Malware is the term used to refer to any type of code or program that is used for a malicious purpose.
Cybercriminals often use malware as just one stage in a larger attack. For example, they can use malware to steal sensitive information then use that information to extort their victim or steal their identity. They can also use malware to record everything their victim types, including their usernames and passwords, then use that information to access their victim’s sensitive accounts.
Common types of malware include adware, keyloggers, worms, ransomware, spyware, trojans and viruses.
Follow the steps in this guide to significantly reduce your risk of being affected by malware.
Secure your device to protect yourself against malware
Antivirus software can help prevent, detect, and remove malware from your device. Make sure you turn on your antivirus software and keep it up-to-date. The ACSC has published guidance on antivirus software.
You may already have antivirus software on your device. Microsoft Windows 10 and Windows 11 come with a built-in antivirus tool called Windows Security. Apple macOS also has antivirus software built in to remove and block malware, called XProtect.
Whatever antivirus you choose, we recommend familiarising yourself with what legitimate warnings look like. Sometimes websites will give you a fake warning to try to get you to click on a harmful link. If you know what your antivirus warnings look like, you can avoid the harmful links.
If possible, ensure your antivirus software is set to automatically scan removable media. This will help reduce the risk of malware introduced by USB sticks or other storage devices.
Cybercriminals use known weaknesses to hack your devices. Updates include security upgrades, so known weaknesses can’t be used to hack you. You should always update your system and applications when prompted. You can also turn on automatic updates on some devices and applications so that updates happen without your input.
Read our advice on updates for more information, including how to update your Windows, Apple, and Android devices.
If you have a server or Network Attached Storage (NAS) device in your network, make sure they are regularly updated too. If you are unsure how to update your device, refer to the manufacturer’s guidance or speak to an IT professional.
A backup is a digital copy of your most important information (e.g. photos, customer information, or financial records) that is saved to an external storage device or to the cloud.
Some types of malware can delete or corrupt your data. If this happens, the best way to recover is to restore from an unaffected backup. Regularly backup your files to an external storage device or the cloud. Backing up and checking that backups restore your files offers peace of mind.
If you backup your files to an external storage device, disconnect it when it is not in use. This reduces the risk that malware will spread to your external storage device and infect your backups too.
Read our advice on how to back up your device.
Multi-factor authentication (MFA) makes it harder for cybercriminals to gain initial access to your device, account, and information by making them jump through more security hoops and additional authentication layers. This means that the cybercriminal will have to spend more time, effort, and resources to infect your device with malware.
MFA typically requires a combination of two or more of the following authentication types before granting access to an account:
- something a user knows (PIN, password/passphrase),
- something a user has (smartcard, physical token), or
- something a user is (fingerprint, iris scan).
Prioritise enabling MFA on critical services such as email or remote access (if this is used by your business). Read our guidance on MFA for more information.
Protect your accounts and devices with strong passwords. You can use both password managers and passphrases to create strong passwords.
A password manager acts like a virtual safe for your passwords. You can use it to create and store strong, unique passwords for each of your accounts. If you have a lot of accounts, this removes the burden of remembering unique passwords. You don’t have to remember the passwords or the accounts they belong to, as it is all recorded in your password manager.
For accounts that you sign into regularly, or that you otherwise don’t want to store in a password manager, consider using a passphrase as your password. Passphrases are a combination of random words, for example ‘crystal onion clay pretzel’. They are useful when you want a secure password that is easy to remember. Use a random mix of four or more words and keep it unique – do not reuse a passphrase across multiple accounts. For more information, read our advice on passphrases and password managers.
Microsoft Office applications can execute macros to automate routine tasks. Macros can be used to deliver malware to your device, so they should be used with caution.
If you don’t need to run macros, it is best practise to disable them. If you do need to run macros, consider preventing them from running automatically and restricting which macros can run.
- Microsoft has published guidance on configuring macros settings on their support website: support.microsoft.com
The ACSC has published a guide on Microsoft Office macro security.
