Run the data handling exercise
The data handling exercise tests how staff respond to sensitive material arriving by an unexpected route. The scenario is simple: a plausible-looking confidential document appears in an unexpected place, from an unfamiliar source, and appears to require action. What the participant does next is the data.
The exercise surfaces the gap between knowing the data handling policy and acting on it when the document looks genuinely important, the sender looks mostly legitimate, and nobody is obviously watching. That gap is where most accidental data exposure happens.
Formats
The exercise runs in three variants, each testing a different arrival route. Run one per cohort, or run all three in a single session with different participants assigned to each.
Email variant. A plausible-looking confidential document arrives by email from an address that is not in the directory. Examples: a draft salary review spreadsheet appearing to come from an external HR consultant; a donor data file appearing to come from Covenant with an unfamiliar sender address; a safeguarding report apparently from the Great Ledger Consortium, formatted correctly, sent from an address that is one character off.
Link variant. A shared link arrives by email or Teams pointing to a file hosted on a service the Home does not officially use: a Google Drive folder, a Dropbox link, a Sendstone transfer. The link description suggests the document is time-sensitive.
Physical variant. A USB drive is left in the meeting room, the communal kitchen, or near a workstation. It has a label: “DONOR DATA EXPORT Q1 - PRIVATE” or “IT TEAM ONLY”. The label is specific enough to be credible and urgent enough to be tempting.
Room setup
For email and link variants:
Participant workstations with access to the relevant inbox or Teams channel.
The facilitator prepares the document and the delivery mechanism before the session.
Participants are not told to expect anything during the session. The document arrives during normal working time, ideally mid-task.
For the physical variant:
The USB drive is placed before participants arrive. A standard USB drive with a printed label is sufficient.
Do not use a live USB drive with executable content. Use a blank drive or one containing only a text file explaining the exercise.
What participants are told
Nothing in advance. The exercise is announced as “we are reviewing our data handling procedures this month” without specifying when or what form it takes. This is the same framing used for the monthly phishing simulation: honest about the category of thing that might happen, silent about the specifics.
Observation
The facilitator observes from a distance: watching inbox behaviour for the email and link variants, watching whether the USB drive is picked up, plugged in, or reported. Do not intervene. Do not hover. The natural behaviour is the data.
For email and link variants, the facilitator has access to delivery confirmation and can see when the document was opened, forwarded, or left unread. For the physical variant, a brief conversation with the participant after the exercise is sufficient.
Debrief
Run the debrief as a group with all participants who encountered the exercise during the session. The debrief is not about who passed or failed. It is about the decision process.
For each participant, ask:
What did you notice when the document arrived?
What did you do first?
What made you uncertain?
What would you do differently now?
Then cover the correct procedure:
An unexpected document from an unfamiliar source, however plausible it looks, is reported to IT before being opened, forwarded, or acted on.
A shared link to an unofficial service is not clicked. The file is requested through an approved channel.
A USB drive found in the building is handed to IT without being plugged in. The curiosity about what is on it is exactly what the technique depends on.
The debrief also covers what to do after a mistake. If you opened it, say so immediately. If you forwarded it, say so. The response to a mistake caught quickly is remediation. The response to a mistake discovered weeks later, because nobody said anything, is considerably worse. The culture the exercise is building is one where early disclosure is the reflex, not the exception.