Overview:

1. Authentication and Access Security
2. Software and Device Security
3. Device Usage Guidelines
4. Social Media Security
5. Communication Security
6. Device Loss or Compromise Mitigation
7. Incident Response

This document has been designed to equip organisations, executives, and professionals with practical strategies to fortify their digital defences. Today’s interconnected world requires proactive measures to safeguard sensitive information, prevent unauthorised access, and mitigate potential cyber threats.

In this document, we delve into our starting recommendations for cybersecurity, covering topics such as Multi-Factor Authentication (MFA), software and application updates, device security best practices, and safeguarding sensitive data. The guidelines extend beyond the technical realm, addressing the importance of maintaining a clear distinction between work and personal devices, secure sharing practices, and the prudent management of social media accounts.

We emphasise the significance of proactive measures, such as digital forensic spyware examinations and routine device restarts, as well as the need for stringent password practices and secure communication channels. Additionally, the guide provides clear instructions on what to do if compromise is suspected.

As cyber threats evolve, so must our strategies for defence. NSI Global stands committed to supporting business leaders in their journey towards a resilient and secure digital environment. By implementing these guidelines, organisations can strengthen their cybersecurity posture, reduce the risk of compromise, and protect the integrity of their valuable assets.

Implement Multi-Factor Authentication (MFA)

Implementing Multi-Factor Authentication (MFA) is crucial to thwarting unauthorised access to your devices and accounts. MFA necessitates the verification of your identity through two or more methods before granting access. Activate MFA across all applicable platforms, with a particular emphasis on securing your email accounts. It stands out as one of the most potent cybersecurity measures available. Optimal MFA choices include authenticator apps, tokens, or physical security keys. While email and SMS authentication are viable, be cautious as they are more susceptible to exploitation by malicious entities.

Guard Your MFA Codes and Exercise Caution. Never divulge your MFA codes and refrain from endorsing unexpected MFA prompts. Malicious entities may attempt to deceive you into sharing MFA codes or approving prompts, seeking unauthorised access to your devices or accounts. Stay vigilant and prioritise safeguarding these authentication measures to fortify your cybersecurity defences.
Back to Overview

Keep Your Software and Applications Current

Ensure the regular updating and patching of your software and applications to address vulnerabilities and introduce enhanced security features.

Maintaining the currency of your software and applications is equally vital to updating and patching your operating system. Activate automatic updates whenever feasible. Given that your software and apps frequently handle sensitive data, including messages, credit card details, and photos, updating becomes paramount. These updates serve to safeguard such information by rectifying vulnerabilities and incorporating additional security features.

Keep Your Operating Systems Up to Date

Ensure the regular updating and patching of your operating systems to safeguard your devices.

Updates and patches for operating systems, such as Windows, macOS, iOS, and Android, bring forth new features, address critical vulnerabilities, and introduce enhanced security measures. Notifications from your device will alert you when an update or patch is available for your operating system. Install these updates promptly to bolster the security of your devices. If possible, enable automatic updates for your operating system.

Consider replacing devices that no longer receive patches and updates. When acquiring new devices, factor in the promptness of security update delivery. Timely operating system updates are essential for maintaining the security of your device against emerging threats

Safeguard Your Crucial Data with Regular Backups

Ensure the security of your vital information by consistently creating backups. By backing up your files, you establish a means to recover your data in the event of loss, theft, compromise due to malicious software, or damage from unforeseen disasters like fires or floods. Adopting best practices involves routinely backing up your important files, either through a trusted cloud backup service or with an offline backup utilising an external storage device, such as a USB stick or external hard drive.

Enhance Your Device Security

Take Precautions to Avoid Spyware and Malware

Consumer-grade spyware has become an increasing concern for Android and IOS phone users, posing a significant threat to their privacy and security. These malicious applications, often disguised as legitimate monitoring tools or parental control apps, are readily available on various app stores and websites. Unfortunately, they are frequently misused by individuals with malicious intent to monitor and compromise the privacy of unsuspecting victims.

For Android Users Follow NSI Global’s How To Guide: Enable Google Play Protect

For IOS Users Follow NSI Global’s How to Guide: Enable IOS Lockdown Mode

IMPORTANT NOTICE: If you have a concern that you may be the victim of illegal surveillance through the use of spyware and you wish to have evidence of this provided to a court of law, follow these security steps* to Contact NSI Global Today for a confidential consultation. DO NOT ATTEMPT TO REMOVE THE SPYWARE FROM YOUR DEVICE AS YOU MAY DESTROY VALUABLE EVIDENCE TO SUPPORT YOUR CASE.
Back to Overview

Maintain a Distinction Between Work and Personal Devices and Accounts

For heightened security, employ distinct accounts for your work and personal devices, safeguarding sensitive information.

