Patch patch patch
Ten years ago everyone joked about core operating system security, and though it is still not perfect, the blame has partly shifted. Most infections start with something (a human is of course behind it) exploiting add-ins or browsers: Opera, Firefox, Chrome and so on, plus PDF readers, Flash, Silverlight, Java and more.
Set automatic updates, let the PC restart when it asks to, and pay even more attention to non-core operating system software (the browsers above) and add-ins (the add-ins above). To reduce the attack surface, only install what you need, review what is installed from time to time, and remove what is rarely used.
Log in as a user
Windows has two main account types: an administrator and a user. An administrator can install software, uninstall software, change settings, view logs and a lot more. A user can install and uninstall very little, if anything, and cannot edit or view certain settings nor view security logs. Attackers love privileged accounts.
Create or update your PC so that it has two accounts, an administrator and a user account, and ideally do not name them JohnSmithAdmin or JaneDoeUser. This has two purposes: if someone steals or finds your laptop it makes it harder to identify the owner (there are other ways, of course), and users with user rights cannot install software easily, so malware can only do so much damage with user rights.
Do not rely on inbuilt antimalware
Pre-Windows 7, the operating system had no antimalware software installed by default. Microsoft Essentials was added, and now Windows Defender. Linux usually comes with nothing, and though it should have something, it is less needed given the number of vulnerabilities and entry points - "this is a different kettle of fish".
Windows Defender is of course something, but it is basic and does not have sub-functions. Paid antimalware software, and some free ones, has various sub-components beyond Defender: an automated firewall, intrusion prevention, anti-exploit and, importantly, some kind of local web filter that blocks known spam, malware and phishing sites. Some even have real-time phishing detection. You get what you pay for!
Secure your Wi-Fi while at home, at work and on the road
The British MoD and private defence contractors barely have Wi-Fi at their sites, which really says a lot. Neighbours pinching free Wi-Fi (or someone "framing" you by using your home network) is not the only problem, nor really an important one in the grand scheme of things. Wi-Fi at an office is really an extension of the RJ45 port, which is physically secure inside a building. Poor setups can allow a way into the network, or existing traffic can be intercepted and then used to log in to online web apps.
Home Wi-Fi router/modems are more basic than networking kit at the office, so the basics are: change the SSID, change the PSK to something 20+ characters long, implement MAC filtering (a slowdown for an attacker, not at all bulletproof), change the default username/password and ensure only WPA2 is used. Securing work Wi-Fi is different and includes changing the SSID to something less obvious and implementing certificate or username/password authentication, which is called WPA2-Enterprise. Nomadic devices should not be forgotten: give them a good VPN and turn the auto-connect function off for SSIDs.
Creating a strong password (or passphrase)
The ideal password is long, complex and easy to remember – but hard to break. Below is a method for creating a non-dictionary password; with a bit of tweaking you can follow it to make a passphrase instead.
First, pick a group of words
- I have a black labrador dog called charlie
- my house is in south-east london
- my favourite rock band is the beatles
- my favourite musical instrument is the saxophone
- I got married in paris in france
Take the first character of each word to make a new word
- ihabldcc
- mhiisel
- mfrbitb
- mfmiits
- igmipif
Add a random word at the end to strengthen it further
- ihabldccapple
- mhiiselemail
- mfrbitbmicro
- mfmiitsred
- igmipifebay
Finally, swap or insert a symbol or number somewhere in the result
- ihabldcc@pple
- mhii$elemail
- mfrb1tbmicro
- mfmiits-red
- igmipif+ebay
QA have an extensive Cyber curriculum offering a number of courses to improve Cyber Awareness. QA have also partnered with The AntiSocial Engineer Limited to provide advanced social engineering and phishing courses.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.