Information security within the office
  • Never share passwords – there is a tendency to share passwords in the office due to confidence in colleagues and convenience. Passwords should never be shared or left on display.
  • Do not leave sensitive information lying around or on the walls – if your desk is a mess, you could accidentally leave sensitive information out and then not notice if it went missing.
  • Always lock your computer – make sure you lock your computer when it is unattended to prevent unauthorised access.
  • Safe disposal of confidential documents – dispose of paper copies of confidential information securely.
  • Encrypt any remote devices that are being sent in the mail – unencrypted USB or other storage devices sent in the mail can get lost or stolen.

It is easy to become complacent about emails because they are so familiar – but they are not as secure as you might think. In a US court case, Google advised that Gmail users could not rely on their emails remaining private. If you are sending sensitive or confidential information by email, it should be encrypted.

When sending emails to external addresses ask yourself:

  • Are you allowed to share this information with the addressee?
  • Can the information be sent openly or does it need to be protected?
  • Has it got a security label?
  • Is it personal or confidential information?
  • Who is it going to?
  • How is it being sent?
  • What kind of protection would the email require?

When receiving emails, think before you click on embedded links or open attachments from addresses that you do not recognise. Look at the sender’s email address and ask yourself:

  • Do I know this person and is this their usual email address? Be aware, spammers do attempt to send emails using legitimate email addresses. They may have obtained these email addresses from contact lists using malware installed on the computers of family, friends or colleagues.
  • Does this email subject look unusual? Out-of-the-ordinary or poorly written subject lines may hint at a fraudulent or spam email.
  • Is there an attached document and do I recognise the attached format (Excel, Word, PDG etc)? Be aware of zip files if you are not expecting to receive them. Does the email mention the attachment and am I expecting an attachment? Attachments can transmit malware, so open them with caution. If you receive an email with attachments that you are not expecting, try, as far as is practicable, to contact the sender and check if they have sent an attachment. Attachments from emails can be saved to folders without opening them. These folders can then be scanned with anti-virus software before they are opened.
  • Does the email ask me to visit a website, send personal information or reply immediately? Be particularly wary of emails that request personal information, particularly banking details – banks will never ask you to disclose your password in an email. Some emails may state that you need to reactivate your account due to maintenance, or your computer contains malware and needs to be cleaned. Do not respond to these requests. Never provide your username or password in response to an unsolicited email.
  • Am I being asked to click on a link? Be wary of links in emails – they can easily be disguised and may take you to malicious websites. If in doubt, do not click on the link but hover your cursor over any addresses or links in an email and check if text appears – this is often an indication that something is amiss. Always go directly to a website rather than following a link within an email.
Using the telephone

Never accept at face value a caller who asks for financial or confidential information. If you receive a call claiming to be from your bank, politely end the call and then contact the bank yourself on a different telephone line. Always use an official bank number. Do not use a number that the caller has given you. Remember that the major UK banks have made declarations that they will never: ask you for your PIN or your online password; ask you to withdraw money to hand over to them; ask you to transfer money to a new account for fraud reasons; send someone to your place of work or home to collect your chequebook, cash or payment card.

Browsing the internet
  • Bogus websites – when browsing the internet, always be wary of bogus websites and leave the site if in doubt. For example, if you become suspicious of a site because the wording on the site is incorrect or the site address seems strange, you should leave. Use software on your IT system that gives warnings about known malicious internet sites.
  • Social media – think before you send a tweet or issue a post on social media that could compromise you, your company or a client.

Change your passwords regularly and ensure that they are of a certain length. Traditional advice is that an obscure password with a mix of capitals, special characters and numbers is best. But there is an increasing preference for simpler and more memorable password phrases that are much longer. If you are using a password management system, ensure that it is robustly protected with a secure and lengthy password (eg 40-60 characters).

Working on the move

When working on the move, information becomes more vulnerable. Use your common sense. Be aware of your surroundings and of how information could be compromised. Do not be overheard or overlooked and keep your devices with you at all times.

  • Avoid transferring confidential or sensitive data over public Wi-Fi networks –the information sent over free networks offered by trains, hotels and coffee shops can be easily compromised.
  • Using remote devices on public transport – be vigilant and make sure the screen of your laptop, mobile phone or other device is not visible to others. Work tidily and with care. Ensure that no information is on display.
  • Leaving public transport – check that you have not left anything behind when you leave, eg your USB stick, documents, laptop or other remote device. Always double check.
  • Remove your pass – make sure you remove any security passes before you leave work.
Working from home
  • Personal IT equipment – make sure your employer approves the use of any personal IT equipment and you comply with their security requirements, such as ensuring that software is up to date, and includes anti-virus protection and a firewall.
  • Printing– paperwork should be stored and disposed of securely.
  • Wireless network – if you have a wireless network, ensure that it is secure, using the recommended settings and latest encryption software, and that only authorised users can connect to it.
  • Social media – use privacy settings to control what information you share over social media.
  • Document disposal – do not throw sensitive or confidential documents in the bin. Dispose of paper documents just as securely as you would in the office.
  • Mobile phones – when dealing with sensitive information over the phone, be aware who might overhear, purposely or not.
  • Keep information discreet – do not leave information lying around for others for others to see.
  • Beware of insecure networks – web-based email accounts are particularly risky. Avoid using personal email addresses to send confidential information. Always check and comply with your firm’s policies. Connect to the firm network using a virtual private network (VPN). If using a wireless network, ensure a minimum of Wi-Fi Protected Access 2 (WPA2) with a good security key.