Digital usage and behaviour

Changing digital behaviour at work is key to reducing the risk of cybercrime. Individuals must learn to pause long enough to question whether the action they are about to take may be unsafe.

Phone calls

Never accept at face value a caller who asks for financial or confidential information. If you receive a call claiming to be from your bank, politely end the call and then contact the bank yourself on a different telephone line. Always use an official bank number. Do not use a number that the caller has given you. Remember that the major UK banks have made declarations that they will never: ask you for your PIN or your online password; ask you to withdraw money to hand over to them; ask you to transfer money to a new account for fraud reasons; send someone to your place of work or home to collect your chequebook, cash or payment card.

Web browsing

When browsing the internet, staff should always be wary of bogus websites and leave the site if in doubt. For example, if you become suspicious of a site because the wording on the site is incorrect or the site address seems strange, you should leave. Use software on your IT system that gives warnings about known malicious internet sites.

Social Media

Think before you send a tweet or issue a post on social media that could compromise you, your firm or a client. When clicking on adverts, videos and links, consider if the source is safe and whether you should be doing this on a business device.

Receiving Emails

When receiving emails, think before you click on links or open attachments from addresses that you do not recognise.
Look at the sender’s email address and ask yourself:

Do I know this person and is this their usual email address? Fraudsters do attempt to send emails using legitimate email addresses. They may have obtained these email addresses from contact lists using malware installed on the computers of family, friends or colleagues.

Does this email subject look unusual? Out-of-the-ordinary or poorly written subject lines may hint at a fraudulent or spam email.

Is there an attached document and do I recognise the attached format (Excel, Word, PDF etc)? Be wary of zip files if you are not expecting to receive them. Does the email mention the attachment and am I expecting an attachment? Attachments can transmit malware, so open them with caution. If you receive an email with attachments that you are not expecting, try, as far as is practicable, to contact the sender and check if they have sent an attachment. Attachments from emails can be saved to folders without opening them. These folders can then be scanned with anti-virus software before they are opened.

Does the email ask me to visit a website, send personal information or reply immediately? Be particularly wary of emails that request personal information, particularly banking details – banks will never ask you to disclose your password in an email. Some emails may state that you need to reactivate your account due to maintenance, or your computer contains malware and needs to be cleaned. Do not respond to these requests. Never provide your username or password in response to an unsolicited email.

Am I being asked to click on a link? Be wary of links in emails – they can easily be disguised and may take you to malicious websites. If in doubt, do not click on the link but hover your cursor over any addresses or links in an email and check if text appears – this is often an indication that something is amiss. Always go directly to a website rather than follow a link within an email.

Personal mobiles and laptops

Only use a personal device for work purposes if it has been approved by the business. Personal devices used for work should have a strong password to unlock and, as a minimum, use active anti-virus software and the latest operating system. Personal mobile devices should be connected only to guest Wi-Fi and not to the firm’s secure network unless specific approval has been received.

Software updates

Do not ignore or delay the regular software updates that your computers and mobile phones receive as they always contain important security updates. These updates include the operating system that runs your device and the applications you use to do your work.

Virus/malware protection

Do not ignore alerts from your anti-virus software; they are designed to warn you when something is a risk. Read pop-ups carefully and take the appropriate action.

Password and access management

Reducing access to important information stored on a firm's system is a key cyber defence. If a cybercrimal gets access to the network. documents and information may still be safe if access to the storage folders is limited to named individuals and sensitive files are protected with strong passwords and encrypted.

Password policy

Traditional advice is that an obscure password with a mix of capitals, special characters and numbers is best, and that you should change it frequently. But there is a preference for simpler and more memorable password phrases that are much longer. If you are using a password management system, ensure that it is robustly protected with a secure and strong password.There is a tendency to share passwords inthe office due to confidence in colleagues and convenience. Passwords should never be shared or left on display.

Access management

Make sure you lock your computer when it is unattended to prevent unauthorised access. Confidential data should be saved in files and drives that have been set up to restrict access to a named audience.

Remote and home working

When working on the move, information becomes more vulnerable. Use your common sense. Be aware of your surroundings and of how information could be compromised.
Avoid transferring confidential or sensitive data over public Wi-Fi networks – the information sent over free networks offered by trains, hotels and coffee shops can be easily compromised.
Using remote devices on public transport – be vigilant and make sure the screen of your laptop, mobile phone or other device is not visible to others. Work tidily and with care. Ensure that no information is on display.
Personal IT equipment – make sure your employer approves the use of any personal IT equipment, and you comply with their security requirements, such as ensuring that software is up to date, and includes anti-virus protection and a firewall.
Wireless network – if you have a wireless network, ensure that it is secure, using the recommended settings and latest encryption software, and that only authorised users can connect to it.
Social media – use privacy settings to control what information you share over social media.
Mobile phones – when dealing with sensitive information over the phone, be aware who might overhear, purposely or not.
Beware of insecure networks – web-based email accounts are particularly risky. Avoid using personal email
addresses to send confidential information. Always check and comply with your firm’s policies.

Information transfer, handling and encryption

The transfer of data between companies and individuals can be vulnerable.


It is easy to become complacent about emails because they are so familiar, but users should not rely on their emails remaining private. If you are sending sensitive or confidential information by email, it should be encrypted.

When sending emails to external addresses ask yourself:

• Are you allowed to share this information with the addressee?
• Is it personal or confidential information?
• Can the information be sent openly, or does it need to be protected?
• What kind of protection would the email require?

Cloud platforms

When sharing documents through a cloud platform, such as Dropbox or Google Drive, do not use personal accounts. Also, make sure you have the firm’s approval to use this method. Follow the firm’s policy on how long that information can be stored on that cloud location.

Removable storage devices

When using removable storage, such as a USB drive, ensure you have the firm’s permission to do so. The drive should be used in line with the firm’s policy with consideration given to, for example, password encryption, scanning the drive with anti-virus software and the drive should be wiped after use.