You are a problem. You are a risk to your employer. The actions you take and the activities you perform at work, online, and even in your personal life put your employer at risk. You need to know how you are a security risk to the organization and what you can do to reduce or eliminate those risks. In this paper, I discuss ten common risky behaviors that typical workers engage in and what you can do to avoid being the weakest link in your company.
1. Accessing the Spam Folder
It has become fairly standard to have a spam or junk filter operating on your email. Unfortunately, if you can still access messages placed in the spam or junk folders, then no security improvement has been achieved. A security solution would allow you to read the plain-text contents of a spam message but not execute any enclosed scripts, not open any attachments, and not visit any offered hyperlinks. However, this is rarely the case. So, you can avoid being a risk to your organization by staying out of the spam folder. If you have to look in the spam folder, then only look at the list of messages showing the subject lines. If you think there is a valid message in the spam folder, then reach out to your technical support team to inquire about the best procedure to follow to retrieve the message. Keep in mind, you could be wrong and the message really is a problem.
2. Delaying Updates and Patches
Updates and patches are an important part of security management. Most organizations perform testing on newly released updates before pushing them out to the production network. If your environment gives you the option to delay updates, then you should choose to let the updates install immediately. Yes, save and close your work but try not to delay the installation. Within hours of a patch release, hackers have examined the flaws it aims to correct and have written exploits to take advantage of those systems that do not have the update applied. Since your IT staff has already spent days or weeks evaluating new updates, any further delay to installing the updates keeps your system at risk for a longer period of time.
3. Opening Email Attachments
Email remains one of the primary means by which malware is distributed. Through the use of social engineering techniques, hackers craft messages encouraging or tricking you into opening the attachment. Malware can even come from those whom you trust, as their systems may have been compromised and used to send out harmful messages to everyone in their address book. Even well intentioned users might unintentionally send a malware infected file. It is always best to avoid sending or receiving files by email. If you receive an attachment that you believe is valuable and important, send a message back to the sender to confirm they sent the file intentionally. You can also recommend that a file-sharing service be used instead. By not opening attachments, your system will be infected by malware less often.
4. Using Portable Drives
Portable drives are often very convenient, but that convenience comes at a cost. Any portable drive can become infected with malware and then spread that infection to each new machine in which it is connected. Use a file-sharing service instead of a portable drive to avoid spreading malware across multiple systems. Another related problem can occur if you use a personal device to move company documents between business systems. Even after you delete the files off the drive, data remnants may allow the recovery of those files. If you lose the device, anyone with a data recovery tool (such as Pandora Recovery) can regain access to recently deleted files. So, don't use portable drives and you will avoid these two risks.
5. Bypassing Company Firewall Filters
Surfing the Internet from your work computer can be very frustrating, especially when the company implements strict domain, site, and content filters. It is in your best interest to abide by the company restrictions on company equipment. While it may be possible and easy to bypass such filters with tunneling tools, anonymous proxies, and VPN services-you should not do that. Don't be the employee that violates the Acceptable Use and Internet Policy and place the company at risk from malware infection or hacker intrusion. Use either a personal device with your own Internet connection through your wireless carrier or wait until you return home. Playing by the Internet rules of the organization will reduce your risk.