
Five Worst Security Mistakes End Users Make and Suggested Fixes

How to Help Your End Users

By Ryan Groom, About.com

On its website, the SANS Institute lists the most common mistakes made by end users, executives, and IT people.

To help address these mistakes, I am going to take you through each end-user mistake and provide some basic mitigation strategies.

1. Failing to Install Anti-Virus and Keep It Up to Date

In a small corporate environment, products such as AVG and others can go a long way in protecting your computers. However, setting up anti-virus software individually on each machine can quickly become unmanageable. In larger offices, a centralized anti-virus management solution is the only feasible way to manage the installation, configuration, and maintenance of the anti-virus software. Consider the five top features when choosing a central anti-virus management solution.

2. Opening Unsolicited Email Attachments Without Verifying Their Source

End users do not set out to cause problems. They quite often use computers only for their business purposes and may not have a deep knowledge of the computer beyond that purpose. This means end users do not always think about the security ramifications of opening unsolicited email, installing screen savers, or running games. User awareness campaigns increase the visibility of these risks, and end users who better understand the risks are empowered and will not hinder the security of your environment. There are also technological controls, such as anti-spam, anti-virus, and content filters, that the IT staff can implement so that end users less often have to decide whether or not to open a file or program.

3. Failing to Install Security Patches - Especially for Microsoft Office, Microsoft Internet Explorer, Firefox, and Netscape

End users at home need to learn how to update their software to protect themselves. Every office runs slightly differently, however, and as such end users will look to the experienced IT staff for guidance. Is it reasonable to require a tax accountant to know all the accounting rules and procedures as well as maintain the computer they use? The only manageable solution is to have a central update control such as Windows Update Services, Microsoft System Management Server, Bernard Software, Shavlik Software, or others to distribute updates from a central source to your desktops and servers.

4. Not Making and Testing Backups

Making and testing backups should not be the responsibility of the end user in a corporate environment; this mistake is much more applicable to a home user. However, what is applicable in this case is educating, encouraging, and requiring users to store all their information on file servers so that it can be backed up by system administrators.

5. Being Connected to More Than One Network

This used to be an issue when a user connected to the corporate network would also dial up their ISP via modem for personal use, effectively joining the two networks. Modem and dial-up use are rapidly declining, so that form of the issue is decreasing as well, but the issue has simply shifted from dial-up connections to wireless connections. Wireless networks are becoming ubiquitous; some are secured and others are not. Corporate security faces not only the challenge of setting up and securing its own wireless networks but also the challenge of preventing users from joining other wireless networks. Policy and user education will certainly help in this case, but if users wish to leverage an outside wireless network to circumvent your carefully thought-out security process, what do you do? Locking the user out of the wireless configuration utilities of the operating system and leveraging a form of network access control are two ways to attempt to reduce this difficult security challenge.

Conclusion

Having IT and security staff educate end users about these computing mistakes can create a bridge between IT operations and its end users. End users are really the customers of IT operations, and IT operations should take due care to educate and support them to ensure a safer computing environment for everyone.


©2008 About.com, a part of The New York Times Company.

All rights reserved.