If your responsibilities involve utilising multiple devices, there are measures you can adopt to ensure secure management. Companies like Apple, Google, and Microsoft facilitate the seamless synchronisation of data across devices, encompassing not just files but also messages, call logs, passwords, and photos. While this synchronisation may be convenient for personal data, it introduces a security vulnerability for sensitive information. If confidential data is synchronised with personal devices, it becomes more susceptible to unauthorised access or theft. To mitigate this risk, utilise separate accounts for your official and personal devices, extending to your Apple, Google, and Microsoft accounts.

Be Sure to Share Apps and Paid Services Securely

Utilise secure sharing services like Apple Family Sharing, Google Play Family Library, and Microsoft Family Group to share your apps, games, books, and movies with other accounts.

These services enable you to securely distribute your purchases without compromising sensitive information. It is advisable to avoid directly logging into your accounts on family members’ devices, as doing so poses a risk of synchronising sensitive data to their devices, potentially leading to unauthorised access.

Purpose: Safeguards sensitive information against unauthorised access and inadvertent leaks. Capitalises on the security measures commonly applied to work devices.

Refrain from Sharing Work Devices

Do not share your work devices with others.

Sharing such devices increases the vulnerability of sensitive information to unauthorised access. Despite potential convenience, it is advisable not to share your devices.

Purpose: Safeguards sensitive information against unauthorised access and inadvertent leaks.

Implement Screen Locks on All Devices

Enhance the security of your devices by employing a screen lock mechanism, whether it be a robust passphrase, fingerprint unlock, or face unlock.

Discourage the use of swipe or gesture-based unlocks, as they frequently leave visible marks on the screen, making them more susceptible to guessing.

Purpose: Guards against unauthorised access to your device and any sensitive information or accounts stored within.

Strictly Limit Permissions for Software and Apps

Safeguard sensitive organisational information by minimising the permissions granted to your software and apps.

These applications may request access to various elements such as your location, contacts, camera, files, and microphone. Consider restricting these permissions, even for well-known software and apps, including popular social media platforms. Utilise your devices’ privacy settings to manage and restrict these permissions. Exercise caution when encountering software or apps that seek extensive permissions or permissions unrelated to their functionality. For instance, exercise skepticism if a calculator app requests permission to access Bluetooth functionality and your calendar.

Purpose: Shields sensitive information from software or apps that excessively collect data or exhibit lax data security measures.

Perform a Factory Reset on Your Devices

Initiate a factory reset on your devices following any suspected compromises.

Instances may arise where your devices were not used securely, such as a family member installing potentially malicious software or apps during travel or your devices briefly being out of your possession. To mitigate this risk, back up essential data and proceed with a factory reset. While not comprehensive, a factory reset can effectively eliminate many (but not all) strains of malware.

Purpose: Guards against various persistent malware strains.

Conduct Digital Forensic Spyware Examinations on Suspect Devices

If you suspect your device has been compromised, consider performing a digital forensic spyware examination to thoroughly assess potential security threats.

Instances of compromise could include suspicious activities, unexpected performance issues, or unauthorised access. To initiate this examination, follow these steps:

1. Isolate the Device: Disconnect the device from any networks to prevent further potential compromise and contain the security threat.
2. Backup Important Data: Prioritise the backup of crucial data to ensure its safety throughout the examination process. This step helps preserve essential information while addressing potential security concerns.
3. Engage NSI Global to perform a Digital Forensic Analysis: We will conduct a thorough examination, ensuring an in-depth analysis and accurate identification of potential compromises.
4. Implement Security Measures: Based on the examination results, take necessary security measures to address identified threats. This may include removing malicious software, updating security protocols, or implementing additional safeguards.
5. Educate and Raise Awareness: Share insights gained from the examination with relevant stakeholders. Educate users on potential security risks and promote awareness to prevent future compromises.
6. Document Findings: Our examiners can provide detailed records of the examination process, noting any evidence of identified threats, suspicious activities, or unusual behaviour. This documentation can be prepared to a legal standard to be used as evidence in court proceedings.

Why: Enhances Security Posture, Identifies Potential Threats, and Provides Evidence for Potential Litigation. Conducting a digital forensic spyware examination is crucial to identifying and mitigating potential threats on your device. This proactive approach strengthens your overall security posture, providing a comprehensive understanding of any compromise and facilitating informed decision-making to safeguard sensitive information. Additionally, evidence gathered of this illegal surveillance can be crucial in court proceedings.

