General And Local Security course

Key takeaways.

  1. Security is a continuous process: assets change, threats evolve, controls must be maintained.

  2. Identity is the frontline: unique passwords, password managers, 2FA, and reliable recovery routes.

  3. Least privilege reduces blast radius and prevents “one mistake breaks everything”.

  4. Phishing and urgency tactics remain the most common entry points; train for recognition and reporting.

  5. Extensions, downloads, and public Wi-Fi are routine risks; limit permissions and trust carefully.

  6. Hygiene wins: updates, backups, and disciplined browsing prevent a large share of incidents.

  7. HTTPS is a baseline trust signal; mixed content undermines both security and user confidence.

  8. Detection and response matter: define what “unusual” looks like and how to act calmly.

  9. Governance supports resilience: risk assessment, change logs, and compliance-aware processes.

  10. On Squarespace, security is operational: control access, audit scripts/integrations, and keep SSL and core user journeys stable.

 

In-depth breakdown.

General And Local Security [WC - C9] treats cybersecurity as routine operations, not a one-off project. It starts by framing security in risk terms: what the assets are (accounts, data, devices, domains), what threats target them, and where vulnerabilities expand the attack surface. From there, it focuses on identity discipline (password managers, unique credentials, recovery routes, and least privilege), because compromised accounts are the fastest path to real damage.


The course then maps common attack surfaces that catch teams out in everyday work: phishing and social engineering, risky browser extensions, untrusted downloads, and public Wi-Fi. Practical hygiene is positioned as the highest ROI defence: updates, backups, clean browsing habits, and small controls that reduce exposure. Encryption and HTTPS are covered as trust and confidentiality baselines, alongside basic network security concepts and common vulnerability types relevant to websites and small organisations.


Beyond prevention, the course introduces a defence methodology: detect unusual activity, respond with a simple plan, and learn from incidents via drills and documentation. Governance topics (risk assessment, tool selection, and compliance awareness, including GDPR and NIS2 conceptually) support sustainable security over time. A dedicated Squarespace module translates these ideas into platform reality: SSL and mixed content, access control and contributor roles, offboarding checklists, admin audits, and strict caution around third-party scripts.

 

Course itinerary.

    • Basic networking for security

    • Accounts and identity basics

    • Common attack surfaces

    • Common web and network risks

    • Defence methodology

    • Practical hygiene

    • Encryption and safe browsing

    • Cyber hygiene overview

    • Network security basics

    • Common types of network vulnerabilities

    • Website security threats

    • Cybersecurity awareness

    • Incident response planning

    • Compliance and regulations

    • Risk assessment and management

    • Security tools and technologies

    • User education and training

    • Conclusion and next steps

    • HTTP vs HTTPS

    • Mixed content issues

    • Trust signals

    • Access control

    • Contributor roles and least privilege

    • Handover and offboarding checklist

    • Operational best practices

    • Admin hygiene and audit habits

    • Third-party script caution

    • Security measures and safeguards

    • Digital hygiene habits

    • Conclusion and next steps

 
 

Course requirements.

The requirements necessary for this course include:

Technology

You need a computer or smart device with a decent internet connection.

Account

No account is required as the lectures are free to view.

Viewing

This course is taught via a blog article format.

Commitment

You will need to dedicate time and effort, at your own pace.

 

Frequently Asked Questions.

What does “defensive-first” cybersecurity mean?

It prioritises reducing exposure (prevention), noticing problems early (detection), and recovering quickly (response) over chasing advanced attacks.

What are the biggest everyday risks for small teams?

Phishing, password reuse, weak recovery methods, risky extensions/downloads, and poor access control.

Is 2FA really necessary if passwords are strong?

Yes. Passwords leak, and 2FA significantly reduces the impact of credential theft.

Why are browser extensions a security issue?

They can read page data, inject scripts, and become a silent supply-chain risk if compromised or over-permissioned.

How often should security checks happen?

Small monthly audits (access, scripts, core flows) plus ad-hoc checks after changes or suspicious signals.

What is mixed content and why does it matter?

It’s when an HTTPS page loads HTTP assets; it weakens security indicators and can cause modern browsers to block resources.

What’s the practical difference between least privilege and “everyone is admin”?

Least privilege limits blast radius: fewer people can install scripts, change DNS, or alter billing, reducing accidental or malicious damage.

Why treat third-party scripts as “trust decisions”?

Scripts can affect performance, collect data, and introduce vulnerabilities; one bad script can undermine an otherwise secure site.

What should a Squarespace offboarding checklist include?

Revoke contributor access, rotate credentials, confirm billing/admin email ownership, review integrations, remove old scripts, and retest forms/checkout.

How do incident response drills help if nothing has happened yet?

They reveal missing access, unclear roles, and broken recovery routes—before an incident forces rushed decisions.

 
Luke Anthony Houghton

Founder & Digital Consultant

The digital Swiss Army knife | Squarespace | Knack | Replit | Node.JS | Make.com

Since 2019, I’ve helped founders and teams work smarter, move faster, and grow stronger with a blend of strategy, design, and AI-powered execution.


https://www.projektid.co/luke-anthony-houghton/