All posts on 7 May 2023

By Svenn Dybvik - 7 May 2023 00:00

https://www.ncsc.gov.uk/


The National Cyber Security Centre

https://www.ncsc.gov.uk/collection/problem-book/hardware-security


https://www.ncsc.gov.uk/collection/cloud/using-cloud-services-securely/how-to-lift-and-shift-successfully


https://www.ncsc.gov.uk/collection/defending-democracy/guidance-for-high-risk-individuals


https://www.ncsc.gov.uk/collection/guidelines-secure-ai-system-development


https://www.ncsc.gov.uk/section/information-for/individuals-families


https://www.ncsc.gov.uk/section/information-for/self-employed-sole-traders


https://www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations


https://www.ncsc.gov.uk/section/information-for/large-organisations


https://www.ncsc.gov.uk/section/information-for/public-sector


https://www.ncsc.gov.uk/section/information-for/cyber-security-professionals

https://www.ncsc.gov.uk/collection/defending-democracy

Defending democracy

Introduction

This collection brings together expanded guidance to raise awareness of the cyber threats to democratic processes, institutions, and the people involved in them. The aim is to prevent or reduce related attacks against both organisations and individuals.

The context here is the threat of foreign cyber interference with the aim of influencing UK democratic processes. Democratic events such as elections are attractive targets for adversaries, and organisations and individuals must be prepared for threats, old and new. Defending UK democratic institutions and processes is a priority.

Who is this guidance for?

Organisations

  • political parties or organisations, think tanks
  • local authorities, central government, devolved administrations

Individuals

  • working in the organisations listed above, which puts them at higher risk of being targeted
  • working in IT or SOC roles in organisations as above

This collection contains

  1. Guidance for high-risk individuals

    There has been a rise in targeting of individuals’ personal accounts instead of corporate ones, as security is less likely to be managed by a dedicated team. This is not a mass campaign against the public but a persistent effort to target people whom attackers consider to hold information of interest. This guidance sets out how individuals can protect their accounts and devices.

Further guidance will be added to this collection in 2024.

Guidance for high-risk individuals on protecting your accounts and devices 


What is a high-risk individual?

In a cyber security context, you are considered a high-risk individual if your work or public status means you have access to, or influence over, sensitive information that could be of interest to nation state actors.

High-risk individuals include those working in political life (including elected representatives, candidates, activists and staffers), academia, journalism and the legal sector.

In recent years there have been a number of targeted cyber attacks against high-risk individuals in the UK, to attempt to gain access to their accounts and devices. This has resulted in the theft and publication of sensitive information, which can also cause reputational damage.



How and why you may be targeted

There are different ways an attacker may gain access to your accounts or devices. Spear-phishing is one method that attackers have used in the past to compromise high-risk individuals.

A joint NCSC advisory with international partners describes this technique and warns of a state actor that has targeted high-risk individuals in the UK in this way.



Using this guidance

This guidance will help you improve the security of personal accounts and devices, and keep you better protected online.

Personal accounts and devices are the responsibility of the individual and may be considered an easy target for threat actors, as they may perceive them to have fewer security measures in place.

As far as possible, you should continue to use corporately managed accounts and devices for your work, as they will be centrally managed and secured.



Protecting your accounts

Your personal accounts are a likely target for attackers. If an attacker gains access to one of your accounts, they may be able to access the information held in them. Taking the actions below will significantly reduce the chance of a successful attack.


Use strong passwords 

When an attacker compromises an account, it is often because they have either stolen or guessed the password. Weak passwords are vulnerable to attack. Research shows that weak passwords often contain names, places or a run of numbers. The more complex a password is, the more secure it becomes. The NCSC recommends using a sequence of three random words to make a password complex but easy to remember.

Having strong passwords can lessen the chance that your account is compromised. Important accounts that contain sensitive information (such as your personal and work email, social media and online banking) should have a strong password that is unique to that account.

It can be difficult to remember passwords, so it’s fine to write them down and keep them safe where other people can’t access them, separate from your devices. You can also use a password manager. Password managers are a convenient and secure way to store your passwords, either in your browser or an app, which uses one ‘master’ password or biometrics. Both Android and iOS devices have secure and trusted password manager functions built in:

Accessing password manager functions on iOS (Apple)

Accessing password manager functions on Android

You should not share your passwords for any of your accounts. Password sharing heightens the risk of account compromise and weakens your online security.

