Staying Private & Secure


This document has been prepared in conjunction with many different sources. The objective is to highlight some of the existing online data risks. Managing those risks, at work or at home, can be done by following some simple but sensible steps.

Use this checklist to review your devices and accounts and amend them as necessary. Delete old accounts you just don’t need anymore. Apply to all new online activity the same safety considerations you would ordinarily apply in the real world. For social media you need to consider not just yourself but close friends and family who may be tagged.

Review this document throughout the year and ensure this is an ongoing process rather than an annual health check. Always validate suggested links by using a trusted search engine like Google or Bing.

Personal Cyber Safety

Be aware of your surroundings. Shoulder surfing is a known tactic people use to collect passwords.

Do not use public Wi-Fi for any sensitive internet browsing unless using an operational VPN. 3G or 4G is safer than public Wi-Fi. You cannot be sure who owns or is monitoring a Wi-Fi hotspot.

Never save account details on any device that you don’t use exclusively: if you auto-fill credentials on a shared device, others can log on to your accounts.

Turn off Bluetooth and Wi-Fi when they are not needed; left on, they are a weakness.

When undertaking sensitive work-related visits or tasks, the use of ‘airplane mode’ is recommended if internet connectivity is not needed.


Make STRONGER passwords using the latest guidance from the National Cyber Security Centre. Current best practice advises THREE RANDOM WORDS, known as a PASSPHRASE. Add complexity: convert some letters to numbers and add special characters. Aim for 13+ characters.

For example: LondonBeachMusic

This is 16 characters and is a good strong passphrase. It may be adequate for some services.

To add complexity: L0nd0n8eachMu$ic

Or: London#0Beach3$Music

This is now 19 characters and gains strength by increasing the range of possible characters used in the passphrase. Most passwords are worked out by criminals after a data breach using brute force attacks: trying every combination of upper and lower case letters, symbols and numbers until they match the stolen encrypted (properly known as ‘hashed’) password.

Don’t use words / names / information that may be in the public domain or easily worked out from social media content, e.g. Mother’s maiden name; date / place of birth; pet names; teams you support…

Your single most important account and password is your main email – anyone taking control of your main email can reset all your other passwords locking you out. Always log out of sites you have logged into on shared or public devices.

Password recycling – never re-use old passwords. Criminals are known to recycle old passwords which have been exposed via a data breach.
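To make the brute force reasoning above concrete, here is a small Python checker that scores the leaflet’s three example passphrases the way the text describes: length multiplied by the size of the character set an attacker would have to search, plus a check against a list of previously exposed passwords (the recycling point). This is an added example, not code from the leaflet or from the NCSC. The guessing rate (10 billion guesses per second), the 80-bit threshold and the breach list are assumptions constructed for illustration; the breach list deliberately includes LondonBeachMusic, because any passphrase printed in a public document should be treated as already exposed.

```python
import hashlib
import math
import string

# Character classes the brute-force model in the leaflet must cover, with
# the number of characters an attacker has to try for each class.
CLASSES = {
    "lower": (set(string.ascii_lowercase), len(string.ascii_lowercase)),   # 26
    "upper": (set(string.ascii_uppercase), len(string.ascii_uppercase)),   # 26
    "digit": (set(string.digits), len(string.digits)),                     # 10
    "symbol": (set(string.punctuation), len(string.punctuation)),          # 32
}

# Constructed stand-in for a list of passwords exposed in past breaches.
# Such lists are normally distributed as hashes rather than plain text;
# SHA-1 is used here purely to mirror that shape, not as a recommendation.
EXPOSED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1", "LondonBeachMusic")  # assumed example entries
}


def charset_size(passphrase: str) -> int:
    """Size of the alphabet a brute-force search must cover for this passphrase."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in passphrase):
            size += n
    return size


def brute_force_bits(passphrase: str) -> float:
    """log2 of the number of guesses needed to try every combination."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(passphrase: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every combination at the assumed guessing rate."""
    guesses = charset_size(passphrase) ** len(passphrase)
    return guesses / guesses_per_second / (365 * 24 * 3600)


def previously_exposed(passphrase: str) -> bool:
    """True if the passphrase appears in the (constructed) breach list."""
    return hashlib.sha1(passphrase.encode()).hexdigest() in EXPOSED_HASHES


def assess(passphrase: str, minimum_bits: float = 80.0) -> dict:
    """Apply the leaflet's rules: 13+ characters, wide character set, never reused."""
    findings = []
    if len(passphrase) < 13:
        findings.append("shorter than 13 characters")
    bits = brute_force_bits(passphrase)
    if bits < minimum_bits:
        findings.append(f"only {bits:.0f} bits of brute-force work (assumed minimum {minimum_bits:.0f})")
    if previously_exposed(passphrase):
        findings.append("appears in a breach list; never use it again")
    return {
        "length": len(passphrase),
        "charset": charset_size(passphrase),
        "bits": round(bits, 1),
        "years_at_1e10_per_s": years_to_exhaust(passphrase),
        "findings": findings,
    }


if __name__ == "__main__":
    for example in ("LondonBeachMusic", "L0nd0n8eachMu$ic", "London#0Beach3$Music"):
        print(example, assess(example))
```

Run it and compare the three rows: the second passphrase keeps the same length as the first but its character set grows from 52 to 94, and the third gains further from its extra length. The first passphrase is also flagged as exposed, which is the point about recycling: once a password is in a breach list, its strength no longer matters.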

If you want to know more look at the NCSC’s Advice:

Password Managers

Password managers are a GOOD THING. They give you huge advantages in a world where there are far too many passwords for anyone to remember. They make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden. They can help prevent you from falling for phishing attacks. They can generate new passwords when you need them and automatically paste them into the right places.

They can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet. Read more at:

Do some risk assessment as to what you trust the Password Manager to look after. You should end up needing to remember only a small number of STRONG PASSPHRASES such as:

  1. Main Email Account PASSPHRASE
  2. Main Bank Account PASSPHRASE
  3. Password Manager PASSPHRASE

Two-Factor Authentication (2FA)

Two-factor authentication (often shortened to 2FA) provides a way of ‘double checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media. It is available on most of the major online services. Where possible activate two-factor authentication – see:

Staying Private

Consider data that is contained in and whether edits or deletion needs to be made or requested at:

Change your browsing habits

Think about using stealth mode (e.g. Chrome Incognito, Firefox private window), but be aware that it doesn’t hide what you do from everyone, including the other end of the connection. Use a private search engine if necessary.

Social Media

Social Media presents a massive risk to your privacy. We all share far too much information about ourselves.

If you want to see how much, watch this video called ‘Data to Go’ where Open Source researchers had just 3 minutes to find out everything about real individuals who liked a Facebook page…

Data to Go – cifas

Stay Secure Online 2019 Booklet

The National Police Chiefs’ Council has created this booklet, which contains screenshot instructions for social media accounts, browsers, smartphones and apps, showing you how to secure them appropriately.

Scams and Social Engineering

Take Five – Stop Fraud is a national initiative to reduce fraud. Find guidance and a quick test of your skill in spotting scams, frauds and phishing at:

Take Five to Stop Fraud


Phishing and spear phishing are prevalent and responsible for the majority of security incidents. This shows some of the common techniques.

Spear Phishing Awareness – CPNI

There are lots of impersonation scams out there…

Fraudstars – Get Safe Online

Data Breaches

Data breaches are being reported daily since the General Data Protection Regulation went live on 25/5/18. We are entrusting more and more information about ourselves to digital services. By being aware of the dangers and adopting good online hygiene we can significantly reduce the risk we face.

Article 17 of GDPR – Right to Erasure (‘right to be forgotten’) – allows you to require the deletion of information about yourself. The less they know, the less there is to be breached.

Data Breach Checker

Have I been Pwned is a trusted website run by Cyber Security Researcher – Troy Hunt – who works with the National Cyber Security Centre. You can check if you have an account that has been compromised in a data breach. Don’t forget to tick the ‘Notify Me’ box to sign up to future alerts when you are involved in another breach.

Involved in a Data Breach?

Immediately change your password for all accounts which have been compromised AND any other account(s) that you have used the same password for. Do not use this password ever again. Follow our guidance above.

If it involves accounts you no longer use, recover those accounts (using forgotten password processes if necessary) – then delete or close the account. There are lots of free guides which can be found using a simple Google search.

If the data breach involves sensitive personal or credit data, you need to sign up for credit score alerts from free providers. There are three credit agencies in the UK so you need to sign up to more than one service:

Keep home and work life separate. Data you have consented to share is passed between companies, and data from separate breaches is being merged. Try not to use your work email for anything at home and vice versa. For example…

Having personal items delivered to work will link your personal account with a new delivery address. Linking work emails to accounts where personal data is stored, e.g. social media, will link home addresses to work.

A Secure Device Means…

  • An Operating System which has been fully updated
  • An up-to-date modern internet browser
  • The latest versions of all software or apps, fully updated
  • Anti-Virus software, fully updated
  • Anti-Malware software, fully updated
  • Firewall switched on
  • Virtual Private Network (VPN) software for use on Public Wi-Fi

Online Safety

Don’t forget to look after the people around you with these useful sites.


Please use the following three audit checklists to assist you with a Cyber Hygiene review of all devices and accounts you use or have used. If you print it and write sensitive information on it, keep it secure or cross-shred it upon completion.

No More Ransom Project

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ Police, Europol’s European Cyber-Crime Centre (EC3) and McAfee with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.

Further Advice

Visit HM Government’s Cyber Aware website:

Cyber Aware