
IT Security Best Practice

All colleagues are urged to be extra vigilant and follow IT security best practice

Following Russia’s attack on Ukraine, the cyber security threat level has been heightened.  

One of the most common attempts to breach cyber defences is through the use of phishing emails, so it is really important that you remain alert to suspicious emails containing links or attachments.  Please take the time to read the simple best practice guide below and follow the links at the bottom for more information and guidance. 

Do not open any suspicious links or attachments


Phishing is when hackers and criminals send illegitimate but very realistic-looking emails to try and trick people into clicking attachments or links to begin a cyber attack. To avoid phishing:

  • Check the sender’s email address to see if it looks legitimate.
  • Check the email for: spelling mistakes, poor grammar, and suspicious website link names.
  • Don’t click links or attachments from senders you don’t recognise.
  • Don’t provide sensitive personal information like usernames and passwords over email.
  • Send any suspicious emails as an attachment to then delete it.

Use strong passphrases

The easiest way to protect yourself from cyber threats is by having a strong passphrase. This is a sentence-like string of words, such as a quote or a line from a song, that is longer than a traditional password but easier to remember and more difficult to break. It should include:

  • a minimum of 12 characters (including spaces) 
  • a mix of UPPER and lower case characters 
  • a number and a special character such as @, #, $, %, &, * and +

Use encryption to send personal, confidential or sensitive information

Where personal, confidential or sensitive information is to be sent via email, the content of the email MUST be secured using an encrypted method of transfer. It is policy that emails containing any Personal Confidential Data (PCD) or commercially sensitive information should be sent using an NHSmail account.

For further information, read our guide on using email to send personal, confidential or sensitive information.

Fully restart your computer every couple of days or at least once a week to install updates


IT security updates are regularly scheduled for your computer to ensure your device, and the systems you have access to, remain compliant with the latest security recommendations.
To enable these important security updates to be installed, your computer needs to be fully restarted. If your computer isn’t fully restarted, these important updates will not be installed, which could cause a security vulnerability.

If you receive a desktop message reminding you to restart your computer to install these updates, please ensure you restart your computer at the next convenient opportunity. It is best practice to restart your computer every couple of days or at least once a week. Please note that shutting down your computer is not the same as restarting, and a full restart is required to enable these important updates to be installed.

Beware of social engineering


Social engineering involves criminals using tricks or deception to manipulate people into giving access to information such as patient data, health care records or details of IT systems. Giving unauthorised or suspicious people access to information or places could risk someone taking patient data. A social engineer might use the following tactics:

  • Call and pretend to be a fellow colleague
  • Ask you to hold the door open for them
  • Pose as a friend on social media
  • Criminals will often research the target organisation to appear legitimate

To help stop social engineering:

  • If a web browser states you are about to enter an untrusted site, be very careful as it could be a fake phishing website that has been made to look genuine.
  • If you see a red padlock or a warning message stating your connection is not private, be careful.
  • Never give your login details to anyone. Your IT Service Desk and digital colleagues will never ask you to disclose your passphrase.
  • Be cautious with sharing information about your work on social media sites.

Watch out for tailgaters

Tailgating is when unauthorised people gain entry to a building by following a staff member through physical security facilities, such as doors, barriers and gates, to avoid detection. Letting unauthorised people in could lead to them taking patient data or accessing systems. To help stop tailgating:

  • Query the status of strangers, if it is safe to do so, especially if they try to follow you into staff areas.
  • Wear your ID badge and ensure it is visible.
  • Challenge anyone who doesn’t display a visible ID badge, if it’s safe to do so.
  • Make sure you shut or lock doors and cabinets, where necessary.
  • Maintain a clear desk policy when away from your work station.
  • Lock screens and devices when not in use.

Be Cyber Savvy

Further information and support

For further information on the risks to look out for as well as handy hints and tips on how to be cyber savvy, please visit: