Calling all IT staff: check out the Sophos security manifesto

As many IT gurus know, security is not just about technology. It’s also about teaching the user about safe computing. No matter how many security policies you have in place, if the users don’t know right from wrong, a company can find itself in a vat of nastiness.

Unfortunately, many IT teams suffer the reputation of being the office cops. The problem here is that if a user does screw up, they sometimes shy away from reporting it to IT. Maybe they do this because they are afraid of getting in trouble.

To deal with this problem, we are trying to find a way to help the heroes in the IT department get the respect they deserve. One way of doing this is to dismantle the myth that they are there to punish or forbid. We also know that user education sounds very nice in theory, but can be a slog in reality.

So, we have been thinking up a way to help IT educate users in a friendly way, and we came up with the idea of launching the Sophos security manifesto.

This would include ten top tips, written simply and clearly to explain to users not only the right way to do things, but why it is important to do so. The idea is that these tips would be part of a kit that includes a presentation, some posters for your walls, and other goodies.

Sophos Security Manifesto

Cyber attacks can happen to anyone. Our job is to make it as difficult as possible for someone to attack you and your company. With your help, we can become much less attractive targets.

Follow these rules to help you and us prevent any nasties from getting in:

1. Don’t be tricked into giving away confidential information
Don’t respond to emails or phone calls requesting company confidential information – including employee information, financial results or company secrets. There is nothing easier for someone who wants unauthorised information than to call us up and pretend to be an employee or a legitimate user of this information. Stay on guard against these types of tricks to avoid falling for a scam, and report any suspicious activity to IT.

2. Avoid using an unprotected computer – is the computer you are using secure?
If you access sensitive information from a non-secure computer, like one in an internet café or a shared machine at home, you might put the information you are viewing at risk. Ensure your computer is running the latest approved security patches, anti-virus and firewall. Also be sure to work in user mode, rather than administrator mode, where possible.

3. Don’t leave sensitive info lying around the office
Don’t leave print-outs containing private information on your desk. Lock them in a drawer or shred them. It is very easy for a visitor to glance down at your desk and see sensitive documents. Keeping your desk tidy and documents locked away not only makes the office look more organised, but reduces the chance of an information leak.

4. Lock your computer and mobile phone when not in use
Always lock your computer and mobile phone when they are not in use. You work on important things, and we want to make sure they stay safe and secure. Locking your phone and computer ensures that your data and contacts stay safe from prying eyes.

5. Stay alert and report suspicious activity
Always report any suspicious activity to your IT team. Part of their job is to stop an attack from infiltrating the company. In the horrible situation that something does go wrong, the faster IT know about it, the faster they can deal with it and close down the leak.

6. Password-protect and encrypt sensitive files and devices
Always password protect and encrypt sensitive files on your computer, USB, smart phone, etc. Losing items like phones, USB keys and laptops can happen to anyone. While we all want to look after our belongings, things sometimes get stolen or misplaced. Protecting the data on the system with encryption and passwords means you make it incredibly difficult for anyone to break in and steal data.

7. Always use difficult-to-guess passwords
Many people use obvious passwords, such as “password”, “cat”, or obvious character sequences on the Qwerty keyboard, like “asdfg” and “12345”. It is much wiser to use difficult-to-guess passwords. Include different letter cases, numbers, and even punctuation. Try to use different passwords for different sites and computers, which means that if one gets hacked, your other accounts are not compromised.

8. Be cautious of suspicious emails and dodgy links
Don’t let curiosity get the better of you. Suspicious emails and links should be deleted. Even opening or viewing these emails and links can compromise your computer and invite in an unwanted problem without you even noticing it happening.

9. Don’t plug in personal devices without the nod from IT
Don’t plug in personal devices like USBs, MP3 players and smart phones without permission. These devices can be compromised with code waiting to launch as soon as they are plugged into a computer. Talk to IT about your devices and let them make the call to keep you and your computer safe.

10. Avoid installing unauthorised programs on your work computer
Don’t install unauthorised programs on your work computer without permission. Malicious applications often pose as legitimate programs, like a game, a tool and even anti-virus! They aim to fool the person into infecting their computer or network. If you like an application and think it will be useful, contact IT to look into it for you.

Let us know what you think
We would love to know what you think of the concept and the tips that we have come up with. Is this useful? Have we missed any that are more important? Is anything too obvious or not clear enough? Leave us a comment below and let us know.

And thanks – we appreciate your help!