The Top Seven End User Risks

The top seven end-user risks found in most organizations have been identified by SANS, and are detailed herein along with relevant NYU resources to help you combat these risks and stay secure in your work and personal lives.

Lack of situational awareness

Refers to people not realizing that they are targets. Awareness of social engineering strategies being used by scammers and utilizing awareness resources are strategies that can be used to address a lack of situational awareness. For more information on social engineering, see the following Connect article, Social Engineering Attacks and How You Can Protect Yourself. For NYU awareness resources generally, see NYU’s Security Awareness web page.  Additionally, a subscription to this blog will provide you with up-to-date and timely information on information security threats and resources (the subscription option is visible along the right side of the blog).


Refers to the targeting of individuals or groups using email, text messaging, phone calls or social media updates/messaging. For more information on these types of attacks and recommendations on how to protect yourself, please see the following Connect article, Phishing, Spear Phishing, and Whaling.  

Password reuse

Refers to the same password being used for multiple accounts. Once a scammer steals one password, that password will be tried in a variety of sites. Do not let the compromise of one account occasion the compromise of other accounts. Each account password should be unique and lengthy (12+ characters). Password length vs. complexity has been shown as the primary password safeguard. Further, consider using passphrases instead of passwords. For more information on password best practices, please see the following Connect article, Under Lock and Passphrase.

Using Unpatched or Poorly Configured Devices (BYOD)

Secure your devices by performing application and system updates/patching frequently, or as updates become available. Updates address known vulnerabilities which scammers will attempt to exploit on unpatched devices. For  specific recommendations, please see the following blog post from the IT Security News & Alerts blog on Securing Your Mobile Device. Additionally, please see the following NYU KnowledgeBase articles, iPhone, iPod Touch & iPad security and Android security.

Indiscriminate Use of Mobile Media

Is a reminder to use WiFi and bluetooth best practices (for more information, see the above-referenced blog post). Additionally, 

  • no restricted data should be stored on your mobile devices. For information on NYU data classification and what comprises restricted data, please see the following webpage containing the NYU Data Classification Table.
  • install only well reviewed applications from reliable and trusted sources, such as Google Play or the App Store. Grant installed applications the minimum permissions necessary.  If you are not comfortable with the minimum permission levels, do not install the application. 

Data Leakage via Social Networking

Refers to the fact that social engineers regularly review social media sites and gather information on individuals and groups to target in attacks. For this reason, it is important to limit what you share about yourself yourself and others.  For example, none of your answers to security challenge questions, such as “what street did you grow up on?” should be posted on social media. For tips on social media use, see the following following blog post from the IT Security News & Alerts blog on Safe Social Networking.

Accidental Disclosure/Loss

Refers to the loss of mobile devices or physical media such as flash drives and to the unintended disclosure of information.

  • To avoid unintended email disclosure, a recommended best practice is to proofread the list of message recipients before sending an email as inadvertent disclosure sometimes occurs due to the auto-complete feature or use of “Reply to all” unintentionally.
  • With respect to flash drives, encrypted flash drives which require a PIN or password to access content are the most secure as the data will remain protected even if the drive is lost or stolen.
  • Please be reminded that any lost or stolen NYU provided mobile devices must be reported to NYU Public Safety at 2112-998-2222.