
Your Free Toolkit
Three free, trusted resources worth saving today. No cost, no catch.
cyber.gov.au
The Australian Government's cyber security site for everyday people and small organisations. Plain-language guides on passphrases, two-step login, updates, and what to do if something goes wrong.
Have I Been Pwned
Type in your email address and it tells you if your details have turned up in a known data breach. A free, safe way to check whether it is time to change a password. (Pwned just means "caught out".)
A password manager
Bitwarden has a solid free version and works on phone and computer. Your web browser also has one built in. Pick one, and let it carry your passwords so you do not have to.
What to Take Away
A short cyber hygiene checklist you can work through in your own time. Tick each off as you go.
- Give my email account its own brand new four-word passphrase, used nowhere else.
- Turn on two-step login for my email and my MyGov.
- Turn on two-step login on my personal accounts too, starting with my personal email.
- Set up a password manager, even if I only move a few accounts across to start.
- Check my main email on Have I Been Pwned, and change any password it flags.
- Turn on automatic updates for my phone, computer, and apps.
- Set my phone and laptop to lock themselves after a minute or two.
- Avoid banking and important logins on public wi-fi; use my own mobile data instead.
- Log out of shared or community computers, and never let the browser save my password on them.
- Check for the https padlock before typing a password or card number, knowing it means private, not automatically safe.
- Save cyber.gov.au somewhere I can find it again.
You do not have to do all of it today. Even the first two, a unique email passphrase and two-step login, put you ahead of most break-ins.
Knowledge Check
Five quick scenarios to see what has landed. Read each one, have a think about what you would do, then check the answer underneath. There is no score and no wrong answer here; it is just a way to check your thinking.
1. You use the same password for your work email and a shopping website. The shopping website is hacked and its passwords are leaked. Is your work email at risk?
Answer:
Yes, it is at risk. Criminals take leaked passwords and try them on other accounts, especially email. Because you reused the same one, the leak from the shopping site has effectively handed over your work email too. The fix is to give your email its own unique passphrase, and never reuse it anywhere. This is why reuse, not complexity, is the real danger.
2. Which of these is the stronger choice: Tk7$x or copper-emu-lantern-river?
Answer:
The four-word passphrase is far stronger. It looks simpler, but it is much longer, and length is what makes a password hard for a computer to guess. The short one with symbols feels secure but can be cracked quickly. Long and memorable beats short and complicated.
3. Someone rings, says they are from your bank's fraud team, and asks you to read out the code that was just texted to your phone so they can "stop a suspicious payment". What do you do?
Answer:
Do not read out the code. Hang up. That code is the second step that protects your account, and a real bank will never ring and ask you to read it back. The caller is trying to get past your two-step login. If you are worried it might be real, hang up and call the bank yourself on the number on the back of your card. We go deeper on this in Session 2.
4. You are at a cafe with free public wi-fi and want to quickly check your bank balance. Is that a good idea?
Answer:
Better to wait, or use your own mobile data. On public wi-fi you cannot be sure who else is on the network. For anything sensitive like banking or important logins, use your phone's own mobile data, or your phone as a hotspot, rather than the free wi-fi. Checking the news or a map on public wi-fi is fine; banking is the kind of thing worth keeping off it.
5. A workmate asks you to email a resident's file to your personal Gmail so you can "finish it at home tonight". What is the problem, and what is the better option?
Answer:
That file holds personal, and probably sensitive, information, and it should stay inside approved workplace systems. Sending it to a personal email moves it somewhere with weaker protection and outside the workplace's control, which can breach privacy rules. The better option is to use your workplace's approved way to work remotely. If there is not an easy one, that is a question for your manager or IT, not a reason to use personal email. When in doubt, ask before you send.