Some employees are not as well-versed in their company’s security policy as they should be. This may result in workers performing tasks that seem innocent on the surface but that put the organization at risk of a security breach.
Understanding what you are doing (as an employee) or what your users are doing (as an IT manager), can help you work toward a viable solution. In most cases, changes in user behavior and implementation of new technical solutions will curb exposure to risk and increase security policy compliance.
Opening Email Attachments
One common user behavior that may be a violation of company policy is the opening of email attachments. Attachments are a common means of distributing malware. Opening attachments from any source email address — whether it’s known or unknown — is risky.
The reason this may be a policy violation is that email attachments are a common malware infection vector. A better option is for the organization to implement an email server security filter that strips attachments and to provide workers with a secure file exchange service to use instead. Workers should avoid opening attachments except where both the source and the intention are confirmed: for example, when the message carries a verified digital signature and the recipient was expecting the attachment based on a prior conversation.
Accessing Social Networks
A second common risky user behavior is accessing social networks from work computers. Social networks can be used as part of a social engineering attack, leading to information leakage, or the installation of remote control malware.
Workers should not perform personal tasks on company equipment. Workers should use their personal devices, such as a smartphone, to access social networks and then only do so during breaks. Companies should implement DNS and IP blocks against social networking sites and services to prohibit the activity with logical barriers.
Re-Using Passwords
A third risky user behavior that violates company policy is the re-use of passwords. Never re-use passwords. Don’t re-use old passwords on the same system or on different systems, and don’t use the same password on multiple systems at the same time. Adversaries are aware that password re-use is convenient and commonplace, so don’t do it.
Always use a unique, long, and random password for every account. This may require you to use a password manager (also called a password vault or credential manager), which you should already be using: it maximizes the entropy of your account passwords and thereby minimizes your account takeover and impersonation risk.
Syncing Online Media
A fourth problematic user activity is syncing online media to personal devices over company networks. Downloading files of any type through the company's Internet connection to a personal device is usually a disallowed activity. It may violate the ISP's terms of service or simply waste bandwidth on personal data transfers. Additionally, downloading unauthorized, business-irrelevant files exposes the organization to malware infection. File syncing between company equipment and personal devices may result in accidental exfiltration or disclosure of confidential, private, or secret data to outsiders.
Large data transfers could even interfere with essential business tasks. If the transferred files are stored or cached on company equipment, it could be a violation of terms of service or copyright. Users should simply avoid syncing, downloading, or transferring personal files and media across company networks. Companies can monitor data transfers for suspicious activity and block access to well-known media sources.
Personal Device Connections
A fifth example of risky user behavior is connecting personal devices to company equipment without authorization. Whether linking to the company network, tethering a phone to a desktop, or just plugging in a USB device to charge, these actions are likely company policy violations because they place the company at risk.
Portable devices can transfer malware to the company equipment. Tethered connections allow for data transfers outside the control and filtering of the network security services. Workers should check with their IT department before connecting any personal device to company equipment, even if they only intend to charge their device.
Know Company Policies and Abide By Them
Employees should be more proactive in reading and comprehending company security policies. Staying in compliance will reduce unnecessary risk to the organization as well as to the individual. If company security policies seem too restrictive or burdensome, workers should discuss the issues with their IT departments. Suggesting alternatives or improvements to existing security mechanisms may help the company improve its security stance while offering a wider range of benefits to employees.
Now that you know more about company security policy violations and compliance, you should recognize that this is just a starting point for obtaining security knowledge. There are many other important security concerns that you need to be aware of, because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out the means to gain more knowledge.
One source of additional knowledge is the educational materials made available from Global Knowledge. Global Knowledge offers a wealth of online resources such as this white paper and other online materials. Global Knowledge is also a world leader in training, both live and on-demand courses.