Setting up two-step verification or 2SV (also known as multi-factor authentication or two-factor authentication) on an account makes it considerably more secure. It means that even if an attacker knows your password, they still have to pass a second check before they can get into your account. It works by asking you to complete a second step when you sign in, usually by entering a code sent by SMS or email, or generated by an app. Authentication apps such as Google Authenticator or Microsoft Authenticator are designed just for this purpose, and are more secure and convenient than SMS, because a code generated on your phone cannot be intercepted in transit or redirected by someone who has taken over your phone number.
For some accounts, you can choose to only use 2SV when signing in from a new device or changing your password. This means you don’t have to enter a code every time you use a service.
Where should I set up 2SV?
You should set up 2SV on all personal accounts that could be considered a high-value target for an attacker, such as your email, messaging apps like WhatsApp, and social media. If 2SV isn’t available on an account, make sure it has a strong and unique password or consider changing to a service that offers 2SV.
The NCSC has separate guidance to help you set up 2SV.
Receiving 2SV requests
If you receive a 2SV request that asks if you are trying to access your account but you are not trying to log in, do not grant permission. It's possible that an attacker knows your password and is trying to access your account. In this instance, 2SV is doing its job, but you should change your password. If you use the same password on other accounts, you should change it for them too.
Never share an access code with others, even if prompted, as this can give attackers control of your account.
Review your social media use and settings
Consider how much personal information you are sharing on social media. Attackers may use the information you post to engineer a spear-phishing attack and attempt to gain access to your account and data.
You should also consider maintaining separate professional and personal social media accounts.
You can review the privacy settings for each account to decide what is most appropriate for you. The major platforms provide instructions on how to manage your privacy settings. You can find links to these instructions in the NCSC guidance on using social media safely, alongside additional information on managing your digital footprint and spotting fake accounts.
Be aware that attackers may pose as other people on social media platforms, even if you appear to have mutual contacts. They may seek to cause you reputational damage, or send you malicious links in an attempt to gain access to sensitive information. It’s possible that over the next few years, attackers may also make increasing use of voice clones or ‘deep fakes’ to trick users into revealing sensitive information.
The UK National Protective Security Authority has guidance on spotting false profiles on social media and professional networking sites.
For any public social media accounts that you use in a professional context, consider using a social media management service. This means that colleagues or employees will be able to create posts for you without you sharing your passwords. You should avoid using the same password for the management service as any of your social media accounts connected to it. You can read the NCSC guidance on protecting what you publish for further information.
Review your use of messaging apps
Messaging apps such as WhatsApp, Messenger and Signal are now an important part of how we communicate in everyday life. It's important to use them securely and pay special attention when connecting with people professionally.
If you use a messaging app for personal use on a personal device, you should consider the following:
- use disappearing messages that automatically delete after a set period – by turning this on you will limit what a successful attacker could access if they do manage to get in
- consider the recipient – are they who they say they are, and who else is in the chat group?
- avoid accepting message requests from unknown accounts – consider calling first to verify who they are
As with all apps, you should make sure that the latest security updates are installed and set up two-step verification (2SV) for when you log in.
Protecting your devices
As with your accounts, attackers may also try to compromise your devices – computers, phones or tablets – to achieve their aims. If they manage to access them, they can steal sensitive or personal information, carry out monitoring, or even impersonate you.
There are several things you can do to secure your devices.
Install updates
Installing security updates promptly is one of the most important things you can do to protect yourself from a cyber attack.
Out-of-date software, apps and operating systems often contain security vulnerabilities, and vendors regularly release updates to fix them. So if you receive a prompt to update your device or apps, you should do it, as it will prevent attackers taking advantage of these security flaws.
Most apps offer an auto-update option, meaning that updates will automatically download when they are available (or when you next connect to wifi), and install at the earliest time suitable for you, or the next time the device restarts. You should make sure this option is enabled on your device. You can read the NCSC guidance on software and app updates to help you enable automatic updates for popular devices and services.
You should only download software and apps from official stores, like Google Play or the Apple App Store. They scan software for malware before making it available, giving you more reassurance that what you’re downloading is safe, although no scan is a guarantee, so still check the developer name and reviews before installing.
Use 'Lockdown Mode'
For additional security, you should consider enabling Lockdown Mode on your Apple devices. Lockdown Mode has been designed for individuals who might be targeted by sophisticated threat actors. Windows devices may also be available in ‘S mode’, which only allows applications from the Microsoft Store to be downloaded and installed. This reduces the risk of malicious programs running on your device. Note that switching a device out of S mode is a one-way change, so decide before you do it.
Replace old devices
As older devices are replaced by newer models, vendors stop releasing security updates, making them more vulnerable to attack. You should avoid using devices that are no longer supported and upgrade your device if support is ending soon.
You can check to see if your device is still supported with the Which? phone support checker tool.
Protect physical access
You should protect your devices with a password or PIN that must be entered when the device is powered on or restarted. This will help prevent someone who has managed to get physical access to your device from accessing the information on it.
To unlock from standby, you can also use a password, PIN or a biometric, such as a fingerprint or facial recognition. Use whichever method you find convenient.
Avoid plugging your devices into public USB charging points, and instead use a traditional power plug.
Most devices come with a feature that allows you to track the location of a device and remotely wipe it if it's lost or stolen. On an iPhone, make sure Find My is turned on, and for Android devices, enable Find My Device.
Know how to erase data from devices
Our devices often contain sensitive work, personal and financial data, which can still be recovered even if the files have been deleted. So it's important to know how to erase the data if a device is lost or stolen, or you permanently give it to someone else to use. The NCSC has guidance to help you securely erase data on your devices.
What to do if you think you've been attacked
If you receive a suspicious email, do not click on any links, or reply to the email, until you're certain the sender is genuine. The NCSC has guidance on how to spot and deal with phishing emails.
If you receive a suspicious email you should report it to your organisation’s IT support team, who will be able to offer advice, even if it has been sent to a personal account.
If you have clicked on a link, or think you’ve been hacked, don’t panic, even if you think you have made a mistake. If something goes wrong on a device or account that your organisation has provided, report it to IT support. The security team shouldn’t blame you for reporting that something has happened to you, as it helps them fix things, and try to stop it happening again, to you or anyone else.