Malware Risks: NCSC and Department of State issue new guidance to protect from malware

January 7, 2022

Last month, it was publicly revealed that phones belonging to employees of the US Department of State were infected with the now-infamous Pegasus malware, developed by Israeli surveillance firm NSO Group. NSO Group, among several other foreign technology groups known to manufacture spyware, was sanctioned just before this information was released.

Today, the National Counterintelligence and Security Center (NCSC) and the Department of State jointly published guidance on defending against attacks by commercial surveillance tools.

In their published document, they listed the following tips:

  • Regularly update device operating systems and mobile applications.
  • Be suspicious of content from unfamiliar senders, especially those which contain links or attachments.
  • Don’t click on suspicious links or suspicious emails and attachments.
  • Check URLs before clicking links or go to websites directly.
  • Regularly restart mobile devices, which may help damage or remove malware implants.
  • Encrypt and password protect your device.
  • Maintain physical control of your device when possible.
  • Use trusted Virtual Private Networks.
  • Disable geo-location options and cover camera on devices.

While these steps mitigate risks, they don’t eliminate them. It’s always safest to behave as if the device is compromised, so be mindful of sensitive content. These tips are important and can go a long way in keeping your data and your company’s data protected.

The importance of updating your device’s operating system can’t be overstated. Hacks and exploits are found on a very regular basis, and companies such as Apple and Microsoft often respond quickly with patches and countermeasures.

However, these patches are delivered via OS update. So think twice before you ignore your next update notification by hitting “Remind Me Tomorrow” for the fourth time.

Additionally, every company should implement privacy and anti-phishing training for employees. Even with the most advanced security technology and software, a common system vulnerability is an untrained and unsuspecting employee.

Password management continues to serve as the bane of online security. Half of American adults still write down passwords on paper, many more reuse the same or similar password, and only half of American adults habitually use two-factor authentication.

Encryption and strong passwords are important for devices. It’s equally important to ensure the applications themselves, particularly communication applications, are encrypted end-to-end.

That’s why it made headlines around the country when videoconference application Zoom was sued for misrepresenting its application’s end-to-end encryption feature, and why Zoom, Microsoft Teams, and other communication applications have since implemented end-to-end encryption options.

The above list of tips includes some important details, and each suggestion should be taken seriously.

Of course, like most lists of this nature, these are only half the battle. These tips will do you no good if you’re facing an active threat or if you’re already compromised.

Partnering with a skilled and timely security partner ensures that your data is protected even when you’re not thinking about it. And should you ever face a disaster, that partner can minimize downtime and keep you online. The negative effects and costs of malware aren’t measured in loss of data and product so much as the loss of productivity and time.