Switch Off and Restart Your Mobile Devices Daily

Shutting down a device can effectively eliminate some (but not all) strains of malware.

Power down and restart your mobile devices at least once every day. To ensure the efficacy of this practice, it’s essential to turn off the devices completely, rather than merely locking them or putting them in sleep mode.

Purpose: Safeguards against various strains (but not all) of malware by disrupting the connection to the attacker.

Install Software and Apps Solely from Reputable Sources

Safeguard your devices by exclusively utilising trusted software and apps.

Adhere to best practices by downloading your software and apps solely from official app stores and websites, such as the Apple App Store, Google Play Store, and Microsoft Store. Employing pirated software or accessing untrusted app stores increases the likelihood of device compromise by malware and diminishes the probability of receiving essential patches and updates from vendors and developers.

Purpose: Shields against many (but not all) types of hidden malware. Ensures ongoing support from vendors and developers by using genuine software and apps.

Practice Safe Charging of Devices

Ensure secure charging practices by using only trusted cables and power outlets.

Malicious actors may exploit charging cables to introduce malware to devices. Exclusively employ charging cables from your device’s manufacturer or reputable third-party vendors. USB power outlets can also serve as a conduit for delivering malware to your devices. Safeguard against potential threats by plugging your devices into USB power outlets only in trusted environments, such as your home or office. Avoid public USB power outlets, commonly found in places like airports or cafes, and opt for regular power outlets instead.

Purpose: Defends against malware threats during the charging process.

Connect Only Trusted Devices to Your Device

Ensure that only trusted devices are plugged into your laptop, phone, or computer.

This includes removable media such as USB sticks and external hard drives, as well as peripherals like USB headphones and microphones. Exercise caution with the following:

• Devices received as gifts.
• Devices that have been in the possession of untrusted individuals, even briefly.
• Removable media that has been connected to systems or devices owned by others.

Anything you connect to your devices should be manufactured by a reputable company and purchased from a reliable store. Prior to connecting any device to a work system, consult your IT team to conduct a thorough scan.

Purpose: Safeguards against malware threats arising from untrusted or compromised devices.

Disable Communication Features When not Required

Switch off your device’s communication capabilities, such as cellular data, wireless, Bluetooth, and Near Field Communication, when not in use.

While communication technologies have advanced, none are completely immune to compromise. By deactivating these features when not needed, you can diminish the potential avenues through which a malicious actor might exploit your device.

Purpose: Mitigate vulnerabilities in your device and minimise the risk of compromise.
Back to Overview

Secure Your Accounts

Exercise caution and screen calls, emails, and messages for potential threats.

Remain vigilant for signs of a cyber attack, especially in correspondence that:

• Originates from unfamiliar phone numbers or email addresses.
• Requests actions such as clicking on links, opening attachments, or visiting websites.
• Exhibits suspicious writing, an unusual tone, spelling mistakes, or incorrect capitalisation.
• Imposes urgent deadlines or claims your device has a technical problem.
• Seeks information that the sender has no valid need to know.

Identifying legitimate communication can be challenging, as malicious actors may disguise their identity using spoofed phone numbers or email addresses. They might also incorporate personal details, sourced from publicly available information such as your social media pages, to enhance the persuasiveness of their messages.

If you encounter suspicious correspondence, refrain from interaction, especially avoiding opening any links or attachments. Report the message to your IT support team for assistance.

Purpose: Shields against various threats, including ransomware, malware, account compromise, remote access scams, identity theft, and financial theft.

Employ Robust, Distinct Passwords or Passphrases

Enhance your account security by employing strong, unique passwords or passphrases.

Password managers offer the capability to generate robust, unique passwords for each account. With a password manager, you only need to recall a single master password, as the manager handles the rest. Ensure your master password is robust, as it serves as the key to all your accounts.

For accounts you access regularly or prefer not to store in a password manager, consider using a passphrase as your password. Passphrases consist of a combination of random words, such as ‘jagged cream face stepladder’. They provide a secure yet memorable password option. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC) recommends passphrases that are at least 14 characters long, comprise a random mix of four or more words, avoid popular phrases, and are not reused across multiple accounts.

Avoid storing passwords or passphrases in close proximity to the linked devices, for instance, refrain from storing your laptop passphrase in your laptop bag.

Purpose: Safeguards accounts, devices, and the sensitive information they contain from unauthorised access.

Maintain Password Confidentiality

Never share your passwords or passphrases, even with family members or colleagues.

