Good Security Practices for Users - Mitigating User Risks


What can users do to mitigate their share of the organization’s risk? The first, and arguably most important, step is to start exercising good security practices, sometimes referred to as security hygiene.

While organizations often focus on company-level security measures, such as incident response planning and deploying endpoint and network security products like Microsoft Defender, data from the Verizon 2021 Data Breach Investigations Report shows that 85% of breaches still involved a human element and 61% involved stolen or misused login credentials.

Users are commonly described as the "weakest link" in an organization’s security, but that is usually because they have never been given the tools or the training to mitigate the risks they are exposed to day in and day out. Security professionals have grown accustomed to treating that weakness as inherent. It does not have to be.

What is Security Hygiene? 

“Security hygiene” is one of many blanket terms used to describe a simple process: adopting well-informed security practices to support and improve security. While there is no standard list that fully encompasses security hygiene for end users, there are many tasks individuals can adopt as part of their routine to greatly decrease their risk to the organization and their personal information. 

Use Strong, Unique Passwords 

As noted above, 61% of breaches involve credentials such as a username and password. It is important to use a strong password, meaning above all a long one (length does more for strength than mixing character types, although most policies still require numbers and special characters), but it is equally important not to reuse a password across multiple applications, websites, email accounts, and so on. A password manager makes unique passwords practical, because the only one you then have to remember is the one that unlocks the manager.

Attackers commonly use what is called credential stuffing: they take username and password pairs leaked in prior data breaches and try them on other sites and services. (A related attack, password spraying, works the other way round: a few common passwords are tried against many accounts.) Since many accounts use your email address as the username, it is easy for an attacker to connect the dots between accounts, and if you are using the same password across multiple accounts, that makes you an easy target.
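One practical check is to find out whether a password you use has already appeared in a public breach corpus, without sending the password anywhere. The Have I Been Pwned "Pwned Passwords" range API supports this: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest of the hash locally against the returned list. The script below is an added example for this article, not code from Bridgehead IT or from Have I Been Pwned. The range lookup is a parameter so that the demo at the bottom runs offline against a constructed response; the sample password counts and the extra suffixes in that response are made up.

```powershell
# Added example: client side of the Pwned Passwords k-anonymity range check.
# Only the 5-character hash prefix leaves the machine; the suffix is compared locally.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    try {
        # BitConverter yields "5B-AA-61-..."; strip the dashes to get plain uppercase hex
        return ([System.BitConverter]::ToString($sha1.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha1.Dispose()
    }
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Takes a 5-character hex prefix and returns the "SUFFIX:COUNT" lines for
        # that range. The default queries the live API; pass another script block
        # (as the demo does) to run offline or against a cached copy.
        [scriptblock]$RangeLookup = {
            param($Prefix)
            $resp = Invoke-WebRequest -Uri "https://api.pwnedpasswords.com/range/$Prefix" -UseBasicParsing
            $resp.Content -split "`r?`n"
        }
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)

    foreach ($line in (& $RangeLookup $prefix)) {
        if (-not $line) { continue }
        $parts = $line.Trim() -split ':'
        if ($parts[0] -eq $suffix) {   # -eq is case-insensitive, so response casing does not matter
            return [pscustomobject]@{ Password = $Password; Pwned = $true;  Count = [int]$parts[1] }
        }
    }
    return [pscustomobject]@{ Password = $Password; Pwned = $false; Count = 0 }
}

# --- Offline demo with a constructed range response (not real API data) ---
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is
# "5BAA6" and its suffix is the middle line below. The other suffixes and all
# of the counts are invented for the demo.
$fakeRange = {
    param($Prefix)
    @(
        '1D2E1E4D2B0B8E9F4B9A0C0D1E2F3A4B5C6:2',
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824',
        '1E4D7C0E1F2A3B4C5D6E7F8091A2B3C4D5E:1'
    )
}

Test-PwnedPassword -Password 'password' -RangeLookup $fakeRange            # Pwned = True
Test-PwnedPassword -Password 'Nn7$vQ2!pL9-wandering-teacup' -RangeLookup $fakeRange  # Pwned = False
```

Run it without the `-RangeLookup` argument to query the live service. A "Pwned = True" result means the password is in attackers’ stuffing lists and should be changed everywhere it is used, even if the account in front of you has not been breached.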

Practice a Clean Desk Policy 

You can tell a lot about a person just by looking at their workspace, and even more if they leave their work on their desk. We live in a digital age, but a lot of information still arrives on paper. Papers, USB drives holding sensitive or other non-public information, notepads with work-related or other sensitive notes, and similar items can give an attacker enough to mount an attack on your organization or to walk away with sensitive information. 

Not only does a clean desk policy (clearing your desk of all portable items, e.g., papers, folders, storage devices, personal effects, whenever you leave it) help keep your personal environment more secure, it also keeps your desk clean and presentable. Organizations benefit from making a clean desk policy part of their security policy, requiring documents and media containing sensitive information to be properly secured, for example in a locked desk drawer. 

Lock When You Leave (even for a minute) 

What’s even less secure than a weak password? No password. 

This is the opportunity you provide to an attacker when you walk away from your computer without locking it. If your company doesn’t enforce a screen lock policy, the risk can persist throughout the night and weekend. 

On Windows 10, you can lock your computer in three ways: 

  1. Open the Start menu, select your user tile (your name or picture), and select Lock 
  2. Press the Windows key + L 
  3. Press Ctrl+Alt+Del, then select Lock 

Whichever you prefer, locking your computer whenever you step away (even for just a minute) goes a long way toward protecting your account and the organization. Organizations should still enforce screen lock policies with technical controls (an idle-session lock with a short timeout), because a safeguard that depends on every user remembering every time is not a control, and the technical one greatly reduces the risk of an unattended, unlocked computer. 
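For administrators who want to confirm that the technical control is actually in force rather than left to habit, the script below audits the two Windows settings that enforce an idle-session lock: the machine-wide "Interactive logon: Machine inactivity limit" security option and the per-user Group Policy screen saver settings (password-protected, with a timeout). It is an added example for this article, not Bridgehead IT’s tooling. It assumes Windows and reads the documented registry locations those policies write to; the 900-second threshold is an assumed value, so substitute whatever your policy mandates.

```powershell
# Added example: audit whether an idle-session lock is enforced on this Windows machine.
#   1. Machine-wide limit:  HKLM\...\Policies\System\InactivityTimeoutSecs (DWORD, seconds; 0/absent = off)
#   2. Per-user GPO saver:  HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
#      ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut (stored as strings)
# The 900 s threshold below is an assumption; use the value from your own policy.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value name does not exist
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 900)

    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

    $userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ssActive   = Get-RegValue $userPolicy 'ScreenSaveActive'
    $ssSecure   = Get-RegValue $userPolicy 'ScreenSaverIsSecure'
    $ssTimeout  = Get-RegValue $userPolicy 'ScreenSaveTimeOut'

    # Machine limit counts only if it is set, non-zero, and within the threshold
    $machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)

    # The screen saver route only locks if the saver is on, demands a password on
    # resume, and its timeout is within the threshold (-and short-circuits, so the
    # [int] cast is only reached when a value exists)
    $userOk = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
              ($null -ne $ssTimeout) -and ([int]$ssTimeout -gt 0) -and ([int]$ssTimeout -le $MaxIdleSeconds)

    $compliant = $machineOk -or $userOk
    $finding = if ($compliant) {
        'Idle lock enforced'
    } else {
        "No enforced idle lock within $MaxIdleSeconds s; a session stays open after the user walks away"
    }

    [pscustomobject]@{
        MachineInactivityLimitSecs = $machineLimit
        ScreenSaverPolicyTimeout   = $ssTimeout
        ScreenSaverPasswordLocks   = ($ssSecure -eq '1')
        Compliant                  = $compliant
        Finding                    = $finding
    }
}

function Set-MachineInactivityLimit {
    # Local remediation; requires an elevated prompt. On domain-joined machines,
    # set "Interactive logon: Machine inactivity limit" through Group Policy instead,
    # so the value is enforced centrally and re-applied if someone changes it locally.
    param([int]$Seconds = 900)
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $path -Name 'InactivityTimeoutSecs' -PropertyType DWord -Value $Seconds -Force | Out-Null
}

Test-ScreenLockPolicy | Format-List
```

A machine that reports "Compliant: False" here is exactly the one described above: if the user forgets to press Windows key + L, nothing else will lock it, and the exposure lasts until they come back.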

Protect Your PINs and Passwords 

Shoulder surfing may sound like a daring summer recreational activity, but it is an attack method commonly used by criminals. The phrase describes someone watching you while you use a device, for example as you type your computer password or your debit card PIN. 

Make a habit of checking your surroundings before entering your passwords or PINs. When in doubt, using your body or hand to block view of your entry can make all the difference. 

Read the Message; Update the Software 

There is not one person among us who has not clicked past an on-screen notice at some point. Sometimes it is a nuisance that has been pestering you for months with no resolution, and other times it is that software you only use to meet with one customer every few months.  


Kaspersky’s IT Security Economics 2020 report shows outdated software and hardware can cause the average cost of a data breach to increase 47%, and that businesses using outdated technology are more than twice as likely to suffer a breach in the first place. Two of the main reasons given for using outdated software in this report include “…employees refuse to work with new software and devices…” and “they belong to C-level staff…”. 

Many users react to updates, or more precisely to the reboots needed to complete them, by postponing them to avoid the immediate inconvenience. Once you are practicing good security hygiene, you can better appreciate the far greater inconvenience that outdated software causes when it is used as part of an attack on you or your organization. 

So, the next time you see the “Update” message on the top-right of your browser, or receive the prompt to reboot your computer to install updates, exercise good security hygiene by acting on the information promptly – updating at your next break or at the end of the workday. 

Ensure Your Data is Protected

Backups are an integral part of a business’s survivability in the digital world. Having a working backup can be the difference between self-recovery from a ransomware event and being forced to pay a million-dollar ransom. 


Each company’s backup plan can differ, but it is still important for you, as the user, to understand where your data needs to be so it is covered by that plan. Recovery of data that isn’t backed up can often be a time-consuming, costly, and sometimes impossible task. 


If your company hasn’t provided you with information on where to store your data, you should ask your manager or IT team to make sure your work is being protected. 


Likewise, important personal data like family photos, financial documents, and other valuable files should be backed up periodically. Cloud services like OneDrive and iCloud are popular, while offline options, such as backup software writing to an external hard drive, may be preferable for those not comfortable storing such information in the cloud. Whatever you choose, remember that ransomware encrypts every drive it can reach: a backup disk that stays plugged in can be lost along with the originals, so disconnect it between backups or use a service that keeps file version history. 

Be a Security Advocate

Now that you have made strides to help keep you and your organization more secure, the next step is to help others! Sharing security knowledge like that discussed here, by email, on social media, by word of mouth, or simply by example, goes a long way toward making everyone more secure.  

Talk To A Professional.


Bridgehead IT specializes in Incident Response, Cyber Security and Compliance, Industry-Specific Security Compliance, and On-Demand Cyber Security Expertise. Don’t wait until it is too late to address gaps in your company’s cyber security plan.


Connect with us by clicking the button below to review your business’s cyber security needs.

TIPS & TRICKS

Use Strong, Unique Passwords.

Practice a Clean Desk Policy. 

Lock Your Device When You Leave.

Protect Your PINs and Passwords.

Read the Message; Update the Software.

Ensure Your Data is Protected.

Be a Security Advocate.

Questions About A Security Risk Assessment For Your Business?

Contact Bridgehead IT.

(210) 477-7900
