Your knowledge workers (users) are probably the most important asset in your defense-in-depth strategy; teaching them how to recognize, react to and report information security incidents should be a top priority for any organization. Knowledge workers should be taught to recognize phishing emails and social engineering attempts, to follow best practices for handling personally identifiable information (PII), and how to respond if they believe the business's information security defences have been compromised. Information security is not only a problem for the technology department: it is an all-hands-on-deck business issue.
A few tips:
- Store company data only on approved company devices.
- Users should be taught to lock their workstations when not in use (Windows key + L is a good shortcut); in general, users should not leave their information processing devices unattended.
- Endpoint security software should be installed on all systems.
- Users should attend security awareness training on a schedule that matches the organization's risk posture.
- Use fine-grained password policies to apply different password and account lockout restrictions to different sets of users in your domain.
- Knowledge workers should use complex passwords containing upper-case letters, lower-case letters, digits (0-9) and non-alphanumeric characters (~!#$%^&*).
- Operating systems, applications and security software should be updated as often as possible, using an industry-standard change control model to ensure they continue to perform optimally with your line-of-business (LOB) applications.
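The fine-grained password policy and password complexity tips above map directly onto Active Directory Password Settings Objects (PSOs). The following PowerShell is an added example, not code from the original page: it creates a baseline PSO for knowledge workers and a stricter one for privileged accounts, attaches each to a global security group, and checks which policy actually applies to a given user. The group names `Knowledge-Workers` and `Tier0-Admins` and the user `jdoe` are placeholders; it assumes the ActiveDirectory RSAT module is installed and the domain functional level is Windows Server 2008 or later (required for PSOs).

```powershell
# Added example: two AD fine-grained password policies (PSOs) for different
# user populations. Group and user names below are placeholders.
Import-Module ActiveDirectory

# Baseline policy for ordinary knowledge workers.
# ComplexityEnabled enforces the upper/lower/digit/symbol mix listed above.
$workerPolicy = @{
    Name                        = 'PSO-KnowledgeWorkers'
    Precedence                  = 200      # lower number wins if a user falls under several PSOs
    ComplexityEnabled           = $true
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    LockoutThreshold            = 10       # failed attempts before lockout
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)   # must be >= observation window
    ReversibleEncryptionEnabled = $false
    Description                 = 'Baseline policy for knowledge workers'
}
New-ADFineGrainedPasswordPolicy @workerPolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-KnowledgeWorkers' -Subjects 'Knowledge-Workers'

# Stricter policy for privileged (Tier 0) accounts: longer passwords, tighter
# lockout, and a lower precedence number so it wins over the baseline policy
# for anyone who is a member of both groups.
$adminPolicy = @{
    Name                        = 'PSO-Tier0Admins'
    Precedence                  = 10
    ComplexityEnabled           = $true
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 60)
    LockoutDuration             = (New-TimeSpan -Minutes 60)
    ReversibleEncryptionEnabled = $false
    Description                 = 'Hardened policy for Tier 0 administrative accounts'
}
New-ADFineGrainedPasswordPolicy @adminPolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0Admins' -Subjects 'Tier0-Admins'

# Verification: list all PSOs in precedence order, then show the resultant
# policy for one placeholder user so you can confirm the intended PSO won.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge |
    Format-Table -AutoSize

Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

PSOs apply only to user objects and global security groups, not to organizational units, so membership in the right group is what selects the policy. If a user is covered by several PSOs the one with the lowest precedence value is applied, which is why the privileged policy above is given precedence 10 and the baseline 200; `Get-ADUserResultantPasswordPolicy` is the check that this resolution produced the policy you intended.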