Use strong passwords

Use three random words to create strong, long and memorable passwords

• For example: carrot phone window

• Add punctuation and/or numbers as necessary: 20carrot.phone.window24

• Don't use any predictable words e.g. your pets, children's names, favourite football teams etc

Read the National Cyber Security Centre(NCSC's)logic behind the three random words

Don't reuse passwords

Don't use the same passwords for personal and work accounts and ideally, have unique passwords for all of your accounts, but especially for:

• Work device accounts
• Email accounts
• M365 or Google Workspace accounts
• Financial accounts
• Social Media accounts

Keep your passwords safe

• Don't reveal your passwords to anyone.  If you do need to write them down, keep them securely away from your device.
• You could use a password manager - read guidance from the NCSC here to find out more.
• When you're logging into your online accounts, most web browsers (such as Chrome, Safari and Edge) will offer to save passwords for you. It's safe for you to do this on your own device if you have a secure login.  Do not do this on shared devices, unless everyone logs in with their own account and always logs out.

Use Multi Factor Authentication

When you use Multi Factor Authentication (MFA) on something like your M365 account, you reduce your chances of the account being hacked by 99.99%

MFA is a method of verifying a user's identity using more than one piece of evidence. Typically, MFA involves a combination of:

• something the user knows (such as a password)
• something the user has (such as a smartphone or a token)
• something the user is (such as a fingerprint or a face scan) 

Popular MFA methods:

• SMS codes - good but the other methods are more secure
• Authenticator Applications on your phone - Microsoft Authenticator or Google Authenticator (both can be used) and downloaded from your app store
• Biometrics - great on your own devices but may raise privacy concerns elsewhere
• Hardware Tokens - need to be bought so not commonly used in charities

For more information about implementing solid passwords and Multifactor Authentication, visit Cyberaware at the NCSC.

Use Windows Hello

Windows Hello is an authentication feature that allows you to sign into a Windows device with your face, fingerprint, or a PIN.

It's more secure than a password as it'll only work on that device.  The information is securely encrypted on the device and isn't stored elsewhere and if e.g. someone sees you add your PIN - they woudn't be able to log on to your account from their device.

Phishing is when someone pretends to be someone else to get your personal information
or harm your device.

They might send you a fake email, message, text or call and ask you to share your details
or click on a bad link or file. Some are just trying their luck; others are more clever and
sneaky.

How to spot a phishing email

Whilst you used to just have to look for bad spelling and grammar, cyber criminals have got much more sophisticated, so watch out for these three signs:

• Urgency - the message makes you feel like you must act fast and not think about other
  things.
• Authority - the sender tries to trick you by acting like someone you trust or respect, so
  you believe the message is real and you should act on any instructions.
• Imitation - using common things you do or see at work to make you open a message.
  Look at who sent the email, if it says 'friend' or 'valued customer', they might not know
  you.

What else should you check for?

Here are some tips on how to spot a potential phishing email once you have it open on
your laptop:

• Check the email address. Is it from a trusted domain, such as your bank, your
  employer, or a reputable company? Or is it from a suspicious or unfamiliar domain, such
  as a random combination of letters and numbers, or a misspelt version of a legitimate
  domain? If the sender's address looks fishy, it probably is.

• Check the subject line and the message body. Is the email personalised with your name,
  or does it use generic salutations, such as "Dear Customer" or "Hello User"?

• Check the links and attachments. Before you click on any link or open any attachment in
  an email, hover your mouse over it and look at the URL that appears on the bottom left
  corner of your screen. Does the URL match the sender's domain, or does it redirect you to
  a different or unknown website?

• Does the URL start with "https", which indicates a secure connection, or with "http",
  which is not secure?

This is a great quiz from a team at Google that shows you what to look for in different potential phishing emails.

But if you do click on a suspicious link

If you think you have been phished, do these things as soon as possible:

• Write down what happened, what information you shared, and where it happened (for
  example, Teams or Outlook)
• Tell someone at your charity and your IT support service if you have one
• Change your passwords for all the accounts that may be affected, and use different
  passwords for each account when you reset them
• Sign out of accounts on any devices (this can often be done automatically e.g. if you are using Microsoft 365)
• Turn on Multi Factor Authentication for your accounts. This means you need more than
  just a password to sign in, such as a code or a fingerprint and will safeguard your accounts even if your password has been compromised
• Run a virus scan on your device

See also this guidance from the National Cyber Security Centre.

How to protect your computers, phones and other devices from common cyber attacks.

Always lock your devices

• Ensure that you have to log in to all your devices, using a PIN, Password, Fingerprint or Face recognition.
• Set your devices to log out if not used for a while.

Run software updates

Keeping your software up to date ensures that the latest security patches are installed, which can fix vulnerabilities and prevent hackers from exploiting them.

• Always run updates for your operating systems on your phone, laptop, tablet and desktops e.g. Windows, Android or iOS and set these to happen automatically to always be up to date.

• Use a supported version of the operating system (IOS or Android), i.e. a version that is still getting security updates. Information on the latest supported versions of IOS and Android can be found here Apple IOS and Android. Versions highlighted in red are out of support and do not meet the requirements, so must not be used.

• Don't ignore other notifications e.g. your anti virus updates!

Only install official software

• Only download computer software from vendors you trust and from their official websites
• You should need Admin permissions to install software on your devices.  Although sometimes it's frustrating when this request pops up and you need to contact your IT lead or provider, it's not good practice to have Admin permissions for the everyday user account you log into, as if you click on a link which downloads some bad software, it would be able to automatically install and spread through your network
• Only download apps from the Google or Apple Stores; don't download apps from unknown vendors and sources

Security requirements specific to smartphones

• Use a PIN or preferably Biometric (Face ID or Touch (Fingerprint) ID) for login, not shared with anyone
• As above - ensure the Operating System and all Apps are updated
• Do not download any work files with personal or sensitive data onto the device
• Do not add your work email as an account to your device mail app.  Only use the Outlook app (if using M365) or browser for email instead.