Protect your devices from malware
Malware is often hidden in phishing emails, or on the websites they link to. Well-configured devices and good endpoint defences can stop malware from installing, even if a user opens the attachment or clicks the link.
There are many other defences against malware, and you will need to consider your security needs and ways of working to arrive at a good approach. Some defences are specific to particular threats (such as disabling macros), and some may not be appropriate for all devices (anti-malware software may be pre-installed on some devices and unnecessary on others).
Finally, the impact of malware on your wider system will depend on how your system has been set up. For more information, see the NCSC’s secure design principles.
How do I do this?
Prevent attackers from exploiting known vulnerabilities by only using supported software and devices. Make sure that software and devices are always kept up to date with the latest patches.
Prevent users from accidentally installing malware from a phishing email by limiting administrator accounts to those who need the privileges. People with administrator accounts should not use those accounts to check email or browse the web; malware run from an administrator session inherits its privileges.
Read the NCSC's Device Security Guidance.
Protect your users from malicious websites
Links to malicious websites are often a key part of a phishing email. If the link cannot be opened, the attack cannot continue.
How do I do this?
Most modern, up-to-date browsers will block known phishing and malware sites. Note that this is not always the case on mobile devices.
Organisations should run a proxy service, either in house or in the cloud, to block any attempt to reach websites that have been identified as hosting malware or phishing campaigns.
Organisations should use a Protective DNS service (UK public sector organisations can use the NCSC's PDNS), which prevents users from resolving domains known to be malicious. Note that Protective DNS only covers names resolved through it; a device using a different resolver, or a link that points at a raw IP address, is not protected.
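The following is an added example, not NCSC code and not a description of how the NCSC's PDNS service is implemented. It shows the two behaviours the previous paragraphs describe, a resolver that refuses to answer for blocked domains and a proxy that refuses to fetch URLs whose host is blocked, and the normalisation a filter needs so that case, a trailing dot, a subdomain or a Unicode lookalike do not slip past the blocklist. The blocklist entries, the upstream answers and the queries are all constructed for the example.

```python
"""Protective-DNS / web-proxy style domain filter (added illustration)."""
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit


def normalise(name: str) -> str:
    """Canonicalise a hostname so lookups cannot be dodged by case, a trailing
    root dot, or a Unicode lookalike: lowercase, strip the dot, IDNA-encode."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed names are left as-is; they will not match


class DomainFilter:
    def __init__(self, blocklist: Iterable[str]) -> None:
        self.blocked = {normalise(d) for d in blocklist}

    def match(self, name: str) -> Optional[str]:
        """Return the blocklist entry that covers `name`, or None.
        Every subdomain of a blocked domain is blocked, but a name that merely
        ends in the same characters (notphish-login.example) is not."""
        labels = normalise(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, name: str,
                upstream: Callable[[str], Optional[str]]) -> Optional[str]:
        """Protective DNS behaviour: blocked names get no answer (the client
        sees NXDOMAIN or a sinkhole); everything else goes to the upstream."""
        if self.match(name) is not None:
            return None
        return upstream(normalise(name))

    def allow_url(self, url: str) -> bool:
        """Web-proxy behaviour: refuse to fetch a URL whose host is blocked."""
        host = urlsplit(url).hostname
        return bool(host) and self.match(host) is None


# Constructed blocklist (made-up names standing in for a threat feed).
SAMPLE_BLOCKLIST = [
    "phish-login.example",
    "Malware-CDN.example.",  # mixed case and trailing dot are normalised away
    "аpple.example",         # first letter is Cyrillic U+0430; IDNA form xn--pple-43d
]

# Constructed upstream resolver standing in for real DNS.
_UPSTREAM = {
    "intranet.example": "192.0.2.10",
    "notphish-login.example": "192.0.2.20",
    "phish-login.example": "198.51.100.5",
    "cdn.malware-cdn.example": "198.51.100.6",
}


def demo() -> dict:
    """Run the filter over constructed queries and return the decisions."""
    f = DomainFilter(SAMPLE_BLOCKLIST)
    return {
        "intranet": f.resolve("intranet.example", _UPSTREAM.get),
        "lookalike_suffix": f.resolve("NotPhish-Login.example.", _UPSTREAM.get),
        "blocked": f.resolve("phish-login.example", _UPSTREAM.get),
        "blocked_subdomain": f.resolve("cdn.malware-cdn.example", _UPSTREAM.get),
        "homoglyph": f.match("www.аpple.example"),
        "proxy_allows": f.allow_url("https://intranet.example/"),
        "proxy_blocks": f.allow_url("http://user@PHISH-LOGIN.example:8080/login"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The suffix walk in `match` is what makes `cdn.malware-cdn.example` blocked while `notphish-login.example` is allowed; a naive `endswith` check would get the second case wrong. The IDNA step is what lets a single blocklist entry catch both the Unicode and the punycode spelling of a lookalike domain.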
Protect your accounts with effective authentication and authorisation
Passwords are a key target for attackers, particularly if they protect accounts with privileges such as access to sensitive information, handling of financial assets, or administration of IT systems. You should make the login process for all accounts more resistant to phishing, and limit the number of accounts with privileged access to the absolute minimum.
How do I do this?
Add additional security to your login process by setting up two-factor authentication (2FA), which some web services call 'two-step verification' (2SV). Having a second factor means that an attacker cannot access an account using just a stolen password. Note that a code typed into a web page (from SMS or an authenticator app) can still be relayed by a phishing site; factors bound to the genuine website, such as FIDO2 security keys, resist this.
Consider using password managers, some of which recognise the real website and will not autofill credentials on a fake one. Similarly, you could use a single sign-on method (where the device recognises and signs into the real website automatically). Adopting these techniques means that manually entering passwords becomes unusual, so a user can more easily recognise a suspicious request for one.
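The check a password manager makes before autofilling, as an added example (not NCSC code and not any real password manager's implementation): credentials are stored against the exact origin (scheme, host and port) where they were saved, and are only offered when the current page's origin matches. The saved credential and the visited URLs are constructed for the example; they show the common phishing shapes a user would miss but an origin comparison does not.

```python
"""Origin-bound credential store in the style of password-manager autofill."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Credential = Tuple[str, str]  # (username, password)


def origin_of(url: str) -> Optional[str]:
    """Return 'scheme://host:port' for a web URL, or None if it is not one.
    The host is lowercased and IDNA-encoded so a Unicode lookalike cannot
    compare equal to the Latin original."""
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased; userinfo (user@) is dropped
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        host = host.rstrip(".").encode("idna").decode("ascii")
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except (UnicodeError, ValueError):
        return None
    return f"{parts.scheme}://{host}:{port}"


class Vault:
    def __init__(self) -> None:
        self._entries: Dict[str, Credential] = {}

    def save(self, url: str, username: str, password: str) -> str:
        """Store a credential under the origin of the page it was used on."""
        origin = origin_of(url)
        if origin is None:
            raise ValueError(f"not a web origin: {url!r}")
        self._entries[origin] = (username, password)
        return origin

    def autofill(self, url: str) -> Optional[Credential]:
        """Offer a credential only when the page origin matches exactly."""
        origin = origin_of(url)
        return self._entries.get(origin) if origin else None


# Constructed scenario: one saved login, then a mix of genuine and phishing URLs.
SAVED_URL = "https://login.example.com/signin"
VISITED = {
    "genuine": "https://login.example.com/",
    "genuine_explicit_port": "https://LOGIN.example.com:443/session?next=/",
    "downgraded_scheme": "http://login.example.com/",
    "hyphen_lookalike": "https://login-example.com/",
    "prefix_on_attacker_domain": "https://login.example.com.evil.example/",
    "userinfo_trick": "https://login.example.com@evil.example/",
    "cyrillic_a": "https://login.exаmple.com/",  # 'а' is U+0430
}


def autofill_decisions() -> Dict[str, bool]:
    """True where the vault would fill the saved credential, False otherwise."""
    vault = Vault()
    vault.save(SAVED_URL, "alice", "correct horse battery staple")
    return {name: vault.autofill(url) is not None for name, url in VISITED.items()}


if __name__ == "__main__":
    for name, filled in autofill_decisions().items():
        print(f"{name}: {'FILL' if filled else 'no fill'}")
```

Only the two genuine URLs get a fill. The `userinfo_trick` case is worth noticing: a human reading the address bar sees `login.example.com` first, but the browser (and `urlsplit`) treat everything before `@` as a username, so the real host is `evil.example`.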
Consider using alternative login mechanisms (like biometrics or smartcards) that require more effort to steal than passwords.
The damage an attacker can cause is proportional to the privileges attached to the credentials they have stolen. Only provide privileged access to people who need it for their roles. Regularly review these privileges and revoke any that are no longer needed.
Remove or suspend accounts that are no longer being used, such as when a member of your organisation leaves or moves to a new role.
Consider reviewing your password policies. Doing so may (for example) reduce the chance of staff reusing passwords across home and work accounts.