Many employees are not as well-versed in their company’s security policy as they should be. This may result in workers performing tasks that might seem innocent or benign on the surface, but which actually put the organization at risk of a security breach. Understanding what you are doing (as an employee) or what your users are doing (as a boss or manager), can help you work toward a viable resolution to these situations. In most cases, user behavior changes as well as implementation of new technological solutions can curb exposure to risk and increase security policy compliance.
One common user behavior that may be a violation of company policy is the opening of email attachments. Attachments are a common means of distributing malware. Opening attachments from any source email address — whether it’s known or unknown — is risky. A better option would be for an organization to implement an email server security filter to strip off attachments and provide workers with a secure file exchange service to use instead.
A second common risky user behavior is accessing social networks from work computers. Social networks can be used as part of a social engineering attack, leading to information leakage or the installation of remote control malware. Workers should not perform personal tasks on company equipment. Workers should use their own personal devices, such as a smart phone, to access social networks and then only do so during breaks. Social networks are also a serious distraction, causing significant loss of productivity. Companies should implement DNS and IP blocks against social networking sites and services.
A third concerning activity is using company voice services for extended personal use. Using a company phone for brief personal phone calls during breaks is usually reasonable behavior. However, placing personal calls that cause you to spend hours on the phone or trigger long-distance toll charges without authorization is likely a violation of the acceptable use policy. Workers should use their personal cell phones for non-work-related calls and keep calls short during work hours. Companies can implement a calling code-based system where call toll charge activities require an authorization or billing code.
A fourth problematic user activity is that of syncing online media to personal devices over company networks. Downloading files of any type through the company's Internet connection to a personal device is usually a disallowed activity. This could be a violation of the terms of service of the ISP or simply waste bandwidth on personal data transfers. Large data transfers could even interfere with essential business tasks. If the transferred files are stored or cached on company equipment, it could be a violation of terms of service or copyright. Users should simply avoid syncing, downloading or transferring personal files and media across company networks. Companies can monitor data transfers for suspicious activity and block access to well-known media sources.
A fifth and final example of risky user behaviors is connecting personal devices to company equipment without authorization. Whether linking to the company network, tethering a phone to a desktop or just plugging in a USB device to charge, these actions are likely company policy violations as they place the company at risk. Portable devices can transfer malware to the company equipment. Tethered connections allow for data transfers outside the control and filtering of the network security services. Workers should check with their managers before connecting any personal device to company equipment, even if they only intend to charge their device. Companies might consider providing a commercial Internet connection for personal portable device use that is independent of the company's private network as well as changing stations or connections distinct from the production IT equipment.
Employees should be more proactive in reading and comprehending company security policies. Staying in compliance will reduce unnecessary risk to the organization as well as to the individual. If company security policies seem to restrictive or burdensome, workers should discuss the issues with their managers. Suggesting alternatives or improvements to existing security mechanisms may help the company improve their security stance while offering a wider range of benefits to employees.