Enable two-step verification on your accounts

Setting up two-step verification or 2SV (also known as multi-factor authentication or two-factor authentication) on an account makes it considerably more secure. It means that even if an attacker knows your password, they can’t access your account. It works by asking you to complete a second step when you sign in, usually by entering a code sent by SMS, email or via an app. Authentication apps such as Google Authenticator or Microsoft Authenticator are designed just for this purpose, and are more secure and convenient than SMS.

For some accounts, you can choose to only use 2SV when signing in from a new device or changing your password. This means you don’t have to enter a code every time you use a service.

Where should I set up 2SV?

You should set up 2SV on all personal accounts that could be considered a high-value target for an attacker, such as your email, messaging apps like WhatsApp, and social media. If 2SV isn’t available on an account, make sure it has a strong and unique password or consider changing to a service that offers 2SV.

The NCSC has separate guidance to help you set up 2SV.

Receiving 2SV requests

If you receive a 2SV request that asks if you are trying to access your account but you are not trying to log in, do not grant permission. It's possible that an attacker knows your password and is trying to access your account. In this instance, 2SV is doing its job, but you should change your password. If you use the same password on other accounts, you should change it for them too.

Never share an access code with others, even if prompted, as this can give attackers control of your account.


Review your social media use and settings 

Consider how much personal information you are sharing on social media. Attackers may use the information you post to engineer a spear-phishing attack and attempt to gain access to your account and data.

You should also consider maintaining separate professional and personal social media accounts.

You can review the privacy settings for each account to decide what is most appropriate for you. The major platforms provide instructions on how to manage your privacy settings. You can find links to these instructions in the NCSC guidance on using social media safely, alongside additional information on managing your digital footprint and spotting fake accounts.

Be aware that attackers may pose as other people on social media platforms, even if you appear to have mutual contacts. They may seek to cause you reputational damage by sending you malicious links to click, in order to gain access to sensitive information. It’s possible that over the next few years, attackers may also make increasing use of voice clones or ‘deep fakes’ to trick users into revealing sensitive information.

The UK National Protective Security Authority has guidance about false profiles that helps you spot them on social media and professional networking sites.

For any public social media accounts that you use in a professional context, consider using a social media management service. This means that colleagues or employees will be able to create posts for you without you sharing your passwords. You should avoid using the same password for the management service as any of your social media accounts connected to it. You can read the NCSC guidance on protecting what you publish for further information.



Review your use of messaging apps

Messaging apps such as WhatsApp, Messenger and Signal are now an important part of how we communicate in everyday life. It's important to use them securely and pay special attention when connecting with people professionally.

If you use a messaging app for personal use on a personal device, you should consider the following:

  • use disappearing messages that automatically delete after a set period – by turning this on you will limit what a successful attacker could access if they do manage to get in
  • consider the recipient – are they who they say they are, and who else is in the chat group?
  • avoid accepting message requests from unknown accounts – consider calling first to verify who they are

As with all apps, you should make sure that the latest security updates are installed and set up two-step verification (2SV) for when you log in.





Protecting your devices

As with your accounts, attackers may also try to compromise your devices – computers, phones or tablets – to achieve their aims. If they manage to access them, they can steal sensitive or personal information, carry out monitoring, or even impersonate you.

There are several things you can do to secure your devices.

Install updates

Installing security updates promptly is one of the most important things you can do to protect yourself from a cyber attack.

Out-of-date software, apps and operating systems often contain security vulnerabilities, and vendors regularly release updates to fix them. So if you receive a prompt to update your device or apps, you should do it, as it will prevent attackers taking advantage of these security flaws.

Most apps offer an auto-update option, meaning that updates will automatically download when they are available (or when you next connect to wifi), and install at the earliest time suitable for you, or the next time the device restarts. You should make sure this option is enabled on your device. You can read the NCSC guidance on software and app updates to help you enable automatic updates for popular devices and services.

You should only download software and apps from official stores, like Google Play or the Apple App Store. They scan software for viruses before making it available, giving you more reassurance that what you’re downloading is safe.