Controlling who can access what on your devices will help reduce the risk of malware.
To do this, follow the principle of least privilege and give users access and control only to what they need. This can be done by making sure each person's account has the right privileges.
There are two types of accounts you can set up on Microsoft Windows and Apple macOS: a standard account and an administrator account. Everyday users should have a standard account. Only those who need it should have an administrator account. Consider creating a standard account to use as your main account, as they are less susceptible to malware. It’s also important that users don’t share their login details for accounts.
If you use a Windows device, follow Microsoft’s guidance on adding a new account. Once you have added a new account you will see it appear on the ‘Family & other users’ settings page. Select the new account, change account type then choose ‘standard account’ from the drop-down menu.
If you use a Mac, refer to Apple’s guidance on setting up users, guests, and groups.
In a business environment, access controls might be managed by your IT provider or IT staff. Speak to them if you are unsure how to action this step.
Ransomware is a type of malware. Some antivirus products offer ransomware protection. Make sure you enable this function to protect your devices.
For Microsoft Windows devices, you can enable controlled folder access within Windows Security. This will prevent designated files on your device from being encrypted by ransomware. For more information, visit Microsoft’s website.
Protect yourself from scams
Being alert to scam messages is a great way to protect yourself online. Learn to spot scams.
- Don’t click on links if you think the message might not be legitimate. Often, scammers pretend to be a person or organisation you trust.
- Don’t download files if they have a different file extension than what you were expecting (for example, a file that ends in .exe or .msi when you were expecting a PDF or image).
- Don’t plug anything into your device that you do not trust. Malware can be delivered through chargers, cables, USB mass storage/flash drives and many more. If you don’t know where it's been or you do not trust the manufacturer or person, do not plug it in.
- Don’t allow image previews in your emails from non-trusted sources. Viruses can attach themselves to images, this can be disabled in the settings or options of the program you are using.
- Don’t download applications from third-party download sites that are not widely known to be legitimate. Use the official store for your device instead. For example, the Apple App Store, the Google Play Store or the Microsoft Store.
- Don’t click on online ads to download applications, and do use ad-blocking software.
- Don’t download and install applications from peer-to-peer networks; you never know who has changed the files.
- Don’t click on links in emails or instant messages, or execute attachments unless you are sure they are legitimate. Use a spam filter to protect yourself from malicious messages. If you want to log in to a service or account, visit their website directly rather than clicking on a link that may not be legitimate.
- Don’t install applications received from contacts, say via email or USB sticks, without scanning them with your antivirus application first.
Extra Steps for Small Business
If you use a NAS or other server in your home or business, take extra care to secure it. These devices are common targets for cybercriminals because they often store important files, or perform important functions.
There are many mitigation strategies required to protect these devices from malware. For example, it’s important to ensure any server or NAS devices are updated regularly and accounts are secured with a strong passphrase or multi-factor authentication. You should also consider monitoring and setting up alerts for high disk activity and account logins on these devices.
If you need help to secure you NAS or server, including specific mitigation advice, speak to an IT professional.
Audit and secure any internet exposed services on your network (remote desktop, file shares, webmail, remote administration services). Discuss this with an IT professional if you are unsure.
Consider using online or cloud services that offer built-in security, instead of managing your own. For example, use online services for things like email or website hosting.
Secure your business by implementing further guidance form the ACSC. The ACSC has published guidance for a variety of platforms and business sizes including:
Small business cybersecurity guide – This guide is targeted at small businesses, particularly small businesses that have limited cybersecurity expertise and relatively low cybersecurity risks.
Small business cloud security guides – These guides are targeted at Small to Medium organisations that use software as a service capabilities or cloud-managed endpoints and are exposed to typical cybersecurity risks.
Strategies to mitigate cybersecurity incidents - The ACSC has developed prioritised mitigation strategies to help organisations protect themselves against various cyberthreats. The most effective of these mitigation strategies are the Essential Eight.
Exercise in a Box – The ACSC has an online tool to help you understand your preparedness and resilience to cybersecurity incidents.