Recognise that any activities conducted by staff using your accounts will likely be associated with your identity.

Purpose: Safeguards accounts, devices, and the sensitive information they contain from unauthorised access.

Do Not Utilise Publicly Available Information for Password Reset Questions

Establish robust password reset questions when needed to thwart malicious actors from gaining access to your accounts.

Exercise caution to refrain from using publicly available information when selecting password reset questions. For example: business leaders frequently have biographical details accessible online, making common reset questions such as ‘mother’s maiden name’ and ‘childhood address’ vulnerable.

Purpose: Safeguards accounts, devices, and the sensitive information they contain from unauthorised access.

Enhance the Security of Your Social Media Accounts

Ensure the privacy and security of your social media accounts by managing privacy settings effectively. Regularly update your privacy settings on social media platforms to control who has access to your information. Privacy settings can evolve with added functionalities, making periodic checks crucial. Be mindful that your data might be stored in jurisdictions where Australian legislation may not have jurisdiction.

Purpose: Shields sensitive information from unintended exposure, making it more challenging for malicious actors to gather enough details to engage in identity theft, launch personalised phishing attempts, or guess password reset questions.

Do Not Share Personally Identifiable Information on Social Media

Refrain from disclosing private information on social media, and encourage your friends and family to follow suit.

Even seemingly insignificant details can, when pieced together, paint a comprehensive picture about you. Revealing too much private information online poses the risk of malicious actors gathering enough data to engage in identity theft, guess weak account reset questions, decipher weak login details, or personalise scams and phishing attempts targeted at you.

Never presume that any online activity or post will remain confidential, as even trusted platforms and services may fall victim to cyberattacks and experience data breaches.

Purpose: Safeguards sensitive information from unintentional disclosure, making it more challenging for malicious actors to amass enough details to perpetrate identity theft, launch personalised phishing attempts, or decipher your password reset questions.

Create Completely Separate Work and Personal Social Media Accounts

Safeguard your public and private life by establishing two different work and personal social media accounts.

This practice allows you to compartmentalise the information shared with distinct audiences.

Purpose: Safeguards sensitive information from unintentional sharing and complicates attempts by malicious actors to gather enough details for identity theft, personalised phishing attempts, or guessing your password reset questions.

Do Not Share Login Credentials for Social Media Accounts

Never divulge login details for social media accounts.

Instead, opt for business or corporate social media accounts that permit multiple users to oversee a profile without the need to share login credentials. Several social media platforms, such as Facebook and X, provide this functionality.

Purpose: Guards against unauthorised account access and diminishes the risk of unauthorised account activity by restricting permissions.

Look Out For and Report Fake Social Media Accounts

Remain alert to potential online impersonation attempts, as individuals may try to replicate your online identity.

Combat misinformation by promptly reporting fake accounts to both your IT support staff and the respective social media platform.

Exercise caution, as malicious actors might seek to impersonate individuals you trust to deceive you.

Be wary of social media accounts exhibiting unusually low post counts, limited pictures or connections, and unfamiliar email addresses or phone numbers. Recognise that malicious actors often leverage personal details to craft highly convincing digital identities with the intent to mislead.

Be vigilant when responding to requests for social media account verification.

Malicious actors may use such requests to deceive you into confirming fake accounts. Only validate accounts if you can confirm the legitimacy of the request.

Purpose: Safeguards against scams targeting you directly or exploiting your identity to target others.
Back to Overview

Ensure the Security of Your Communications

Activate security features on messaging apps to safeguard your conversations.

Use encrypted messaging applications and acquaint yourself with their security functionalities.

For iMessage users, note that blue text bubbles indicate encrypted conversations, while green bubbles signify non-encrypted exchanges, often occurring when messaging an Android device.

Google Messages users should be aware that a lock over the send button denotes encrypted conversations, while the absence of a lock indicates non-encrypted communication, typically when messaging an iPhone. Google Messages also offers users a unique verification code to ensure they communicate with intended recipients.

When exchanging sensitive information between Android and iPhone users, consider utilising cross-platform encrypted messaging tools like Signal. These applications offer end-to-end encryption across different operating systems and device types.

For users of other encrypted messaging apps, activate multi-factor authentication and check for mechanisms to verify the integrity of your conversations. This often involves comparing security codes among all parties involved.

Purpose: Safeguards messages from interception and unauthorised access, aiding in the detection of potential impersonation attempts by malicious actors.

NOTE: FOR GOVERNMENT, MILITARY, OR LAW ENFORCEMENT USERS ONLY, NSI GLOBAL RECOMMENDS THE USE OF HARDENED ENCRYPTED DEVICES FOR ALL VOICE CALLS AND MESSAGING.

