Module 3 Free 4 min

Safe Tools, Downloads & Devices

Why you stick to approved software, avoid random USB sticks, and think twice before pasting work into third-party AI tools.

What you'll learn

  • Download and install software safely
  • Avoid risky devices like unknown USB drives
  • Use third-party and AI tools without leaking data

Every program you install and every device you plug in is a doorway into your work machine — and not all doorways are safe to open. Attackers know this, which is why so many threats arrive disguised as a handy free tool, a forgotten USB stick, or a convenient website. The guiding principle is refreshingly simple: use what’s approved, and be suspicious of the rest. You don’t need to become a software expert; you just need to know where the safe paths are and why the shortcuts are risky.

Safer

  ✓ Install from the company portal
  ✓ Approved, sanctioned apps
  ✓ Ask IT if you're unsure
  ✓ Company-issued devices

Risky

  ✗ Random downloads / "free" tools
  ✗ Unknown USB / flash drives
  ✗ Pasting work into public AI bots
  ✗ Unapproved "shadow IT" apps

Found a USB stick in the car park? Don't plug it in — that's a classic attack.

Software: stick to the approved source

Only install software from your company’s approved source — usually a portal, software centre, or app catalogue managed by IT. Those apps have been vetted, kept up to date, and confirmed not to carry hidden surprises. By contrast, “free” downloads off the open web are one of the most common ways malware gets in. A tool that promises to convert your PDFs, speed up your computer, or unlock a premium feature for nothing may quietly bundle spyware, a keylogger, or ransomware alongside whatever it claims to do. Cracked or pirated software is worse still: tampering is practically the point of it.

If you genuinely need a tool that isn’t in the approved catalogue, the move is to ask IT rather than installing it yourself. It’s a five-minute question that often ends with the tool being approved and added for everyone — and it spares you from being the person who let something nasty in.

Devices: the USB you didn’t buy

Never plug in an unknown USB or flash drive. Attackers really do scatter infected drives in car parks, lobbies, and conference rooms, counting on curiosity or kindness — “maybe I can find the owner” — to do their work. A malicious USB can install malware the instant it connects, sometimes by pretending to be a keyboard that types commands faster than you can see. The same caution extends to chargers and cables from untrusted sources. If you find a stray drive, don’t plug it in to investigate; hand it to IT or security and let them deal with it safely.

Wherever possible, do your work on company-issued, managed devices. They’re configured to be protected, monitored for threats, and patched automatically — which is exactly the safety net you want behind you.

Shadow IT and the convenience trap

Reaching for an unapproved app to get something done quickly is so common it has a name: shadow IT. Maybe it’s a free file-sharing site to send a big document, a personal cloud drive to sync work files, or a browser extension that promises to tidy your inbox. It feels efficient, but every one of these moves company data somewhere IT can’t see or protect. If that service is breached, or simply shuts down, your data goes with it — and nobody on your security team even knew it was there.

Be especially careful with public AI chatbots

Third-party AI chatbots deserve their own warning, because they’re so useful that it’s easy to forget the risk. Anything you paste into a public AI tool may be stored on someone else’s servers, reviewed by their staff, or used to train future versions of the model. That means confidential code, customer records, contracts, financial figures, or private documents should never go into a public AI tool — once it’s pasted, you can’t pull it back. Imagine dropping a customer list into a free chatbot to “clean it up”: you may have just handed that personal data to an outside company with no agreement and no control over where it ends up. Use only AI tools your company has approved and sanctioned, and keep sensitive material out of the rest.

How to use it

Install software only from the approved portal, and ask IT before reaching for anything that isn’t there. Never plug in a USB drive you didn’t buy or aren’t sure about — hand strays to security. Resist the shadow-IT shortcut: if an unsanctioned app feels necessary, that’s a signal to ask, not to install. And before you paste anything into a public AI chatbot, stop and check whether it’s an approved tool and whether the content is safe to share.

Why it matters

The tools and devices around you are a favourite route for attackers precisely because they look harmless. A vetted app, a managed laptop, and a moment’s hesitation before plugging in or pasting are what keep that route closed. Choosing the approved path costs you almost nothing — and it prevents the kind of leak or infection that can cost the whole organisation a great deal.

Quick check

1. You find a USB stick in the parking lot. You should…

2. Before pasting confidential work into a public AI chatbot, you should…

3. Using unapproved apps to handle work data is called…