Educate your users

Even with the best firewalls, antivirus products and other security hardware and software in place, no network or computer is 100% secure. Sadly, the weakest link in the security chain for corporate networks is often the users themselves. Ensuring that users have a basic understanding of information security and a little common sense can yield much higher dividends than the latest whiz-bang application.

Users sign up for spam. Maybe they install something like a free media player and are asked for their email address. Maybe they purchased something and ended up on a mailing list. Contact capture forms are usually positioned in such a way that people submit them as part of the normal workflow of the site or application. In short, users spam themselves and usually don't know when they're doing it. 30% of users will open an email even if they know it is malicious.

The most successful attacks against an organization are successful because they target the users. Usually, this involves a user clicking on a link that sends the user’s browser to a malicious webpage that looks like a site that they are familiar with visiting. Without looking at the URL, the user can be easily coerced into believing the website in front of them is legitimate. Now, with security tools such as the Social Engineer Toolkit (SET), attackers and security professionals have the ability to take an existing web page and make a clone of it in a matter of seconds. The only difference between the two is the source, which makes it all the more important to be educated on how URLs are structured.

This may be old news to some, but until these attacks become far less successful, it is important to educate our users, family, and friends on how to better protect themselves online. Even users who are aware of phishing attacks can still fall victim to the attacker techniques discussed below.

Strong passwords:

Users hear it constantly, but many still aren't listening.

User tip:  Passwords should contain a mix of uppercase and lowercase letters as well as numbers or special symbols (like % or $).

User tip:  Passwords should never be something simple like the name of your son or your birth date.

Avoid phishing scams:

User tip:  No reputable company or tech support department will ask you to provide your username, password, social security number or other sensitive information in an e-mail. Also, never click on Web links within unsolicited e-mail.

Protect your workspace:

At any given moment, your desk may have memos or documents that contain sensitive or confidential information or you might have classified information displayed on your computer monitor.

User tip:  Be aware of who is nearby, and secure information assets by locking your PC before you leave your desk.

It's probably a hoax:

Any e-mail message from a friend or family member claiming to be urgent news that you should distribute around the world is almost definitely a hoax. To verify, you can check the information on a site like However, even if it is legitimate, you should not use corporate resources to forward spam messages on to your friends and family.

User tip:  Don't use corporate resources to forward spam.

Don't open attachments:

User tip:  Unless you are 100% sure of whom the e-mail came from and what the attachment contains, do not open or execute an e-mail file attachment.

Keep your virus detection device turned on:

Antivirus scanning is only effective if it is turned on.

User tip:  Do not disable or deactivate your antivirus scanning engine.

Do not install unapproved software:

Even if software is free, it is not always free for use on corporate machines. Downloading software from the Internet is a primary source of viruses, spyware and Trojans, and even legitimate software may not be compatible with other software on your computer and could cause conflicts.

User tip:  Don't install unapproved software.

Beware of instant messaging:

Instant messaging can be a great communication tool, but it can also be a way to transfer viruses and other malware or initiate phishing attacks. Use instant messaging responsibly.

User tip:  Do not click on links sent from unknown instant messaging users.

When in doubt, call for support:

It is better to contact the pros to check it out than to be the root cause of a virus infection that takes down the corporate network.

User tip:  If you are suspicious of something or something just seems weird, contact tech support.