Staff are usually the first line of defence against cybercrime. With the right training and guidance, employees can help prevent cyber attacks against your organisation.
It is important that your staff know what to do if they receive a suspicious email:
- Exercise caution when dealing with any unsolicited email. Look carefully at spelling and grammar: poor spelling and bad grammar are an indication that the email is unlikely to be from a genuine company, although a well-written email is no guarantee that it is genuine.
- Check the sender’s real email address and domain by hovering your mouse over the sender’s name. The displayed name can say anything, and look-alike domains (a swapped letter, an extra word, or the genuine name followed by a different domain) are common.
- Do not click on any links in a suspicious email. Hovering over a link shows where it really leads, which can differ from the text shown.
- Do not reply to the email or contact the senders in any way.
- Do not open any attachments or download content or images if you are prompted to do so.
- Permanently delete the email, but only after it has been reported to your IT team so that the message can be analysed and blocked for other staff.
- Apply the usual processes when making changes or payments. Contact the organisation or person requesting the change using established contact details and verify the authenticity of the change. Do not make contact by replying to the email and do not respond using any of the contact details, such as phone numbers, shown in the email.
- Immediately contact your IT team, and your bank if payment has been made.
- Apply the Cyber Security Incident Response Plan.
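The two checks in this list that staff do by hand, hovering over the sender and hovering over each link, are shown below as an added Python example; it is not part of the original guidance and uses only the standard library. The message it inspects is constructed for the example, and every domain in it (example-bank.com, attacker.example) is invented.

```python
"""Automate the 'hover over the sender' and 'hover over the link' checks
from the staff guidance, for a saved message (.eml) as a string.
Added example; uses only the Python standard library."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: a fake address in the display name, a Reply-To on
# another domain, and a link whose text and destination disagree.
SAMPLE_EML = """\
From: "Accounts Payable <ap@example-bank.com>" <ap@example-bank.co.attacker.example>
Reply-To: payments@attacker.example
To: staff@example.org
Subject: Urgent: updated bank details
Content-Type: text/html; charset=utf-8

<p>Please update our bank details. Confirm here:
<a href="http://login.example-bank.com.attacker.example/verify">https://www.example-bank.com/secure</a></p>
"""

# Constructed sample with nothing suspicious, for comparison.
CLEAN_EML = """\
From: "Accounts Payable" <ap@example-bank.com>
To: staff@example.org
Subject: Invoice 1042
Content-Type: text/html; charset=utf-8

<p>See <a href="https://www.example-bank.com/invoices">https://www.example-bank.com/invoices</a></p>
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def same_site(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it. The genuine name
    followed by a different domain (example-bank.com.attacker.example) is not."""
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> list:
    """Return a list of warnings; an empty list means the checks found nothing."""
    msg = email.message_from_string(raw)
    warnings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # Check 1: the display name contains an address on a different domain.
    for shown_addr in EMAIL_RE.findall(display_name):
        if domain_of(shown_addr) != sender_domain:
            warnings.append(f"display name shows {shown_addr} but real sender is {sender}")

    # Check 2: replies would go to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        warnings.append(f"Reply-To {reply_to} is on a different domain from {sender}")

    # Check 3: link text names one site but the href points to another.
    body = msg.get_payload(decode=True)  # bytes for a single-part message
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None  # 'click here' tells us nothing
        if shown and not (same_site(target, shown) or same_site(shown, target)):
            warnings.append(f"link text shows {shown} but points to {target}")
        if any(label.startswith("xn--") for label in target.split(".")):
            warnings.append(f"link host {target} uses punycode (possible look-alike)")
    return warnings


if __name__ == "__main__":
    for line in check_message(SAMPLE_EML):
        print("WARNING:", line)
    print("clean message:", check_message(CLEAN_EML))
```

`same_site` deliberately requires the genuine domain to be at the end of the host, which is exactly what the look-alike in the sample gets wrong; a production version would also consult a public suffix list so that `example-bank.co.uk` style domains compare correctly.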
Staff will also need strong passwords that are different for each account. Use the following as a guide:
- Avoid using predictable passwords: Try to make sure that even somebody who knows you well couldn't guess your password in 20 attempts. A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27! or use a long and unique passphrase like We-Love-the-Summer-2022!
- Only store passwords in a secure location, such as a reputable password manager – never on a piece of paper near the device.
- Use two-factor authentication (also known as 2FA) for any of your accounts where that option is available. It adds a lot of security for little extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. An authenticator app or hardware security key is stronger than a code sent by text message, but any second factor is better than none.
- Change a password immediately if you suspect it has been compromised. Forcing routine changes tends to produce weak, predictable variations of the old password, so regular changes are no substitute for a strong, unique password and 2FA.
- Do not share any of your passwords with anyone else – if anyone else knows your password, it is no longer secure.
- Switch on password protection: Set a screen lock password, PIN, or other authentication method (such as fingerprint or face unlock).
- Only use answers to security questions that cannot be found online or on your social media accounts; a made-up answer stored in your password manager is safest.
- Only log into accounts from computers or devices that you trust.
- Consider extra security for highly privileged accounts used by the organisation, IT and third parties.
Scams and phishing attempts do not always arrive by email: they can be a text message (smishing), a phone call (vishing) or a social media contact.
You can report all suspicious forms of contact to Action Fraud.
If you have inadvertently clicked on a link or provided your details, tell the IT Security team at the earliest opportunity and change the affected passwords immediately, including anywhere else the same password is used. If you have made a payment and are concerned, contact your bank without delay, as they can sometimes stop the payment.
For more information or help for your organisation, please contact: