10 Security Practices Your Users Aren’t Following
Behind the scenes, there's a lot that IT pros do to keep networks safe. But users also need to do their share. There are a lot of quick and easy things they can do, but there are also a lot of things they might be doing wrong.
Here are the top 10 security mistakes your users might be making, and some suggestions to help shore up your security to keep them and your company safe.
1. Falling for phishing emails
This is number one for a reason: phishing has become a pandemic. Bogus emails posing as requests to log in to your email or bank account, with links to pixel-perfect copies of those sites, are hard for even the tech-savvy to catch.
Even worse is a spoofed email, appearing to come from a C-level to the finance team, requesting a large wire transfer to an overseas account. If that's business as usual, no one might bat an eye. But millions have been lost recently in scams like these. Your SPF records are set up correctly to avoid someone spoofing your domain, right? No?!
Then, there are attachments. If some stranger on the street handed you a box and said "open this and eat whatever's in it," would you do it or throw it in the trash? The same common sense applies to email.
2. Sharing passwords
Of course, Sherry, Sharon, and Sheryl all know each other's passwords; how else are they going to log into each other's computers to get something when one is out? Or all share the same login to one site or application?
This applies to users telling you their passwords, as well. If you need to log in as a user, change it for them, do your work, then help them change it back. This covers you and helps emphasize to them that NO ONE, not even IT, ever needs to know their password.
3. Leaving their computer unlocked
Sure, give anyone who walks by access to your email or files or whatever sites you're logged into. If you need a mild prank to teach them a lesson, Windows 7 always includes this super creepy wallpaper; a quick change will get their attention.
4. Simple passwords
Could be their spouse's/kid's/dog's name, could be a single word, could be "password"; none will stand up to a brute-force attack. How big of an issue are passwords? Read for yourself. Don't say we didn't warn you.
5. Ignoring system updates
"Reboot now to finish installing updates?! I'm in the middle of finishing this TPS report! Rebooting will take whole minutes out of my day! I'll do it tomorrow." *clicks ignore*
The next day…
"Reboot now to finish installing updates?!?!"
6. That random USB drive they found in the parking lot
Yeah, just stick that thing in your computer and open anything that's on it, it's fine, thisisakittenvideoandtotallynotmalware.exe, sounds totally legit.
7. Disabling anti-virus
"But it slows my computer down!!" No, having 40 Chrome tabs and every Office program open at the same time slows your computer down. So does malware, spyware, and ransomware.
Wait, Mr. IT Pro, your AV doesn't have central management that lets you lock down the AV application settings and lets you see that every computer actually has AV installed? Shame, time to shop for a better solution.
8. Not keeping a clean desk
We're not talking about those Coke cans and dirty mugs, we're talking about papers with confidential information and sticky notes with passwords out in plain sight. Paperwork needs to be locked up when you leave, sticky note passwords need to be burned. And do your dishes.
9. Installing any old software they want
Different companies will have different policies. Some lock you down to a handful of apps and block installing anything else. Some say "we use these apps, get approval from IT for anything else you want." (Pro tip: they won't.) Sometimes it's free rein, and who knows what they're installing.
10. Accessing company resources with personal devices
Again, companies will have their own policies for this, but letting personal computers, which you have zero security control over, onto your corporate network can be a real disaster. A machine with no AV authenticates to a file share, and ransomware strikes.
Or imagine a personal device with a weak (or nonexistent) password, no encryption, and super secret files on it, loaded to work on while traveling. Now imagine that device is lost. Without IT oversight in place, who knows what havoc awaits?
A lot of these issues can be avoided, but you can only do so much. Human nature will find a way around all the security measures you put into place, sometimes willfully, sometimes by someone just not knowing the most secure way of working. With a combination of sound information security training and the right infosec defenses in place, your IT team and your users can work together to keep networks healthy and protected.