Skip to content

Cybersecurity best practices: An open letter to end users

In an effort to make IT pros’ jobs easier, Jack Wallen offers cybersecurity tips to end users–in particular, what not to do to keep company networks, equipment, and data secure.


Image: iStockPhoto/1550539

More about cybersecurity

First, a note to IT admins about this open letter. The admin’s job is never done. Ever. Period. End of story. You work all day, you go home, you think about work, you dream about work, you eat your work feelings, and you do it all over again.

Part of the reason for this is because you’re always fighting an uphill battle named end users. I hope the following security advice for end users (which you might consider passing along to the people you support) helps make your job easier. And seeing as how it’s Cybersecurity Awareness month, this is the perfect time to remind your end users just how important it is that they do their part to keep the company’s data safe from harm. Now that we’re on the same page, let’s jump on this hayride and see how fast we can go. (Also read: Cybersecurity Awareness Month: Train employees to be first line of defense.)

SEE: Security Awareness and Training policy (TechRepublic Premium)

Dear end users,

It is not with any pleasure that I write this to you, nor is it intended to make you feel like you’ve done anything wrong. You might have–you just didn’t realize it, but don’t worry, you’re not alone. In fact, I imagine many employees that you work with have fallen prey to one or more of the behaviors that I mention.

With that said, when it comes to keeping your computer safe from malware, ransomware, evening wear… scrap that last bit. My intended pun will probably confuse you. Just in case, there is no threat against your PC called “evening wear,” but you see how easy it is to fall victim to such nonsense? It’s really easy.

Back to the point. You probably believe magic goes on behind the velvet curtain labeled IT that protects your computers from harm–and, in a way, there is. Your IT staff works tirelessly to prevent all of those desktops and servers from getting hacked or infected with malware, ransomware, and other security threats. The truth is, those desktops, servers, and networks are only as secure as you allow them to be.

That’s right, in many instances the burden falls on your shoulders. Don’t worry–it’s not that hard. 

Instead of couching this advice in terms you may or may not understand, I’ll make it as clear as possible. The best piece of cybersecurity advice I can give you is this: When in doubt, don’t do it. Such generalities could leaving you staring blankly at your monitor and unable to function, so here are specific security best practices. 

  • Don’t click suspicious links. If you don’t know if a link is suspicious, ask.

  • Don’t install any software on your PC or phone unless it comes from the operating system’s built-in software store.

  • Don’t install browser add-ons unless they are sanctioned by your company.

  • Don’t visit websites that seem dodgy. What is a dodgy website? Products advertised on social media, sites that advertise products or services that sound too good to be true, sites that want to install applications on your computer, or any domain found on a list like the Fake Sites Database.

  • If you absolutely must visit a dodgy site (say you’re doing research for your marketing department and want to know why a product is listed as must have), do it on a tablet that can easily be reset to factory default and doesn’t contain company data.

  • Update your passwords with really strong ones that you can’t memorize. I know that’s a pain, but there’s a solution: Ask your IT staff about how to use a password manager.

  • Don’t open email attachments that haven’t been checked by your antivirus.

  • Don’t open text messages from unknown senders.

I know this list seems daunting, but it all supports the original idea of, “When in doubt, don’t do it.”

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

It is no secret that, among IT pros, the pervading feeling is that the weakest link in a company’s security is the end users, but it doesn’t have to be that way. All you have to do is stick to the above list of cybersecurity best practices, and you’ll make the lives of your IT staff exponentially easier.

I don’t mean to lay this all at your feet, but those admins who’ve been working day and night to keep your PC up and running need a bit of help, and chances are pretty good they know they can’t look you in the eye and say, “This is your fault,” without risking their jobs. So I take that burden upon myself.

But don’t take this personally. It’s not you, it’s… okay, it might be you. But not 100% of the time… more like 80-90%.

Just remember, it’s not that hard to keep those PCs safe from evening wear and formalwear… got you again! Come on, end users… keep up with me.

You can do this. I have faith in you. But just in case, repeat to yourself, “When in doubt, don’t do it.”

Also see