...for your five-year-old to play over the weekend and then remove it before returning to the office on Monday.) When it comes to personal use of corporate IT resources, most organisations have some sort of policy, more or less stringently enforced, defining what is and is not acceptable usage. Generally speaking, such policies are put in place to protect the company from lawsuits and to protect the integrity of the IT infrastructure. To be effective, such policies must be appropriate for the environment, be clearly communicated, and be enforceable with well-defined consequences for violators.
Regardless of the strength or content of the policy, we would like our users to know that it is not acceptable to violate it, especially not in sneaky ways that insult our intelligence. In addition to knowing the policy, users need to know that we have measures in place for detecting attempts at violation. As much as we don't wish to play the role of compliance police, we are forced to do so to protect our network and our jobs. This information security policy includes sections on acceptable usage of company computer resources.
#8: Exercising care in sending emails
How many times have you been asked to recall an email accidentally sent to the wrong person or persons? Over the years I have seen the following messages misdirected: termination notices, pay raise denials, extremely personal medical information about a girlfriend sent to the user's wife, and images of a very questionable nature accidentally sent to the director of human resources. Regardless of an organisation's email policy, users need to be aware of this danger and be taught to exercise appropriate caution: Think before pressing Reply To All, double-check addressees before clicking Send, refrain from using the corporate email system for non-business related messages, and in general, regard email messages as postcards instead of letters.
#9: Protecting against viruses, phishing, malware, and other nasties
Although it is usually the responsibility of the IT professionals to protect corporate resources, this protection can never be 100 percent foolproof, so we are forced to depend on the vigilance of the user. Users need to be taught to recognise and handle threats and the consequences of not doing so. They need to be provided with specific information on how to identify phishing and how malicious email can appear to be from a legitimate contact. They should be warned not to open emails from unknown sources, not to open unidentified attachments, not to enter their corporate email address on Web sites, and not to turn off any protection on their computer. They should understand the need to stay on top of antivirus updates. Frequent reports of new threats and statistics of how many viruses have been caught within your organisation can also help raise their security awareness.
#10: Remembering that support techs work most effectively when adequately supplied with chocolate
This requires no further explanation.





