Our favourite IT security tips from NCSC

Bethany Reid
Wednesday 29 January 2020

Regardless of the size or type of organisation you work for, it’s important to understand why you might be vulnerable to cyber-attack, and how to defend yourself.

Five tips for staying safe online from the National Cyber Security Centre:

  1. know the cyber security policies and practices at the University;
  2. help defend against phishing attacks;
  3. secure your devices;
  4. use strong passwords;
  5. if in doubt, call it out.

Cyber security policies and practices at St Andrews

  • Phishing emails should be reported to [email protected].
  • All new staff should complete the Information Security Essentials training within three months of employment.
  • Staff should be familiar with the University’s data protection policies and notices.
  • University data containing confidential or strictly confidential information shouldn’t be synced to personal devices and should be handled with care.
  • Staff handling confidential or strictly confidential data are automatically enrolled in multi-factor authentication.

Help defend against phishing attacks

Many phishing emails appear genuine. In fact, they might go so far as to use the University logo and signature, and tie in with our academic year. For example, ‘click to activate your account before starting this semester.’ They try to lure you into revealing sensitive information, visiting a malicious website or downloading an infected attachment.

We’re hosting an event in February which looks at the recent HMRC scam email sent to thousands of UK students. Register to attend using the event page.

For very targeted attacks, cyber criminals may find information about you online: where you work, what building you’re based in, modules you teach. They’ll use this to construct convincing messages in the hope that you’ll fall for them. To combat this, check your privacy settings and what’s held online about you. For example, our staff directory is internal and password-protected. This means no one outside the University will know your extension number or which team you’re in. However, if you post this information voluntarily on your social media, you may be putting yourself at risk.

Learn the tricks that phishers use. We’ve highlighted this in an earlier blog post: five ways to spot a phishing email. As a rule of thumb, if an unexpected email is requesting you to do something out-of-the-ordinary, you should be suspicious.

Phishers also try to exploit business processes and communications. If you familiarise yourself with the corporate identity and brand standards of the University, you should be able to quickly spot when something looks out of place. Similarly, look at genuine payslip and IT Service Desk ticket notifications in your inbox. These are commonly spoofed by criminals, so it pays to know the difference between a real notification and a scam.

If you do engage with a phishing email by mistake, let the IT Service Desk know as quickly as possible. This means we can reduce the potential harm caused.


Secure your devices

If your device is managed by IT Services, we take care of your security and software updates.

If you own your device, don’t ignore software updates and avoid downloading apps from unofficial app stores. Stick to Google Play or the Apple App Store, for example.

Always lock your device when you’re not using it. This goes for laptops, PCs and mobile phones. Use a PIN, password or biometric method (like face recognition or fingerprint) to make it harder for criminals to exploit your device.


Use strong passwords

What are the most commonly used passwords of 2019?

  • 123456 (23.2m)
  • 123456789 (7.7m)
  • qwerty (3.8m)
  • password (3.6m)
  • 111111 (3.1m)

Other popular themes include names of family members, football teams, musicians and superheroes.

They’re all easy to think up and easy to remember. However, they’re equally easy to guess, so they’re basically useless.
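As an added example (not from the post or the NCSC), here is how a service could screen new passwords against a denylist built from the list above, which is the control the NCSC recommends in place of complexity rules. The denylist is constructed here from the five passwords in the post; the variant folding (trailing digits and symbols, leetspeak substitutions) and the `check_password` and `candidate_forms` names are assumptions of this example, not the University’s or the NCSC’s code.

```python
"""Screen a candidate password against a denylist of common passwords.

Denylist constructed from the five 2019 passwords in the post; a real
deployment would load a far larger list. Variant folding is an assumption
of this example so that 'P@ssw0rd1!' is still caught as 'password'.
"""
import re

# Constructed from the post's list (breach counts omitted).
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111"}

# Assumed substitutions people use to dodge a naive exact-match check.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidate_forms(pw: str) -> set:
    """Return the raw lower-cased password plus its trivially folded variants."""
    forms = {pw.lower()}
    # Drop a trailing run of digits/symbols ("password1!" -> "password").
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    if stripped:
        forms.add(stripped)
    # Undo leetspeak on every form collected so far ("p@ssw0rd" -> "password").
    forms |= {f.translate(_LEET) for f in list(forms)}
    return forms


def check_password(pw: str, denylist=COMMON_PASSWORDS, min_length: int = 8):
    """Return (ok, reason). Denylist is checked before length so the reason
    given to the user names the more useful problem."""
    hit = candidate_forms(pw) & denylist
    if hit:
        return False, f"matches common password '{sorted(hit)[0]}'"
    if len(pw) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd1!", "ab", "coffee-bridge-lantern"]:
        print(candidate, check_password(candidate))
```

The check is meant to run at registration or password-change time on the server; the folding step is deliberately narrow so it catches the obvious dodges without rejecting every password that happens to contain a digit.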

Remember to switch up your passwords for different uses. Don’t use your work password for your online banking.

Use two-factor authentication when offered. This allows the website to ‘double check’ who you are, adding an extra layer of security to your accounts.


If in doubt, call it out

  • If something looks suspicious, contact the IT Service Desk and ask for assistance.
  • Report attacks as soon as possible, even if you’ve clicked something by mistake.

Inspired by the following National Cyber Security Centre resources:
