Security guidelines and requirements at work can often seem burdensome and intentionally inconvenient. This feeling may exist because employees don’t understand the risks facing the organization or are not aware of the decision process used to craft the security policy.
As an end user or middle manager, you can help to create a culture of cybersecurity at work. By modeling good cybersecurity practices, you can protect your company’s resources while also encouraging others to comply. In the world of security, if you are not actively and intentionally using best practices, then your normal or default choices may leave you vulnerable to malware or legal action.
There are five common security policies that organizations use, covering prohibited websites, the use of personal equipment at work, protecting user account information, acceptable use of company systems, and end users installing software. Becoming familiar with these policies helps you act in a manner that supports organizational security.
Filtered/Prohibited Site Policy
Many organizations have an acceptable use policy and/or a filtered-prohibited site policy. These policies define what type of content is inappropriate to be accessed, viewed, or used while on the company network. Often these policies are enforced with content filters and domain name/IP address blocks. However, it is sometimes easy to bypass these blocks to reach the content anyway.
If an organization has a prohibited site policy, it is your duty to respect it. These rules apply to all employees and are not designed to single you out. They attempt to keep a respectful and productive environment without offending others, wasting bandwidth, or potentially entangling the organization in malicious or pirated content. Even if your personal devices connect you to a data service that will allow you to visit these sites while sitting at your desk, do not do so. If you must visit these sites or locations during work hours, choose to take your breaks outside of the building and view the content there. If you are unable to respect these policies, then you should discuss the restrictions with your manager or consider seeking employment elsewhere.
Bring Your Own Device (BYOD) Policy
A bring your own device (BYOD) policy dictates whether or not personal devices, such as notebooks, tablets, and smartphones, can be used on company premises and whether or not they can connect to the private internal network. It is important to review this policy and comply with its restrictions. If you are not allowed to bring personal equipment to work, then don’t. Don’t sneak it in. Don’t assume you and your devices are safe and the rule is for everyone else.
You may ask if you can bring your equipment inside if it is left in a powered-off state, but otherwise leave it in your vehicle or at home. If personal devices are allowed into the building, then respect the level of network access provided. Some organizations block access to the work network but provide a commercial Internet service. Whatever boundaries the BYOD policy defines, be aware of them and respect them. Don’t be the one who breaks the rules and enables an intrusion.
User Account Policy
As an employee you are issued a network user account. There is a computer user policy which states the account is for you to use and that you are not to allow anyone else to use it. So, do not share user accounts. Never allow anyone else, such as a family member or friend, to log into your account or share access. Do not give others the details of your account credentials. Do not log into your account and then walk away from the system. A unique user account is issued to each employee for the purposes of auditing and accountability. When you allow someone else to use your account, you take on the responsibility and consequences of their actions while using your account.
Acceptable Use Policy/Computer User Policy
Another common aspect of company security policies, sometimes as part of the acceptable use policy or possibly the computer user policy, is a restriction regarding performing personal tasks or running your own small business on the company’s equipment and network. Be sure to read and understand this policy thoroughly. It is never acceptable to run your own business on your employer’s systems. If you are not being kept busy enough at work, ask for more work or a promotion. Otherwise, you are technically stealing from your employer.
As for personal tasks, stay within the boundaries defined by the policy. You may be allowed to check personal email, perform online shopping, and visit social networks, but only while on breaks. If personal tasks distract you from being productive and meeting your goals and deadlines, you are in violation of the company policy.
End User Software Installation Policy
Due to the risk of installing malicious code or unwanted hacker tools, most organizations prohibit end users from installing software. If there is such a policy at your work, then respect it. Even if technology is not being used to enforce the written restriction, you should still abide by it. By limiting your system to running only approved applications, you minimize the chance that you will be the cause or source of a malware infection or security breach due to extraneous software installs.
The task of creating a culture of cybersecurity at work is mostly about knowing the company security policies and then staying in compliance with them. This is the responsibility of every employee. So, stand out amongst your peers and be an example of a cyber-safe worker instead of a worker who takes unwarranted risks.