We’ve all been cautioned for years never to open files from suspicious sources. And even if a file is from a trusted source it’s best not to open it until it’s been scanned with antivirus software. Otherwise you run the risk of installing malware, like a Trojan horse, spyware, or ransomware. Opening a file—or even clicking a link—can be one of the easiest ways for hackers to gain control of your computer.
But what if you’re a call admin or reviewer? It’s difficult to assess the quality of submissions without opening documents or following links. This is the security dilemma inherent to every call for proposals: You have to collect content but the only sure-fire way to avoid harm from that content is never to open it.
Unfortunately there is no bulletproof solution. There are, however, a few best practices call admins and reviewers can observe to help reduce their risk:
- Collect information using text fields instead of file-upload fields.
- This has two benefits. It removes the possibility that someone uploads a file carrying malicious code, and it makes the content easier for reviewers to reach: instead of downloading a file, scanning it, and opening it in a separate application, they read the answer directly in the browser alongside the review form. With the WYSIWYG (“Multiple Lines of Text with an Editor”) option for text fields, authors can still format their answers with the familiar word-processing tools (bold, italic, lists, etc.). Note, however, that a WYSIWYG text field does not prevent someone from including a link to a malicious site in the text, so reviewers should still check where a link points (hover over it to see the destination) before following it.
- Limit the types of files authors are allowed to upload.
- If a text field won’t cut it and you need to allow authors to upload files, use the Filetypes setting in the form builder to limit the types of files that can be uploaded. For example, if you’re asking for an abstract you could configure the field to accept only PDF documents, and if you’re collecting headshots you could limit the field to accept only JPEGs. Limiting the filetypes shrinks the set of things an attacker can send you, and it also saves follow-up work by stopping someone from uploading something useless, like an image embedded in a Word doc. It is not a substitute for scanning, though: a file that genuinely is a PDF or a JPEG can still contain malicious content (the PDF format, for instance, allows embedded scripts and attachments), so keep running downloads through antivirus before opening them.
- Inspect submissions before approving them for review.
- It’s never a bad idea to have someone check submissions before sending them to reviewers. Usually the goal is to catch a proposal with something like “TBD” in a required field, but it’s also a prime opportunity to check for malicious files and links. If you come across a submission that seems suspicious, you can postpone approving it until you’ve investigated, or you can ignore it altogether so that your reviewers never see it.
- Report suspicious content.
- In the rare case a proposal includes a malicious file or link, the author is often unaware of it; a compromised machine or account can attach malicious content without the author’s knowledge. That doesn’t lessen the potential for damage, of course, but it does mean the author should probably be told what was found. If, on the other hand, the proposal itself appears to be suspicious, report it to the team at ProposalSpace for further investigation.
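The filetype restriction described above is a platform setting, and a practitioner reviewing downloaded submissions will want a second line of defence of their own: an allowlist check that looks at the file’s content, not just its name, because an executable or Word document renamed to `.pdf` passes any extension-only filter. The following is an added example written for this page (it is not ProposalSpace’s code and does not describe how the Filetypes setting works internally); the signature table, the `validate_upload` function and the sample files are all constructed for illustration.

```python
"""Allowlist check for downloaded submission files: extension AND content signature.

Added example (not ProposalSpace code). Assumes a small table of
leading-byte signatures for the types a call admin might allow.
"""
from __future__ import annotations

import os

# Leading bytes ("magic numbers") from the public format specifications.
# Only the types the admin has decided to accept belong here.
SIGNATURES: dict[str, list[bytes]] = {
    "pdf": [b"%PDF-"],
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
EXTENSION_ALIASES = {"jpeg": "jpg"}  # treat .jpeg and .jpg as the same type


def sniff_type(data: bytes) -> str | None:
    """Return the allowlisted type whose signature the content starts with, or None."""
    for name, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return name
    return None


def validate_upload(filename: str, data: bytes, allowed: set[str]) -> tuple[bool, str]:
    """Return (ok, reason).

    Accept only when the extension is in `allowed` AND the leading bytes match
    that extension. A mismatch (e.g. an MZ/PE header inside "abstract.pdf") is
    rejected, which is exactly what an extension-only check lets through.
    This is a type check, not a malware scan: a real PDF can still carry
    embedded scripts, so accepted files still go through antivirus.
    """
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "suspicious filename"
    _, dot, ext = base.rpartition(".")
    if not dot:
        return False, "no extension"
    ext = EXTENSION_ALIASES.get(ext.lower(), ext.lower())
    if ext not in allowed:
        return False, f"extension .{ext} not allowed"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "unrecognised content"
    if sniffed != ext:
        return False, f"content looks like {sniffed}, not {ext}"
    return True, "ok"


# Constructed sample "files": just enough bytes to exercise the checks.
SAMPLES: dict[str, bytes] = {
    "abstract.pdf": b"%PDF-1.7\n% constructed sample, not a real document\n",
    "headshot.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "renamed.pdf": b"MZ\x90\x00" + b"\x00" * 28,    # Windows executable header, renamed
    "headshot.docx": b"PK\x03\x04" + b"\x00" * 16,  # Word document uploaded to a photo field
}


def check_samples(allowed: set[str]) -> dict[str, tuple[bool, str]]:
    """Run every constructed sample through the validator against one allowlist."""
    return {name: validate_upload(name, data, allowed) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples({"pdf", "jpg"}).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:15} {reason}")
```

Run it as a script to see the renamed executable and the Word document rejected while the genuine PDF and JPEG pass. Checking only the first few bytes is deliberately cheap; it catches renaming, not a crafted file of the right type, which is why the scan-before-opening advice above still applies.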