Best Practices

This is a list of best practices that individuals and organizations can adopt to improve their cybersecurity hygiene. The most important thing you can do is to think critically and act cautiously.


  • Change passwords to be long & strong (the more characters the better).
  • Change your password now, even if your password is not due to be changed yet.
  • Don’t use the same passwords for work accounts and personal accounts.
  • Don’t provide passwords to anyone, not even the security team or the service desk.


  • Use least privilege – log on to the workstation as a user and elevate to administrator only when needed.
  • Remove excess privileges; keep only the least privilege needed to perform job functions.


  • Backup critical documents – backups should not be connected or mapped to workstations.

Social Media

  • Scrub employment and personal information from social media (Facebook, Twitter, Instagram, etc.) – don’t list your job title and department name, and don’t list your address, phone number, pets’ names, etc. This information can be used by Anonymous and other bad actors to social engineer you and your coworkers.


  • Don’t enable macros in files unless you were expecting to receive the file from the person that sent it.
  • Don’t plug unknown USB sticks/thumb drives into workstations.
  • If a workstation becomes infected by ransomware, immediately disconnect it from the network – but do not shut down the workstation – then notify the security team.
  • Don’t let anyone else use your State workstation, not even family members.


  • Don’t use unapproved software on workstations.
  • Don’t store sensitive information on workstations unless absolutely necessary for job functions.
  • Ensure all software on workstations is fully patched and up to date.
  • Ensure antivirus software is functioning and receiving updates daily.
  • Always use VPN (with Multi-Factor Authentication) when connecting to State resources from outside of the office, especially when using public hotspots.


  • Don’t forward suspicious emails to anyone other than the security team.