
Keeping your world secure

Cyber security resource hub

Protect your people, data & IT infrastructure with our actionable advice.

This resource hub has been designed for everyone: you, your team, family and friends, to take simple steps that are in line with best practice, and help you cover the basics of cyber security.

What is Cyber Security Awareness Month (CSAM)?

The month of October is known as Cyber Security Awareness Month (CSAM), recognised globally across the industry. The initiative promotes cyber security and provides useful information and resources that allow businesses (and individuals!) to put measures in place to protect themselves. Cyber security affects everyone, in all aspects of our lives, both at home and at work.

Cyber security is not just reserved for October; it's important year-round and constantly changing. CSAM acts as a yearly prompt to drive further awareness and education.

Our resource hub allows you to cover basic steps that are important in protecting yourself and others against unsophisticated threats. For sophisticated and rapidly evolving cyber threats, take your business's cyber defence beyond the basics with the help of a managed security service provider (MSSP).

What are the topics for CSAM 2023?

This year Cyber Security Awareness Month focuses on four main topics:

1. Enabling multi-factor authentication

Also known as two-step verification or 2FA, MFA helps prove and verify that you are who you say you are after you've entered your username and password into an online service. When enabled, it secures your account from unauthorised access.

2. Using strong passwords and a password manager

Create a memorable password by combining three random words and using special characters. For example, purple$koala!water34

Instead of writing passwords down on paper to remember them, store them in your browser or a password manager app or tool.

3. Updating software

Install the latest software updates on all your devices to prevent known vulnerabilities from being exploited. Software updates contain security patches and new security features that make it more difficult for attackers to successfully compromise your devices.

4. Recognising and reporting phishing

Criminals use phishing to trick you into clicking a link or visiting a website to steal bank details and/or other personal information.

Reporting a scam is free and only takes a moment; head to the NCSC website to report scam emails, texts, websites, phone calls and adverts.

Not sure where to start with your cyber security? Start with these 10 best practices

Getting started with your cyber security, whether it's at home or at work, can seem like a daunting, overwhelming task. This month we're encouraging everyone to start with the basics. We have 10 simple, actionable steps that anyone (and we really mean anyone) can follow to ensure good cyber hygiene.

Whilst cyber security is a complex field that does require specialist expertise, we want you to feel confident that you’ve done everything in your power to protect yourself at the most basic level. Beyond that, you’ll need to work with an experienced MSSP who will conduct a discovery audit and penetration testing, using this as the basis to then strengthen your business's cyber resilience and defend against sophisticated threats.

Creating a strong password consists of four key steps.

(1) Making sure your passwords are different for each online service that you use - such as for your online banking, email, social media, etc.

(2) The longer your password, the harder it is for a cyber criminal to crack. For example, any 12-character password can be guessed by a powerful computer in a few days, but a random 24-character phrase would take over 500 years! As computers get more powerful, this amount will reduce.

(3) Make it a phrase that you can remember. Combining three or more words that are not easily associated with you (e.g. not the name of your pet, your children or your favourite sports team) increases the length while keeping it memorable.

(4) Include capital letters and special characters such as numbers and symbols, but don't use numbers as substitutes for letters (e.g. don't use '3' instead of 'E'). An example could be: My1stjobsInCosta&BootswereFun£ (30 characters) or Panda!Movie4burger$Leaf35 (25 characters), however these may be harder to recall!
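As an added example that is not part of the original page, the script below builds passphrases in the three-random-words shape described in steps (1) to (4) using a cryptographically secure random source, estimates how much guessing work the scheme gives an attacker who knows exactly how it works, and checks a candidate against rules (2) to (4). The short word list and the 16-character minimum are constructed assumptions for the demonstration.

```python
import math
import re
import secrets
import string

# Constructed word list for the demonstration only; a real generator would draw
# from a list of several thousand words (the page names no particular list).
WORDS = ["purple", "koala", "water", "panda", "movie", "burger", "leaf",
         "granite", "harbour", "lantern", "orbit", "velvet", "cinder", "maple"]
SYMBOLS = "!$&#%"
MIN_LENGTH = 16  # assumed threshold: the page only says 12 chars fall in days


def generate_passphrase(n_words=3, words=WORDS, rng=secrets):
    """Random words joined by random symbols, first letter of each word
    capitalised, plus two digits: the purple$koala!water34 shape.
    rng must offer .choice(); secrets is used so guesses cannot be predicted."""
    parts = [rng.choice(words).capitalize() + rng.choice(SYMBOLS)
             for _ in range(n_words)]
    return "".join(parts) + "".join(rng.choice(string.digits) for _ in range(2))


def entropy_bits(n_words=3, words=WORDS):
    """Guessing work (in bits) for an attacker who knows the scheme: every
    word, symbol and digit is chosen uniformly and independently, so the
    strength comes from the size of the choices, not from secrecy of the shape."""
    return (n_words * (math.log2(len(words)) + math.log2(len(SYMBOLS)))
            + 2 * math.log2(10))


def meets_page_rules(pw):
    """Rule (2): long enough; rule (3): at least three words;
    rule (4): capital letters plus numbers and symbols."""
    words = re.findall(r"[A-Za-z]+", pw)
    return (len(pw) >= MIN_LENGTH and len(words) >= 3
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, f"{entropy_bits():.1f} bits", meets_page_rules(pw))
```

With only 14 words the scheme gives about 25 bits; the same code with a few-thousand-word list is where the "500 years" class of strength comes from.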

When you've created your strong passwords, and to save you having to remember lots of different ones, store them in a password manager app, save them to your web browser if it offers you the choice, or, if you really must, write them down but keep them in a safe, locked place, out of sight and well away from your computer.

Using a password manager app is beneficial not only for storing passwords, but it can also generate and create strong passwords for you too. It does the remembering so that you won't have to, and then you can have longer and stronger passwords.

Finally - passwords, even good, strong ones are not really enough these days because they can be intercepted or stolen through a variety of common scams or phishing attacks. Read about 'enabling MFA' next.

Using a username (typically an email address) and password is no longer enough when logging into online services and accounts. These details can become widely known on the internet or may have already been published on the dark web as it is now highly likely that most people have had at least one set of their credentials stolen.

For that extra layer of security, enable multi-factor authentication (MFA), also known as two step verification or 2FA.

MFA is an essential second factor in confirming your identity when you try to sign in and in preventing modern cyber-attacks. It requires users to provide multiple forms of identification to verify their identity, e.g. activating face or fingerprint ID, inputting a code from another device or account, or using an authentication app (such as those from Microsoft or Google) that generates a one-time code.

Why just secure your work accounts? Ensure MFA is enabled on ALL your personal accounts too. It should be enabled for every single online service you use, from banking and email to social media accounts.

Keep all software, devices and applications up to date by installing the latest updates. Each new update contains security patches for known vulnerabilities and new features that make it far more difficult for attackers to successfully compromise your devices.

As soon as they become available, apply updates promptly (don't ignore them!) as this helps protect your devices and accounts from cyber criminals. If you can turn on automatic updates in your device settings, do so. Updating and installing the latest software on your devices and across your systems is one of the most important, quick and easiest things that you can do when keeping yourself safe online.

Data is one of the most important aspects of IT security. Computers can be fixed, networks can be rebuilt, but data is much harder to recover if lost - especially in today’s digital workplace. A backup is a copy of this important data, that's stored in a separate and secure location, usually via cloud storage. When a backup has been made, you can restore a copy if the original data is no longer available.

It is critical that this data is kept well away from your main IT systems, and you should back up any data or files that are important. Think about the possibility of data loss, what that would mean and how much of a problem it would cause if you no longer had access.

To save you this significant stress, ensure that you back up your data regularly and set this up to happen automatically. For added peace of mind, test that your backup files and data can actually be restored.

When carrying or using IT equipment outside of the safety of the office or your home, ensure that it is kept safe, hidden away, and secured with a lock or controlled access (if you're not using it) to prevent device and/or data theft.

Laptops, tablets, mobile phones and other equipment should never be left on a vehicle seat or inside the vehicle overnight. Even when the vehicle is stationary and the driver is present, a device on the passenger seat is vulnerable.

Consider encrypting the storage of the device, using something like BitLocker or FileVault. If your laptop is lost or stolen, you would prefer to know that the data on the disk is not open for anyone to read. For larger IT estates this encryption process can be automated and managed centrally.

A Gartner report predicted that by 2025 "a lack of talent or human failure will be responsible for over half of all significant cyber incidents". Increasingly, we do, and will see, that humans are the most vulnerable point of exploitation. So what can we do to stop making ourselves the target?

The best method of prevention is through education. When users are aware of the risks and know how to be cyber safe, you can significantly reduce your risk of cyber attack and chance of a data breach.

Educate staff - at every level - through regular refresher training and you can build a resilient team who act as your first line of defence. Training could involve a phishing simulation, or enrolling staff onto a modern training package. Avoid tick box activities or an annual slideshow, these are not effective methods of training. If you'd like to learn more about receiving cyber awareness training for your team or a phishing simulation, get in touch with your Client Engagement Manager - we're happy to help.

Devices are more likely to be stolen or lost when home or remote working. To mitigate the risks, ensure devices encrypt data; most modern devices have this built in, but ensure that it's turned on and configured.

Devices that will be used for home working need to be set up with mobile device management software so that the device can be remotely locked or have data erased from it.

VPNs (virtual private networks) allow remote workers to securely access your organisation's IT systems. When using a VPN, ensure that it's patched and has the correct licences, capacity and bandwidth to support home workers.

When work devices are not in use, staff should keep them somewhere safe and secure. If a device is lost or stolen, encourage users to report it as soon as possible.

Our tips on using video conferencing services securely, both for work purposes and to stay in touch with family and friends.

  • Only download the software from trusted sources using your device's app store or from the service provider's official website.
  • Check the privacy settings, making sure you know what, if any, data will be accessed by the service. Often, you may have the option to opt out of your data being shared.
  • Make sure the video conferencing account you use is protected with a strong password and has MFA enabled.
  • Consider your surroundings when making a call. Think about: what will your camera show about your environment? Would you want to share that information with strangers? If in doubt, consider blurring or changing your background. Instructions on how to do this will depend on the video conferencing service you use.
  • Avoid setting calls to 'public' and only let people you know join the call. Consider using a lobby feature so you can vet who gains entry into the call and who doesn't. Alternatively, you could enable a password function that is only shared with people you want to be in the call.

For IT and security professionals looking to take a deeper dive into the topic, take a look at the NCSC's guidance for configuring and deploying video conferencing services within your organisation.

What is phishing?

Phishing is criminals attempting to trick people into carrying out an action the attacker needs them to do (e.g. click on a link to a dodgy website). It's conducted via text message, social media, phone calls or email. Typically, a phishing email will entice the reader in some way, to get them to do something that seems normal (e.g. open an attachment or click a link to a website). Often, they create a sense of urgency to distract the victim from doing common-sense checks. Then the reader is asked for sensitive information, such as login details (credentials) or to re-authenticate their MFA, or they might simply ask for bank details outright. The first site might be innocuous but contain further links to websites that contain viruses and malware.

What is spear phishing?

Most phishing is untargeted and comes in through mass emailing. Spear phishing is targeted at a particular individual and is much harder to spot because it will look much more plausible to the recipient. It may contain details of friends or family, recently visited locations, or appear to come from an online service that the user has a real account with.

Reduce your chances of becoming a target

All information that you share online from a website or social media account is publicly available and can be exploited by criminals. 

To avoid becoming a target, review your privacy settings. Before posting, take the time to think about whether what you're sharing is personal information (about yourself, a friend, or a family member) and consider who has access to that information after you've posted it. 

Spot the signs of phishing

  • A generic greeting
    Is the email addressed to you personally, or are you referred to as a 'valued customer', 'friend', 'colleague' or another unfamiliar greeting?
  • Grammatical errors and misspelled words
  • The sender's email domain doesn't match the organisation's domain name. For example, if the website is www.bluecube.tech but the email comes from '@technology.bluecube', that is a mismatch: the email should come from '@bluecube.tech'.
  • Contains suspicious attachments or links
  • Do the logos and graphics look official or legit or like they have been created to look real? Is the quality and design what you'd expect?
  • Threats or sense of urgency
    Is the email asking you to act urgently, or does it use suspicious language such as 'needed within 24hrs' or 'click here immediately'?
  • Requesting credentials, payment info or other personal details
    A bank, or other official organisation, will never ask you to send them personal information or payment info in an email. When in doubt, call the company directly to check.

Lastly, it's best to remember that if it sounds too good to be true, it probably is.
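As an added example that is not part of the original page, the Python script below runs the warning signs from the list above (sender domain mismatch, generic greeting, urgency language, requests for credentials or payment details, links to unexpected hosts) over two constructed sample emails. The expected domain bluecube.tech, the look-alike domain technology.bluecube and both messages are taken from or modelled on the page's own example; the phrase lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not taken from the original page. The second
# uses the look-alike domain pattern the page describes (technology.bluecube
# instead of bluecube.tech); the first is a plausible legitimate message.
LEGIT = """From: Support <help@bluecube.tech>
Subject: Your monthly statement

Hi Sam,
Your statement for October is now available in the portal.
"""

PHISH = """From: Bluecube Support <billing@technology.bluecube>
Subject: Action required

Dear valued customer,
Your account will be suspended. Click here immediately to verify your
password and payment details: http://technology.bluecube/login
"""

EXPECTED_DOMAIN = "bluecube.tech"  # the domain mail from this organisation should use
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear friend")
URGENCY_PHRASES = ("needed within 24hrs", "click here immediately", "within 24 hours")
SENSITIVE_REQUESTS = ("password", "bank details", "payment details", "re-authenticate")


def phishing_indicators(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Return the warning signs found in one plain-text email (empty list = none)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    found = []
    if sender_domain != expected_domain:
        found.append("sender domain mismatch: " + sender_domain)
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in body for p in URGENCY_PHRASES):
        found.append("urgency language")
    if any(s in body for s in SENSITIVE_REQUESTS):
        found.append("requests credentials or payment info")
    for host in re.findall(r"https?://([^/\s]+)", body):  # host part of each link
        if host != expected_domain:
            found.append("link to unexpected host: " + host)
    return found


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("phish", PHISH)):
        print(name, phishing_indicators(sample))
```

Indicators like these are prompts for a human check, not proof: a legitimate message can trip one of them, which is why the list above ends with "call the company directly".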

What to do if you've clicked on a suspicious link and/or fallen victim to a phishing scam?

Firstly, don't panic! We're all human; we want to avoid the blame, fear and stigma that's often associated with unintentionally clicking on a 'bad' link. Instead, focus on how to manage the threat.

1) Promptly report that you've clicked on a malicious link to your internal IT security team or MSSP. They can then work swiftly on understanding the resulting exposure.

2) If you've shared sensitive information, take a look at the NCSC's guidance on what to do next.

Learn more about reporting phishing scams.

Don't wait for the inevitable to happen - start preparing for the unthinkable today.

Where should you start?

A good starting point when planning your response to a cyber security incident (such as a data breach or ransomware) is putting an incident response plan in place to help minimise the impact and resume normal business operations as quickly as possible.

An incident response plan sets out three key elements:

1) The severity of the incident
2) The delegation of authority to make key decisions
3) Responsibilities for contacting key individuals in the organisation to share information about the incident, such as board members, suppliers, and regulators

For more information and to help support you in setting up an incident plan for your organisation, speak to an expert MSSP or take a look at the NCSC's board toolkit.

Get your business Cyber Essentials certified

Protect your organisation against a whole range of cyber attacks with this simple but effective government backed scheme.

We can help you achieve this, speak to your Client Engagement Manager (CEM) today.


Other resources

National Cyber Security Centre (NCSC) guidance

Other useful information

Unsure what all the different cyber security terms and phrases are? Take a look at this series of videos from IBM, explaining everything you need to know about malware, EDR, ASM, ransomware, DDoS attacks and more.

Doing nothing is no longer an option

With 39% of all UK businesses reporting a cyber-attack between March 2020 and February 2021*, the likelihood of becoming a target is only increasing.

Bluecube have a 24x7x365 security operations centre (SOC) team with all the tools, experience, talent, software and systems to strengthen your business's resilience and keep pace with the ever-increasing volume and complexity of cyber threats.

*Source: Cyber security breaches survey 2022