Use 'Lockdown Mode'

For additional security, you should consider enabling Lockdown Mode for your Apple devices. Lockdown Mode has been designed for individuals who might be targeted by sophisticated threat actors. On Windows devices, you have the option to enable ‘S mode’ which only allows applications from the Microsoft Store to be downloaded and installed. This prevents malicious programs running on your device.



Replace old devices

As older devices are replaced by newer models, vendors stop releasing security updates, making them more vulnerable to attack. You should avoid using devices that are no longer supported and upgrade your device if support is ending soon.

You can check to see if your device is still supported with the Which? phone support checker tool.


Protect physical access

You should protect your devices with a password or PIN that must be entered when the device is powered on or restarted. This will help prevent someone who has managed to get physical access to your device from accessing the information on it.

To unlock from standby, you can also use a password, PIN or a biometric, such as a fingerprint or facial recognition. Use whichever method you find convenient.

Avoid plugging your devices into public USB charging points, and instead use a traditional power plug.

Most devices come with a feature that allows you to track the location of a device and remotely wipe it if it's lost or stolen. On an iPhone, make sure Find My is turned on, and for Android devices, enable Find My Device.


Know how to erase data from devices

Our devices often contain sensitive work, personal and financial data, which can still be recovered even if the files have been deleted. So it's important to know how to erase the data if a device is lost or stolen, or you permanently give it to someone else to use. The NCSC has guidance to help you securely erase data on your devices.


What to do if you think you've been attacked

If you receive a suspicious email, do not click on any links, or reply to the email, until you're certain the sender is genuine. The NCSC has guidance on how to spot and deal with phishing emails.

If you receive a suspicious email you should report it to your organisation’s IT support team, who will be able to offer advice, even if it has been sent to a personal account.

If you have clicked on a link, or think you’ve been hacked, don’t panic, even if you think you have made a mistake. If something goes wrong on a device or account that your organisation has provided, report it to IT support. The security team shouldn’t blame you for reporting that something has happened to you, as it helps them fix things, and try to stop it happening again, to you or anyone else.


Topics

https://www.ncsc.gov.uk/section/advice-guidance/all-topics?topics=Device

https://www.ncsc.gov.uk/section/advice-guidance/all-topics?topics=Personal%20data

https://www.ncsc.gov.uk/section/advice-guidance/all-topics?topics=Social%20media

https://www.ncsc.gov.uk/section/information-for/individuals-families

Individuals & families


  1. What is cyber security?
  2. Cyber Aware and staying secure online
  3. Dealing with common cyber problems
  4. Protecting your data and devices
  5. How to report cyber crime

What is cyber security?

Cyber security is the means by which individuals and organisations reduce the risk of being affected by cyber crime.

Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access online - both at home and work - from theft or damage. It's also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

Cyber security is important because smartphones, computers and the internet are now such a fundamental part of modern life, that it's difficult to imagine how we'd function without them. From online banking and shopping, to email and social media, it's more important than ever to take steps that can prevent cyber criminals getting hold of our accounts, data, and devices.

Cyber Aware and staying secure online

From banking to shopping, and streaming to social media, people are spending more time than ever online. Cyber Aware is the government's advice on how to stay secure online.

https://www.ncsc.gov.uk/cyberaware

Protecting your data and devices

  • How to protect yourself from the impact of data breaches
    https://www.ncsc.gov.uk/guidance/data-breaches
  • How to erase the personal data from your phone, tablets, and other devices
    https://www.ncsc.gov.uk/guidance/buying-selling-second-hand-devices
  • How to protect 'smart' security cameras and baby monitors from cyber attack
  • How to ensure your devices are as secure as possible
  • How to set up and use video conferencing services, such as Zoom and Skype, safely and securely
  • A summary of what 5G is, how it will affect the UK and how the NCSC is helping to secure it
  • How to enjoy online gaming securely by following just a few tips
  • How to shop safely online
  • Detect and prevent malicious software and viruses on your computer or laptop
  • Use privacy settings across social media platforms to manage your digital footprint
  • Advice in response to the increase in sextortion scams
  • Many everyday items are now connected to the internet: we explain how to use them safely

https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data


Using TLS to protect data