Exercise Caution with Group Messages

Exercise caution when utilising group messages, as the size of the group increases the potential for information compromise.

Take note that certain messaging software and apps permit new group members to access messages sent before their inclusion. When sharing content, verify whether your messaging apps provide end-to-end encryption for group messages, as not all platforms offer this feature.

Purpose: Safeguards sensitive information from unintended exposure.

Ensure Work Communication is Only Conducted on Your Work Devices

Limit work-related activities to your designated work devices for storing and sharing work-related information.

Work devices typically have robust security measures in place to safeguard sensitive work information. Personal devices, lacking the same level of protection, should not be relied upon for sharing or storing work-related information.

Purpose: Safeguards sensitive information from unintended exposure or unauthorised access.

Share Meeting Invitations Only through Secure Channels

Exclusively distribute meeting invitations through private channels, such as email or encrypted messaging applications.

Sharing meeting invitations on publicly accessible websites or social media platforms poses a risk of unauthorised individuals attending. To prevent unintended access, routinely update meeting login details and access links for recurring meetings, ensuring that previous guests cannot access meetings they were not invited to.

Purpose: Safeguards sensitive information from accidental sharing.

Restrict Meeting Access to Invited Participants Only

Permit entry to a meeting solely for invited participants.

Implement a password requirement for online meetings to minimise the chance of unauthorised attendees. Once all expected participants have joined, secure the meeting to prevent unauthorised access. If unfamiliar participants are present, request identification, and disconnect those who refuse to comply.

Purpose: Safeguards sensitive information from being shared accidentally.

Participate in Meetings from a Private Setting

Whenever feasible, join meetings from a private location.

If there are others in close proximity, it is advisable to use headphones to ensure that only meeting participants can hear the entire conversation. Orient your webcam away from any confidential information in your background and utilise background-blurring features, if provided.

Purpose: Safeguards sensitive information from inadvertent sharing.

Exercise Caution During Screen Sharing

Exercise caution when sharing your screen. Limit the sharing to specific software or apps that are necessary, rather than displaying your entire screen. Additionally, it is advisable to establish expectations regarding meeting recordings or the publication of proceedings in advance.

Purpose: Safeguards sensitive information from inadvertent sharing.

Ensure Communications Security When in Public

Avoid Public Wi-Fi Usage

Public Wi-Fi inherently lacks security and may expose your internet activity to malicious actors. While traveling, it is more secure to establish a personal mobile hotspot rather than relying on public Wi-Fi.

Purpose: Safeguards your internet traffic from interception and unauthorised access by malicious actors.
Back to Overview

Implement Precautions to Mitigate the Impact of Lost or Stolen Devices

One of the most significant threats to your information arises from the loss or theft of devices.

Never leave mobile devices or removable media unattended, whether in checked-in luggage or hotel safes. Enable encryption on your devices if supported, as it enhances the security of your information in case of loss or theft. If available, utilise features such as ‘find my device’ or remote data erasure to provide additional security in the event of device loss or theft.

Purpose: Safeguards sensitive information and accounts on your devices, preventing unauthorised access.

Consider Employing Dedicated Travel Devices and Accounts

When traveling overseas, your devices may be more vulnerable to targeting by malicious actors.

To enhance security, limit the devices you take with you to only those necessary. Consult your IT support team to establish dedicated travel devices and accounts before your trip, and reset them upon your return. Utilise a Virtual Private Network (VPN) for internet traffic security on your travel devices. This best practice minimises the potential access to information in case of device compromise, loss, or theft.

Purpose: Safeguards sensitive information and accounts on your devices, preventing unauthorised access.
Back to Overview

What to do if you think you have been compromised

If you have a concern that you may be the victim of illegal surveillance through the use of spyware and you wish to have evidence of this provided to a court of law, follow these security steps* BEFORE CALLING NSI at 1300 000 NSI(674) for a confidential consultation. DO NOT ATTEMPT TO REMOVE THE SPYWARE FROM YOUR DEVICE AS YOU MAY DESTROY VALUABLE EVIDENCE TO SUPPORT YOUR CASE.

If you think you have been the victim of a cyber incident, you should speak to your IT support team immediately. The sooner they know, the sooner they are able to help you. If you do not have an IT department feel free to contact NSI Global on the number above.

Cyber incidents should also be reported to the Australian Cyber Security Centre on 1300 CYBER1 (1300 292 371). This service operates 24 hours a day, 7 days a week.