Cyber Security Small Business Guide (NCSC)


Cyber Security Small Business Guide
Small Business Guide Collection

How to improve your cyber security; affordable, practical advice for businesses

Contents
3 Foreword
4 Backing up your data
6 Protecting your organisation from malware
8 Keeping your smartphones (and tablets) safe
10 Using passwords to protect your data
12 Avoiding phishing attacks
15 Infographic summary

2 National Cyber Security Centre


Foreword

This guide has been produced to help small businesses protect themselves from the most common cyber attacks. If you’re a small or medium-sized enterprise (SME) then there’s around a 1 in 2 chance that you’ll experience a cyber security breach. For micro / small businesses, that could result in costs of around £900.

Following the advice in this guide will significantly increase your protection from the most common types of cybercrime. The 5 topics covered are easy to understand and cost little to implement. This guide can’t guarantee protection from all types of cyber attack, but it does show how easy it can be to protect your organisation’s data, assets, and reputation. You can find more help in the ‘find out more’ section at the bottom of each topic. If you need to improve your cyber security further, then you can also seek certification under the Cyber Essentials1 scheme, which has the benefit of demonstrating to your clients (or prospective clients) that you take the protection of their data seriously. And if you’re a larger business, or face a greater risk from cybercrime, then the 10 Steps to Cyber Security2 can further help your approach to cyber security.

The National Cyber Security Centre want to make it easy for people to understand how to protect their information and IT against cyber attack3, in the same way that everyone understands how to protect their property from other types of crime. The NCSC is not just here to look after the IT systems of government and the UK’s critical national infrastructure. Whether you run a small business, a charity, oversee the IT systems in a school, or simply want to make sure your devices at home are more secure, our mission is to make the UK the safest place for everyone to live and do business online.

Sarah Lyons
NCSC Deputy Director
Economy & Society Engagement

1 https://www.cyberessentials.ncsc.gov.uk/
2 https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
3 https://www.ncsc.gov.uk/blog-post/what-can-ncsc-do-you


Backing up your data

Think about how much you rely on your business-critical data: customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them. All businesses, regardless of size, should take regular backups of their important data, and make sure that these backups are recent and can be restored. By doing this, you’re ensuring your business can still function following the impact of flood, fire, physical damage or theft. Furthermore, if you have backups of your data that you can quickly recover, you can’t be blackmailed by ransomware attacks4.

This section outlines 5 things to consider when backing up your data.

Tip 1
Identify what data you need to back up

Your first step is to identify your essential data. That is, the information that your business couldn’t function without. Normally this will comprise documents, photos, emails, contacts, and calendars, most of which are kept in just a few common folders on your computer, phone, tablet or network.

Tip 2
Keep your backup separate from your computer

Whether it’s on a USB stick, on a separate drive or a separate computer, access to data backups should be restricted so that they:

• are not accessible by staff
• are not permanently connected (either physically or over a local network) to the device holding the original copy

Ransomware (and other malware) can often move to attached storage automatically, which means any such backup could also be infected, leaving you with no backup to recover from. For more resilience, you should consider storing your backups in a different location, so fire or theft won’t result in you losing both copies. Cloud storage solutions (see below) are a cost-effective and efficient way of achieving this.

Tip 3
Consider the cloud

You’ve probably already used cloud storage during your everyday work and personal life without even knowing - unless you’re running your own email server, your emails are already stored ‘in the cloud’.

Using cloud storage (where a service provider stores your data on their infrastructure) means your data is physically separate from your location. You’ll also benefit from a high level of availability. Service providers can supply your organisation with data storage and web services without you needing to invest in expensive hardware up front. Most providers offer a limited amount of storage space for free, and larger storage capacity for minimal costs to small businesses.

4 https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks


Tip 4
Read our cloud security guidance

Not all service providers are the same, but the market is reasonably mature and most providers have good security practices built-in. By handing over significant parts of your IT services to a service provider, you’ll benefit from specialist expertise that smaller organisations would perhaps struggle to justify in terms of cost. However, before contacting service providers, we encourage you to read the NCSC’s Cloud Security Guidance5. This guidance will help you decide what to look for when evaluating their services, and what they can offer.

Tip 5
Make backing up part of your everyday business

We know that backing up is not a very interesting thing to do (and there will always be more important tasks that you feel should take priority), but the majority of network or cloud storage solutions now allow you to make backups automatically. For instance, when new files of a certain type are saved to specified folders. Using automated backups not only saves time, but also ensures that you have the latest version of your files should you need them.

Many off-the-shelf backup solutions are easy to set up, and are affordable considering the business-critical protection they offer. When choosing a solution, you’ll also have to consider how much data you need to back up, and how quickly you need to be able to access the data following any incident.

Find out more

For further guidance on backups, please see our Securing Bulk Data guidance6, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

The Information Commissioner’s Office website also has a useful introduction to cloud computing7.

5 https://www.ncsc.gov.uk/collection/cloud-security
6 https://www.ncsc.gov.uk/collection/protecting-bulk-personal-data
7 https://ico.org.uk/for-the-public/online/cloud-computing/


Protecting your organisation from malware

Malicious software (also known as ‘malware’) is software or web content that can harm your organisation, such as the recent WannaCry outbreak8. The most well-known form of malware is viruses, which are self-copying programs that infect legitimate software.

This section contains 5 free tips that can help prevent malware damaging your organisation.

Tip 1
Install (and turn on) antivirus software

Antivirus software - which is often included for free within popular operating systems - should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and if configured in accordance with the NCSC’s EUD guidance9, separate antivirus software10 might not be necessary.

Tip 2
Prevent staff from downloading dodgy apps

You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware that might cause harm. You should prevent staff from downloading third party apps from unknown vendors/sources, as these will not have been checked. Staff accounts should only have enough access required to perform their role, with extra permissions (i.e. for administrators) only given to those who need it. When administrative accounts are created, they should only be used for that specific task, with standard user accounts used for general work.

Tip 3
Keep all your IT equipment up to date (patching)

For all your IT equipment (so tablets, smartphones, laptops and PCs), make sure that the software and firmware are always kept up to date with the latest versions from software developers, hardware suppliers and vendors. Applying these updates (a process known as patching) is one of the most important things you can do to improve security - the IT version of eating your fruit and veg. Operating systems, programmes, phones and apps should all be set to ‘automatically update’ wherever this is an option. At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative. For more information on applying updates, refer to the NCSC’s guidance on Vulnerability Management11.

8 https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
9 https://www.ncsc.gov.uk/guidance/end-user-device-security
10 https://www.ncsc.gov.uk/blog-post/av-or-not-av
11 https://www.ncsc.gov.uk/guidance/vulnerability-management


Tip 4
Control how USB drives (and memory cards) can be used

We all know how tempting it is to use USB drives or memory cards to transfer files between organisations and people. However, it only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organisation.

When drives and cards are openly shared, it becomes hard to track what they contain, where they’ve been, and who has used them. You can reduce the likelihood of infection by:

• blocking access to physical ports for most users
• using antivirus tools
• only allowing approved drives and cards to be used within your organisation - and nowhere else

Make these directives part of your company policy, to prevent your organisation being exposed to unnecessary risks. You can also ask staff to transfer files using alternate means (such as by email or cloud storage), rather than via USB.

Tip 5
Switch on your firewall

Firewalls create a ‘buffer zone’ between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on. For more detailed information on using firewalls, refer to the Network Security section of the NCSC’s 10 Steps to Cyber Security12.

Find out more

More detailed, technical advice on preventing malware is available from the NCSC’s 10 Steps to Cyber Security13.

For detailed information on removable media, refer to the removable media section of the NCSC’s 10 Steps to Cyber Security14.

How to protect your PC from viruses (Microsoft guide)15.

12 https://www.ncsc.gov.uk/guidance/10-steps-network-security
13 https://www.ncsc.gov.uk/guidance/10-steps-malware-prevention
14 https://www.ncsc.gov.uk/guidance/10-steps-removable-media-controls
15 https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses


Keeping your smartphones (and tablets) safe

Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment.

With this in mind, here are 5 actionable tips that can help keep your mobile devices (and the information stored on them) secure.

Tip 1
Switch on password protection

A suitably complex PIN or password16 (as opposed to a simple one that can be easily guessed or gleaned from your social media profiles) will prevent the average criminal from accessing your phone. Many devices now include fingerprint recognition to lock your device, without the need for a password. However, these features are not always enabled ‘out of the box’, so you should always check they have been switched on.

Tip 2
Make sure lost or stolen devices can be tracked, locked or wiped

Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to:

• track the location of a device
• remotely lock access to the device (to prevent anyone else using it)
• remotely erase the data stored on the device
• retrieve a backup of data stored on the device

Setting up these tools on all your organisation’s devices may seem daunting at first, but by using mobile device management software17, you can set up your devices to a standard configuration with a single click.

Tip 3
Keep your device up to date

No matter what phones or tablets your organisation is using, it is important that they are kept up to date at all times. All manufacturers (for example Windows, Android, iOS) release regular updates that contain critical security updates to keep the device protected. This process is quick, easy, and free; devices should be set to automatically update, where possible. Make sure your staff know how important these updates are, and explain how to do it, if necessary. At some point, these updates will no longer be available (as the device reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.

16 https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
17 https://www.ncsc.gov.uk/blog-post/ncsc-it-mdm-products-which-one-best-1


Tip 4
Keep your apps up to date

Just like the operating systems on your organisation’s devices, all the applications that you have installed should also be updated regularly with patches from the software developers. These updates will not only add new features, but they will also patch any security holes that have been discovered. Make sure staff know when updates are ready, how to install them, and that it’s important to do so straight away.

Tip 5
Don’t connect to unknown Wi-Fi Hotspots

When you use public Wi-Fi hotspots (for example in hotels or coffee shops), there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does. If you connect to these hotspots, somebody else could access:

• what you’re working on whilst connected
• your private login details that many apps and web services maintain whilst you’re logged on

The simplest precaution is to not connect to the Internet using unknown hotspots, and instead use your 3G or 4G mobile network, which will have built-in security. This means you can also use ‘tethering’ (where your other devices such as laptops share your 3G/4G connection), or a wireless ‘dongle’ provided by your mobile network. You can also use Virtual Private Networks (VPNs), a technique that encrypts your data before it is sent across the Internet. If you’re using third party VPNs, you’ll need the technical ability to configure them yourself, and should only use VPNs provided by reputable service providers.

Find out more

If you’re about to invest in a new device, we recommend you read the Buyer’s Guide to Choosing and Using Mobile Devices18 produced by the Home Office.

For more technical information about how to ensure your staff can work safely whilst on the move or at home, please refer to the 10 Steps: Home and Mobile Working Guidance19.

18 https://tinyurl.com/y9hgclg4
19 https://www.ncsc.gov.uk/guidance/10-steps-home-and-mobile-working


Using passwords to protect your data

Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users.

Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised users accessing your devices.

This section outlines 5 things to keep in mind when using passwords.

Tip 1
Make sure you switch on password protection

Set a screenlock password, PIN, or other authentication method (such as fingerprint or face unlock). The NCSC blog20 has some good advice on passwords. If you’re mostly using fingerprint or face unlock, you’ll be entering a password less often, so consider setting up a long password that’s difficult to guess.

Having said this, password protection is not just for smartphones and tablets. Make sure that your office equipment (so laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM)21 with a PIN, or FileVault (on macOS)22 in order to start up. Most modern devices have encryption built in, but encryption may still need to be turned on and configured, so check you have set it up.

Tip 2
Use two factor authentication for ‘important’ accounts

If you’re given the option to use two-factor authentication (also known as 2FA) for any of your accounts, you should do; it adds a large amount of security for not much extra effort. 2FA requires two different methods to ‘prove’ your identity before you can use a service, generally a password plus one other method. This could be a code that’s sent to your smartphone (or a code that’s generated from a bank’s card reader) that you must enter in addition to your password.

Tip 3
Avoid using predictable passwords

If you are in charge of IT policies within your organisation, make sure staff are given actionable information23 on setting passwords that is easy for them to understand.

Passwords should be easy to remember, but hard for somebody else to guess. A good rule is ‘make sure that somebody who knows you well, couldn’t guess your password in 20 attempts’. Staff should also avoid using the most common passwords24, which criminals can easily guess. The NCSC have some useful advice on how to choose a non-predictable password25.

Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure that every user has personal access to the right systems, and that the level of access given is always the lowest needed to do their job whilst minimising unnecessary exposure to systems they don’t need access to.
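As an added example (not part of the NCSC guide), the following Python function turns the Tip 3 advice into a check that can be run when a password is set: it rejects the most common passwords (including leetspeak spellings such as passw0rd and the ‘Welcome123!’ pattern) and anything built from details that somebody who knows you well could guess, such as family or pet names and significant years. The common-password list and the personal details are small constructed samples, not real data.

```python
"""Password predictability check (added example, not NCSC code).

Implements the Tip 3 rule of thumb: a password should not be one of the
most common passwords, and someone who knows you well should not be able
to guess it from things like family or pet names and significant years.
The lists below are small constructed samples; a real deployment would
load a full common-passwords list and the user's own details.
"""
from __future__ import annotations

import re

# Constructed sample of the most common passwords (use a full list in practice).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "football",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Leetspeak substitutions a guesser expects: passw0rd -> password, l3tm3in -> letmein.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _variants(password: str) -> set[str]:
    """Spellings a guesser would try: lower-cased, with trailing digits and
    symbols removed ("Welcome123!" -> "welcome"), and with leetspeak undone."""
    lower = password.lower()
    trimmed = re.sub(r"[\d\W_]+$", "", lower)
    return {lower, trimmed, lower.translate(LEET), trimmed.translate(LEET)}


def predictable_reasons(password: str, personal_details: tuple[str, ...],
                        common: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the reasons a password is predictable; an empty list means it
    passed both checks. personal_details holds things someone who knows the
    user could guess (names, pet names, years) as plain strings."""
    reasons: list[str] = []
    if any(v in common for v in _variants(password)):
        reasons.append("in the common password list")
    lower = password.lower()
    for detail in personal_details:
        d = detail.lower()
        # Very short fragments (e.g. a two-letter initial) would match almost anything.
        if len(d) >= 3 and d in lower:
            reasons.append(f"contains personal detail {detail!r}")
    return reasons


# Constructed details for a hypothetical user, as a colleague might know them.
PERSONAL = ("Jane", "Smith", "Fluffy", "2019")

if __name__ == "__main__":
    for candidate in ("passw0rd", "Welcome123!", "Fluffy2019!", "cupboard-yellow-trumpet"):
        print(candidate, "->", predictable_reasons(candidate, PERSONAL) or "ok")
```

The three-random-words style password passes because it is neither in the common list nor built from anything in the personal-details tuple.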



Tip 4
Help your staff cope with ‘password overload’

If you’re in charge of how passwords are used in your organisation, there are a number of things you can do that will improve security. Most importantly, your staff will have dozens of non-work related passwords to remember as well, so only enforce password access to a service if you really need to. Where you do use passwords to access a service, do not enforce regular password changes. Passwords really only need to be changed when you suspect a compromise of the login credentials.

You should also provide secure storage so staff can write down passwords for important accounts (such as email and banking), and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily.

Consider using password managers26, which are tools that can create and store passwords for you that you access via a ‘master’ password. Since the master password is protecting all of your other passwords, make sure it’s a strong one, for example by using three random words.

Tip 5
Change all default passwords

One of the most common mistakes is not changing the manufacturers’ default passwords that smartphones, laptops, and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords.

Find out more

If you’re in charge of setting up passwords in your organisation, please refer to our password policy guidance27.

20 https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
21 https://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx
22 https://support.apple.com/en-gb/HT204837
23 https://www.ncsc.gov.uk/guidance/helping-end-users-manage-their-passwords
24 https://www.teamsid.com/worst-passwords-2015/
25 https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
26 https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
27 https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach


Avoid Phishing Attacks

In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to bad websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation’s information.

Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point.

This section contains the first steps you need to take to help you identify the most common phishing attacks, but be aware that there is a limit to what you can expect your users to do28.

Tip 1
Configure accounts to reduce the impact of successful attacks

You should configure your staff accounts in advance using the principle of ‘least privilege’. This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.

To further reduce the damage that can be done by malware or loss of login details, ensure that your staff don’t browse the web or check emails from an account with Administrator privileges. An Administrator account is a user account that allows you to make changes that will affect other users. Administrators can change security settings, install software and hardware, and access all files on the computer. So an attacker having unauthorised access to an Administrator account can be far more damaging than accessing a standard user account.

Use two factor authentication (2FA) on your important accounts such as email. This means that even if an attacker knows your passwords, they still won’t be able to access that account.

Tip 2
Think about how you operate

Consider ways that someone might target your organisation, and make sure your staff all understand normal ways of working (especially regarding interaction with other organisations), so that they’re better equipped to spot requests that are out of the ordinary. Common tricks include sending an invoice for a service that you haven’t used, so when the attachment is opened, malware is automatically installed (without your knowledge) on your computer.

Another is to trick staff into transferring money or information by sending emails that look authentic. Think about your usual practices and how you can help make these tricks less likely to succeed. For example:

• Do staff know what to do with unusual requests, and where to get help?
• Ask yourself whether someone impersonating an important individual (a customer or manager) via email should be challenged (or have their identity verified another way) before action is taken.


• Do you understand your regular business relationships? Scammers will often send phishing emails from large organisations (such as banks) in the hope that some of the email recipients will have a connection to that company. If you get an email from an organisation you don’t do business with, treat it with suspicion.
• Think about how you can encourage and support your staff to question suspicious or just unusual requests, even if they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap.
• You can test how resilient your organisation is to phishing attacks by carrying out cyber security exercises. The NCSC’s free Exercise in a Box tool29 includes scenarios that include phishing.

Tip 3
Check for the obvious signs of phishing

Expecting your staff to identify and delete all phishing emails is an impossible request and would have a massive detrimental effect on business productivity. However, many phishing emails still fit the mould of a traditional attack, so look for the following warning signs:

• Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try and create official looking emails by including logos and graphics. Is the design (and quality) what you’d expect from a large organisation?
• Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
• Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like ‘send these details within 24 hours’ or ‘you have been a victim of crime, click here immediately’.
• Look out for emails that appear to come from a high-ranking person within your organisation, requesting a payment is made to a particular bank account. Look at the sender’s name. Does it sound legitimate, or is it trying to mimic someone you know?
• If it sounds too good to be true, it probably is. It’s most unlikely that someone will want to give you money, or give you access to some secret part of the Internet.

It is also important to integrate phishing guidance into your ‘business as usual’, so look to include messages across your company communications. This can include induction/onboarding processes, security news bulletins, communication campaigns, management training courses, prompts/banners on email, and more formal security refresher training. This will help to reinforce a culture of security mindedness.
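As an added example (not from the NCSC guide), the following Python script turns the Tip 3 warning signs into a simple triage check that can be run over an incoming message: a generic greeting, urgency wording or a veiled threat, a ‘too good to be true’ lure, a display name that mimics a known colleague but arrives from a different address, and a sender domain that is a look-alike of your own. The two sample emails, the phrase lists, the known-senders table and the domain are all constructed for the demonstration; a real deployment would feed it the organisation’s own directory and a larger phrase list.

```python
"""Phishing warning-sign triage (added example, not NCSC code).

Checks one email against the Tip 3 warning signs: a generic greeting, an
urgent or threatening request, a 'too good to be true' lure, a display
name that mimics a known person but arrives from a different address, and
a sender domain that is a look-alike of our own. The phrase lists, the
known-senders table and the two sample messages are all constructed.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

URGENCY_PHRASES = ("within 24 hours", "immediately", "urgent", "act now",
                   "victim of crime", "account will be suspended")
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear friend",
                     "dear colleague", "dear user")
LURE_PHRASES = ("you have won", "prize", "lottery", "inheritance", "free money")

# Constructed: display name (lower-cased) -> the address that person really uses.
KNOWN_SENDERS = {"jane smith": "jane.smith@example-corp.com"}
OUR_DOMAIN = "example-corp.com"


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def warning_signs(raw_email: str,
                  known_senders: dict[str, str] = KNOWN_SENDERS,
                  our_domain: str = OUR_DOMAIN) -> list[str]:
    """Return the Tip 3 warning signs that fire for one RFC 822 message."""
    msg = message_from_string(raw_email)
    name, address = parseaddr(msg.get("From", ""))
    name, address = name.strip().lower(), address.strip().lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + (body if isinstance(body, str) else "")).lower()

    signs: list[str] = []
    if any(g in text for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        signs.append("urgency or veiled threat")
    if any(p in text for p in LURE_PHRASES):
        signs.append("too good to be true")
    expected = known_senders.get(name)
    if expected and address != expected.lower():
        signs.append("display name mimics a known person from a different address")
    if domain and domain != our_domain and _edit_distance(domain, our_domain) <= 2:
        signs.append("look-alike sender domain")
    # The senior-person payment request from Tip 3: an impersonated colleague asking for money.
    if "mimics" in " ".join(signs) and re.search(r"\b(bank account|payment|transfer)\b", text):
        signs.append("payment request from an impersonated colleague")
    return signs


# Constructed sample messages.
PHISH = """\
From: Jane Smith <jane.smith@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Urgent payment

Dear colleague,

Please send payment of 4,800 to a new bank account within 24 hours.
Do not call me, I am in a meeting all day.
"""

LEGIT = """\
From: Jane Smith <jane.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 invoices

Hi Tom,

Attached are the Q3 invoices we discussed on Monday. No rush on these.
"""

if __name__ == "__main__":
    print("PHISH:", warning_signs(PHISH))
    print("LEGIT:", warning_signs(LEGIT))
```

A message with several signs firing is a candidate for the ‘ask for help’ route in Tip 4 rather than for automatic deletion, since the guide expects false positives from any such heuristic.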

28 https://www.ncsc.gov.uk/guidance/phishing
https://www.ncsc.gov.uk/guidance/suspicious-email-actions
29 https://exerciseinabox.service.ncsc.gov.uk/


Tip 4
Report all attacks

Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.

Do not punish staff if they get caught out. It discourages people from reporting in future, and can make them so fearful that they spend excessive time and energy scrutinising every email they receive. Both these things cause more harm to your business in the long run.

If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website30. Action Fraud is the UK’s national fraud and cyber crime reporting centre. If you are in Scotland contact Police Scotland on 101.

Tip 5
Keep up to date with attackers

Attackers are always trying different methods of attack, even when tools like automatic email protection have prevented previous attempts. So it’s worth keeping on top of the techniques used by attackers, to try and stay one step ahead. Consider signing up for the free Action Fraud Alert service31 to receive direct, verified, accurate information about scams and fraud in your area by email, recorded voice and text message.

Monitor the advice from your local Police Service, and Regional & Organised Crime Unit (ROCU), who will put out warnings of specific cyber crime activity in your area. Join CiSP32 which provides a forum for cyber security discussion from beginner through to expert level. It’s also a platform where organisations can share intelligence gathered from their own computer networks.

A final word

Don’t leave the responsibility for cyber security with a single person. Every member of the team (including board members) needs enough knowledge to understand how cyber security impacts on their area of focus.

30 http://www.actionfraud.police.uk/report_fraud
31 https://www.actionfraud.police.uk/sign-up-for-action-fraud-alert
32 https://www.ncsc.gov.uk/cisp


Cyber Security Small Business Guide

This advice has been produced to help small businesses protect themselves from the most common cyber attacks. The 5 topics covered are easy to understand and cost little to implement. Read our quick tips below, or find out more at www.ncsc.gov.uk/smallbusiness

Backing up your data

Take regular backups of your important data, and test they can be restored. This will reduce the inconvenience of any data loss from theft, fire, other physical damage, or ransomware.

Identify what needs to be backed up. Normally this will comprise documents, photos, emails, contacts, and calendars, kept in a few common folders.

Make backing up part of your everyday business.

Ensure the device containing your backup is not permanently connected to the device holding the original copy, neither physically nor over a local network.

Consider backing up to the cloud. This means your data is stored in a separate location (away from your offices/devices), and you’ll also be able to access it quickly, from anywhere.

Keeping your smartphones (and tablets) safe

Smartphones and tablets (which are used outside the safety of the office and home) need even more protection than ‘desktop’ equipment.

Switch on PIN/password protection/fingerprint recognition for mobile devices.

Configure devices so that when lost or stolen they can be tracked, remotely wiped or remotely locked.

Keep your devices (and all installed apps) up to date, using the ‘automatically update’ option if available.

When sending sensitive data, don’t connect to public Wi-Fi hotspots - use 3G or 4G connections (including tethering and wireless dongles) or use VPNs.

Replace devices that are no longer supported by manufacturers with up-to-date alternatives.

Preventing malware damage

You can protect your organisation from the damage caused by ‘malware’ (malicious software, including viruses) by adopting some simple and low-cost techniques.

Use antivirus software on all computers and laptops.

Only install approved software on tablets and smartphones, and prevent users from downloading third party apps from unknown sources.

Patch all software and firmware by promptly applying the latest software updates provided by manufacturers and vendors. Use the ‘automatically update’ option where available.

Control access to removable media such as SD cards and USB sticks. Consider disabling ports, or limiting access to sanctioned media. Encourage staff to transfer files via email or cloud storage instead.

Switch on your firewall (included with most operating systems) to create a buffer zone between your network and the Internet.

Avoiding phishing attacks

In phishing attacks, scammers send fake emails asking for sensitive information (such as bank details), or containing links to bad websites.

Ensure staff don’t browse the web or check emails from an account with Administrator privileges. This will reduce the impact of successful phishing attacks.

Scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred. Don’t punish staff if they get caught out (it discourages people from reporting in the future).

Check for obvious signs of phishing, like poor spelling and grammar, or low quality versions of recognisable logos. Does the sender’s email address look legitimate, or is it trying to mimic someone you know?

Using passwords to protect your data

Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised people from accessing your devices and data.

Make sure all laptops, Macs and PCs use encryption products that require a password to boot. Switch on password/PIN protection or fingerprint recognition for mobile devices.

Use two factor authentication (2FA) for important websites like banking and email, if you’re given the option.

Avoid using predictable passwords (such as family and pet names). Avoid the most common passwords that criminals can guess (like passw0rd).

If you forget your password (or you think someone else knows it), tell your IT department as soon as you can.

Change the manufacturers’ default passwords that devices are issued with, before they are distributed to staff.

Provide secure storage so staff can write down passwords and keep them safe (but not with their device). Ensure staff can reset their own passwords, easily.

Consider using a password manager, but only for your less important websites and accounts where there would be no real permanent damage if the password was stolen.
For further information, or to contact us, please visit: www.ncsc.gov.uk

@NCSC
National Cyber Security Centre
@cyberhq

© Crown copyright 2020. Photographs produced with permission from third parties. NCSC information licensed for re-use under Open Government Licence (http://www.nationalarchives.gov.uk/doc/open-government-licence).

Information correct at the time of publication - October 2020

Designed and created by Agent Marketing Ltd. agentmarketing.co.uk