Regardless of the size or type of organisation you work for, it's important to understand why you

Stay Safe Online might be vulnerable to cyber attack, and how to defend yourself. The advice summarised below is
applicable to your working life and your home life. You should also familiarise yourself with any
Top tips for staff cyber security policies and practices that your organisation has already put in place.

Who is behind Defend against Use strong

cyber attacks? phishing attacks passwords
Phishing emails appear genuine, Attackers will try the most
Online but are actually fake. They might common passwords (e.g.
criminals try and trick you into revealing password1), or use publicly
Are really good at identifying what can sensitive information, or contain links to a malicious available information to try and access
be monetised, for example stealing and website or an infected attachment. your accounts. If successful, they can use this
selling sensitive data, or holding same password to access your other accounts.
systems and information to ransom. Phishers use publicly available information about
you to make their emails appear convincing. Review Create a strong and memorable password for
your privacy settings, and think about what you post.
Foreign important accounts, such as by using three
governments Know the techniques that phishers use in emails. random words. Avoid using predictable
passwords, such as dates, family and pet names.
Generally interested in accessing really This can include urgency or authority cues that
sensitive or valuable information that pressure you to act. Use a separate password for your work account. If
may give them a strategic or political an online account gets compromised, you don’t
advantage. Phishers often seek to exploit ‘normal’ business
communications and processes. Make sure you want the attacker to also know your work password.
Hackers know your organisation’s policies and processes to If you write your passwords down, store them
Individuals with varying degrees of make it easier to spot unusual activity. securely away from your device. Never reveal your
expertise, often acting in an untargeted Anybody might click on a phishing email at some password to anyone; your IT team or other provider
way – perhaps to test their own skills point. If you do, tell someone immediately to reduce will be able to reset it if necessary.
or cause disruption for the sake of it.
the potential harm caused. Use two factor authentication (2FA) for important
websites like banking and email, if you're given the
Political option. 2FA provides a way of 'double checking'
!!!
activists Secure your that you really are the person you are claiming to
Out to prove a point for political or
ideological reasons, perhaps to expose or devices be when you're using online services.

discredit your organisation’s activities. The smartphones,

tablets, laptops or desktop
If in doubt,
Terrorists computers that you use can
be exploited both remotely
call it out
Interested in spreading propaganda Reporting incidents
and disruption activities, they generally and physically, but you can promptly - usually to your
have less technical capabilities. protect them from many common attacks. IT team or line manager - can massively reduce the
Don't ignore software updates - they contain potential harm caused by cyber incidents.
Malicious patches that keep your device secure. Your
organisation may manage updates, but if you're
Cyber attacks can be difficult to spot, so don't
insiders prompted to install any, make sure you do.
hesitate to ask for further guidance or support
Use their access to an organisation’s data when something feels suspicious or unusual.
or networks to conduct malicious activity, Always lock your device when you're not using it.
such as stealing sensitive information to Report attacks as soon as possible - don't assume
Use a PIN, password, or fingerprint/face id. This that someone else will do it. Even if you've done
share with competitors. will make it harder for an attacker to exploit a something (such as clicked on a bad link), always
Honest device if it is left unlocked, lost or stolen. report what's happened.
mistakes Avoid downloading dodgy apps. Only use official
Don't be afraid to challenge policies or processes
Sometimes staff, with the best of intentions just app stores (like Google Play or the Apple App
that make your job difficult. Security that gets in the
make a mistake, for example by emailing Store), which provide some protection from
way of people doing their jobs, doesn't work.
something sensitive to the wrong email address. viruses. Don't download apps from unknown
vendors and sources.
© Crown Copyright 2018 www.ncsc.gov.uk @ncsc National Cyber Security Centre