End-user training is often the one area of a good security policy that is given the least amount of attention....
When end users are not properly trained on how to use and maintain security, breaches will result.
Here is a list of some of the security mistakes that end users make, especially when they are not properly trained:
- Opening attachments on e-mails from unknown and unexpected sources
- Not installing necessary and recommended security patches, such as for Office and Internet Explorer
- Installing games, screen savers, or other Internet downloaded programs without verifying that they are safe and do not contain viruses or Trojan horses
- Not making backups of their local data or not verifying and testing such backups when made
- Using a modem from their LAN client while still connected to the LAN without an Internet firewall and without organizational permission
- Using a password-saving utility to retain logon credentials for local, LAN and Internet sites
But, before you begin pointing the blame finger at your end users, IT professionals are not without their own faults, oversights and outright mistakes. Here are some of the top security mistakes made by IT people who should know better:
- Placing a system online (LAN or Internet) before hardening and testing it
- Not installing necessary and recommended security patches and OS upgrades
- Using insecure remote management tools, such as telnet, on servers, routers, firewalls, etc.
- Giving out passwords or changing passwords over the phone
- Performing an administrative-level operation based on a request from someone without properly verifying their identity or authority
- Not making backups of the LAN data or not verifying and testing such backups when made
- Running unnecessary and insecure protocols and services
- Deploying firewalls, proxies, etc. with default settings
- Not installing and maintaining antivirus software