Top ten security tips for non-technical users

I'm giving a presentation later this week to the staff at the company where I work. The goal of the presentation is to serve as a refresher/reminder of good practices that can help keep our network secure. The audience is made up of both programmers and non-technical staff, so the presentation is geared for non-technical users.

I want part of this presentation to be a top list of "tips". The list needs to be short (to encourage memory) and be specific and relevant to the user.

I have the following five items so far:

  • Never open an attachment you didn't expect
  • Only download software from a trusted source, like download.com
  • Do not distribute passwords when requested via phone or email
  • Be wary of social engineering
  • Do not store sensitive data on an FTP server

Some clarifications:

  • This is for our work network
  • These need to be "best practices" tips for the end-user, not IT policy
  • We have backups, OS patches, firewall, AV, etc, all centrally managed
  • This is for a small business (less than 25 people)

I have two questions:

  1. Do you suggest any additional items?
  2. Do you suggest any changes to existing items?

It sounds like you may be a person outside of IT attempting to educate your peers. While this is a good thing and something I would encourage, your IT department should be driving the security standards and policies.

This training should serve as a means to reinforce and educate on the reasons behind the security policies already in place. If there is not a written security policy document, there should be.

Many of the things you list should not be within the end-user's control. For example, the average less technical end-user should not be able to install software on their workstation. I suspect there are numerous support, configuration, and malware issues within the company that could easily be prevented by policy if they can.

If the fundamentals are not already written and enforced by IT policy, these are issues that should be addressed before attempting to educate the users. Some of the end-user focused policies include:

  • Least privileges necessary to perform job function
  • Software updates automatically performed with attention to security risk
  • Security standards enforced by policy (i.e. web browser settings)
  • Password expiration (90-days)
  • Password strength enforcement (Alphanumeric, mixed case, 9+ characters, et cetera)
  • Unable to use last 5 passwords
  • Portable device (laptop) storage encryption
  • Data classification policy
  • Policy dictating handling restricted and confidential data as defined within classification policy.
  • Data disposal policy
  • Data access policy
  • Portable device policy

There are a myriad of additional policies and procedures that apply to both proper development and technical maintenance within the infrastructure groups. (Change control, code review, system standards, and much more.)

After all the foundation is in place, employees should be provided copies of the written security policy and training surrounding that policy would also be appropriate. This would cover end-user best practices both enforced technically and not. Some of these include:

  • Handling of restricted and confidential information as part of business.
    • Don't e-Mail or transmit unencrypted, dispose of properly, et cetera.
  • Handling of passwords.
    • Don't leave written under keyboard, on post it notes, share, et cetera.
  • Don't share accounts or authentication data. (Again)
  • Don't leave workstations unlocked or company property (data) unsecured (laptops)
  • Don't run software without consideration
    • Such as e-Mail attachments.
  • Risks and scenarios surrounding social engineering
  • Current malware trends applicable to the business or industry.
  • Policies and risks specific to the business or industry.
  • General education regarding how (if) they are monitored
  • How IT enforces the security policies technically and administratively.

The PCI DSS provides many examples of best practices concerning security policies. Additionally, the book The Practice of System and Network Administration covers fundamental best practices regarding IT security.


My top tip (that I am slowly managing to teach people) is a variation of your #1:

Know how to check where an email really comes from, and check any message that's the least bit strange.

For Outlook, that means knowing how to display the Internet headers and what the Received-From lines mean.

For non-technical staff, downloading and installing software isn't (and I'd say shouldn't be) an option, they shouldn't have admin access to install software. Even for programmers who we do give admin access to, we strongly, strongly urge them to check with IT before downloading and installing.

For passwords, I always repeat Bruce Schneier's advice: passwords should be strong enough to do some good, and to deal with the difficulty remembering them you can write them down on a piece of paper and keep that in your wallet - treat your password card like a credit card and know how to cancel (change) them if you lose your wallet.

Depending on how many laptops you have and how you back them up, I'd include a tip about keeping the data on laptops secure. If you don't have a system in place to back up/replicate data on laptops to your network, you should, and if you do have a system, you should make sure the laptop users know how it works. A lost or stolen laptop full of data is - at the very least - a pain in the ass.
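The "check where an email really comes from" tip above can be turned into a repeatable check. This is an added example, not code from the original post or from any mail product: it walks the Received lines of a constructed message and flags a From address that claims the company's own domain when the message actually entered the company's mail server from an outside host. The domain suffix `example-corp.test` and all hosts and IPs are assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real capture; hosts and IPs are documentation values.
# The From header claims the company's own domain, but the earliest hop that the
# company's server recorded shows the message arriving from an outside relay.
SAMPLE = (
    "Received: from mail.example-corp.test (mail.example-corp.test [203.0.113.10])\n"
    "  by inbox.example-corp.test with ESMTP id abc123; Mon, 1 Jan 2024 09:00:03 +0000\n"
    "Received: from relay.unrelated-host.test (relay.unrelated-host.test [198.51.100.7])\n"
    "  by mail.example-corp.test with ESMTP id xyz789; Mon, 1 Jan 2024 09:00:01 +0000\n"
    'From: "IT Helpdesk" <helpdesk@example-corp.test>\n'
    "To: staff@example-corp.test\n"
    "Subject: Please confirm your password\n\n"
    "Reply with your password to keep your account active.\n"
)

# Matches "from <helo> (<rdns> [<ip>]) by <server>", the shape most mail servers write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def parse_received(raw_message):
    """Return the Received hops, topmost (closest to the recipient) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))  # unfold wrapped lines
        if m:
            hops.append(m.groupdict())
    return hops

def check_origin(raw_message, our_suffix):
    """Compare the claimed From domain with where our own servers first saw the message.
    Only Received lines written *by* our servers are trusted; anything below the lowest
    of those was written by outside systems and can be forged by the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    ours = [h for h in parse_received(raw_message) if h["by"].lower().endswith(our_suffix)]
    if not ours:
        return {"verdict": "unknown", "reason": "no Received line added by our servers"}
    entry = ours[-1]  # lowest trusted hop: the point where the message entered our network
    entry_host = (entry["rdns"] or entry["helo"]).lower()
    spoofed = from_domain.endswith(our_suffix) and not entry_host.endswith(our_suffix)
    return {"verdict": "suspicious" if spoofed else "consistent",
            "from_domain": from_domain, "entry_host": entry_host, "entry_ip": entry["ip"]}

if __name__ == "__main__":
    print(check_origin(SAMPLE, "example-corp.test"))
```

Outlook's "Internet headers" view shows the same Received lines; reading them bottom-up, the hop just below the first one your own server wrote is the one that tells you where the message really entered.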