Malicious software (also known as 'malware') is software or web content that can compromise your IT security. The best-known form of malware is the virus, a self-copying program that infects legitimate software. Other forms of malware include ransomware, which encrypts the files on a computer or network, or locks a user's screen, and demands a payment to allow the computer to be used again.

Antivirus software should be used on all computers and laptops to reduce the risk of infection with computer viruses or ransomware. Firewalls, which create a 'buffer zone' between your network and external networks (such as the Internet), should also be installed and activated. Installing updates to software and firmware will ensure that your IT systems are protected by the latest versions from software developers, hardware suppliers and vendors.

Unfortunately, many instances of malware are the result of someone inadvertently opening an infected email attachment, unwittingly downloading a malicious program from the internet or inserting a USB drive or memory card that is infected with a virus. Training staff to be aware of these threats and only providing the level of access to IT systems required for staff to perform their roles will prevent or limit the effects of such an occurrence.

Install and turn on antivirus software and activate your firewall.

Ensure that updates to the antivirus software are installed as soon as they become available.

Keep all your IT equipment up to date (patching).
•    Ensure that automatic updating is enabled where available. 
•    If a software product has reached the end of its supported life, i.e. the developer is no longer providing updates, replace it with a more current version.

Ensure that staff IT accounts only have the level of access required to perform their role. For example, ensure standard user accounts do not have permission to install new software or change security settings.

•    Provide administrative accounts with extra permissions only to those members of staff who need them.
•    Ensure administrative accounts are only used for administration of the IT system, with standard user accounts used for general work.

Control how USB drives (and memory cards) can be used on your IT systems.
•    Reduce the likelihood of infection by either blocking the use of USB drives altogether or only allowing approved drives to be used on your systems. 
•    Ask staff to transfer files using alternative means (such as by email or cloud storage), rather than via USB.

Ensure staff know to delete suspicious emails and to be wary of opening unexpected attachments or clicking on weblinks embedded in emails.

If considered necessary, restrict access to personal email and personal use of the internet on the practice’s IT systems.