Stay Safe Online: A Simple Security Guide (For Everyone)

Think of your work account like your house. A strong lock (good password) and a door chain (MFA) keep the bad guys out. This guide shows you the basics – no tech-speak needed.

The 3 Golden Rules

  1. Pause before you click. If a message feels urgent, scary, or “too good to be true,” it’s probably a scam.
  2. Keep your password secret & strong. Use a long passphrase you don’t use anywhere else.
  3. Turn on MFA (Multi-Factor Authentication). It’s the easiest way to block most hacks.

What is MFA? (And why it matters)

MFA = Multi-Factor Authentication.
After your password, you confirm it’s really you with a code or a phone approval.
Even if someone steals your password, they still can’t get in without that second step.

MFA in 60 Seconds (Pick one method)

Option A: Authenticator App (best)

  1. On your phone, install Microsoft Authenticator or Google Authenticator from the app store.
  2. On your computer, sign in to your work account and open Security / Sign-in methods (the page where you manage your sign-in options).
  3. Choose Add method → Authenticator app.
  4. When you see a QR code on your computer, open the app → Add account → Scan QR code.
  5. Approve the test notification. Done!

How it works: Next time you sign in, a message pops up on your phone. Tap Approve.

Option B: Text Message (OK)

  1. On your computer, open your account’s Security / Sign-in methods.
  2. Choose Add method → Phone (SMS).
  3. Enter your mobile number and type in the code you receive.
  4. Done. Next time you sign in, you’ll get a code by text.

Tip: If you can, use the Authenticator app—it’s more secure and works even without mobile signal (codes keep generating).

Smart Passwords (Easy Version)

  • Use a passphrase: four or five random words + a number. Example: LemonGardenTrain!42
  • Never reuse the same password on different sites.
  • Don’t share passwords. Don’t send them in email or chat.
  • If offered, use a password manager (it remembers for you).

Spotting Scams (Phishing)

Common tricks:

  • “Your account will be closed today—click here now!”
  • “Unpaid invoice attached—open immediately.”
  • “Delivery failed—pay £1.50 to re-deliver.”

How to check:

  • Look at the sender. Is the address spelled oddly?
  • Hover over links. Does the web address look weird or wrong?
  • Ask yourself: Was I expecting this?

If unsure: Don’t click. Ask your line manager or IT/Comms to check.

Devices & Data (Simple Habits)

  • Update your phone and computer when asked.
  • Lock your screen when you step away (Windows: Windows + L, Mac: Control + Command + Q).
  • Only use work apps for work data. Don’t store client info in personal apps.
  • Avoid public Wi-Fi for sensitive work. Use your phone’s hotspot if needed.
  • Lost phone or laptop? Report it immediately so we can protect your account.

“MFA Popup I Didn’t Start” = Deny + Report

If your phone asks you to approve a sign-in you didn’t make:

  1. Tap Deny (or No, it’s not me).
  2. Report immediately to your line manager and the IT & Comms team via your usual channel (Teams/email).
  3. Change your password as soon as possible.

What To Do If You Clicked Something Suspicious

  1. Tell us right away (no blame—speed helps).
  2. Don’t enter any passwords or codes.
  3. Disconnect from the internet if asked by IT.
  4. We’ll guide you to change your password and check your account.

Quick Checklist

  • I use a unique, strong passphrase for work.
  • MFA is turned on (app or text).
  • I pause before clicking links or opening attachments.
  • My phone/computer are up to date.
  • I know how to report anything suspicious quickly.

Need help?

  • If you’d like someone to sit with you and set up MFA, or you’re unsure about a message you received, contact your line manager or the IT & Communications team ([email protected]) via your usual support channel. We’re happy to help.