Our user device policy outlines the following which may be useful additions to your own policies. They are definite security practices which will protect IT and IS assets.
Phishing attacks
- If you receive an email with a link from someone you don’t know, then think twice.
- Report it to your helpdesk.
- If you know the sender but were not expecting a link or attachment, do not click on the link; contact the sender to check.
- Don’t forward any such email to the helpdesk or others – take screenshots and make phone enquiries.
Removable media
- Plugging in any device should be done with caution.
- Know where the media has come from.
- Have a process for scanning for viruses and malware.
Physical security
- Keep a clean desk and do not leave sticky notes with passwords around.
- Keep sensitive physical documents secured.
- Lock workstations when unattended – especially if in a place the public can access. This is necessary for privacy, but also enhances security.
Mobile device security
- Do not install apps from websites or non-approved stores on organisation provided mobile phones.
- Sensitive information on mobile devices should always be protected by a password, encryption or biometric authentication, so that it is not exposed if the device is lost or stolen.
Public Wi-Fi
- When using Wi-Fi in public areas, be aware that there are fake public Wi-Fi networks, sometimes posing as free Wi-Fi in coffee shops. These can leave end users vulnerable to entering information into non-secure public servers.
- Don’t give away too much information - like your email address or your phone number.
- If you absolutely must connect to networks like this, stick to places you trust (see above) and consider using an alternative email address that isn't your primary one.
- Stores and restaurants that do this want to be able to recognise you across multiple Wi-Fi hotspots and tailor their marketing accordingly. Decide whether the trade-off is worth it for some free internet access.
- Limit the number of different public Wi-Fi platforms you sign up for. Does your phone or cable carrier offer free Wi-Fi hotspots in your current location, for example? If you can get connected through a service that you're already registered for, that's usually preferable to giving up your details to yet another group of companies.
Social media and social engineering considerations
- Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
- A common technique that malicious actors use to gain the trust of employees is to offer lures, for example posing as an employee of a company that wants to work with your practice and offering incentives to instigate communication. Or they might impersonate someone to gain access to valuable personal information. Private information can unwittingly be handed over to these malicious actors during these types of exchanges.
- We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source. This is also social engineering.
- Protect your privacy when using social media by enabling privacy settings.
- Consider how much you share about where you work on social media. Keeping your workplace out of the picture reduces the leverage an attacker could gain from access to your personal network.
Internet and email use
- Don’t save passwords in browsers like Microsoft Edge or Google Chrome.
- Consider asking your IT company to change this setting so the browser doesn’t offer to save passwords.