A deeper look into fraud for businesses

Antivirus software – which is often included for free within popular operating systems – should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and, if configured in accordance with the NCSC’s end user device (EUD) guidance, separate antivirus software might not be necessary.

You should only download apps for mobile phones and tablets from manufacturer-approved sites. These apps are checked to provide a certain level of protection from malware that might cause harm. You should prevent staff from downloading third party apps from unknown vendors/sources, as these will not have been checked.

Staff accounts should only have enough access required to perform their role, with extra permissions (ie for administrators) only given to those who need it. When administrative accounts are created, they should only be used for that specific task, with standard user accounts used for general work.

For all your IT equipment (so tablets, smartphones, laptops and PCs), make sure that the software and firmware is always kept up to date with the latest versions from software developers, hardware suppliers and vendors. Applying these updates (a process known as patching) is one of the most important things you can do to improve security – the IT version of eating your fruit and veg. Operating systems, programs, phones and apps should all be set to ‘automatically update’ wherever this is an option.

At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative. For more information on applying updates, refer to the NCSC’s guidance on Vulnerability Management.

We all know how tempting it is to use USB drives or memory cards to transfer files between organisations and people. However, it only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organisation. When drives and cards are openly shared, it becomes hard to track what they contain, where they’ve been and who has used them. You can reduce the likelihood of infection by:

• Blocking access to physical ports for most users
• Using antivirus tools
• Only allowing approved drives and cards to be  used within your organisation – and nowhere else.

Make these directives part of your company policy, to prevent your organisation being exposed to unnecessary risks. You can also ask staff to transfer files using alternative means (such as by email or cloud storage), rather than via USB.

Firewalls create a ‘buffer zone’ between your own network and external networks (such as the internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on. For more detailed information on using firewalls, refer to the Network Security section of the NCSC’s 10 Steps to Cyber Security.

A suitably complex PIN or password (as opposed to a simple one that can be easily guessed or gleaned from your social media profiles) will prevent the average criminal from accessing your phone. Many devices now include fingerprint recognition to lock your device, without the need for a password. However, these features are not always enabled ‘out of the box’, so you should always check they have been switched on.

Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to:

• Track the location of a device
• Remotely lock access to the device (to prevent anyone else using it)
• Remotely erase the data stored on the device
• Retrieve a backup of data stored on the device

Setting up these tools on all your organisation’s devices may seem daunting at first, but by using mobile device management software, you can set up your devices to a standard configuration with a single click.

No matter which phones or tablets your organisation is using, it is important that they are kept up to date at all times. All manufacturers (for example Windows, Android, iOS) release regular updates that contain critical security updates to keep the device protected. This process is quick, easy and free; devices should be set to automatically update, where possible. Make sure your staff know how important these updates are, and explain how to do it, if necessary.

At some point, these updates will no longer be available (as the device reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.

Just like the operating systems on your organisation’s devices, all the applications that you have installed should also be updated regularly with patches from the software developers. These updates will not only add new features, but they will also patch any security holes that have been discovered.

Make sure staff know when updates are ready, how to install them, and that it’s important to do so straight away.

When you use public Wi-Fi hotspots (for example in hotels or coffee shops), there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does. If you connect to these hotspots, somebody else could access:

• What you’re working on while connected
• Your private login details that many apps and web services maintain while you’re logged on.

The simplest precaution is to not connect to the internet using unknown hotspots, and instead use your mobile 3G or 4G mobile network, which will have built-in security. This means you can also use ‘tethering’ (where your other devices such as laptops share your 3G/4G connection), or a wireless ‘dongle’ provided by your mobile network. You can also use Virtual Private Networks (VPNs), a technique that encrypts your data before it is sent across the internet. If you’re using third party VPNs, you’ll need the technical ability to configure it yourself, and should only use VPNs provided by reputable service providers.