FACT SHEET

Emergency Services Sector Cybersecurity Best Practices

Many cybersecurity incidents can be prevented with a few simple, low cost protective measures.
Publish Date

Cybersecurity is one of the most important security considerations for Emergency Services Sector (ESS) organizations. From targeted incidents, such as ransomware attacks, to unintentional acts, such as failure to properly install security updates, poor cybersecurity practices can cause severe operational problems and the needless expenditure of funds.

General Best Practices

ESS organizations frequently use networked computers and smartphones for a variety of operational functions, such as computer-aided dispatch systems, communications backup to radio systems, and storage and connectivity to databases. Below are general practices that can be implemented and included in plans and policies:

  • Create strong passwords using a combination of upper and lowercase letters, numbers, and special characters. Avoid words and basic patterns (e.g., '12345' or 'qwerty') and use a different password for each account.
  • Ensure devices require the user’s password to be entered each time it is turned on, restarted, or woken up.
  • Change the default password (set by the manufacturer) on all devices that have one.
  • Ensure auto-run is turned off for USB drives, CD/DVD drives, etc., to prevent programs from being run just by inserting the drive into a device or by turning the device on.
  • Ensure devices automatically sleep or shut down when unattended for a period of time.
  • Ensure anti-virus software is turned on and kept up to date on all devices.
  • Ensure firewalls are turned on and kept up to date on all devices.
  • Ensure application updates are downloaded and installed as they become available.
  • Ensure the operating system is updated to the newest version on all devices.
  • Do not use an administrator account as your primary user account.
  • When not specifically being used, ensure Wi-Fi, Bluetooth, and personal hotspots are turned off.
  • When disposing of a computer or smartphone, do not donate or throw away after deleting information. Data recovery software exists that may be able to retrieve information even after deletion. Information is still on the device until removed by specialized software designed to wipe the hard drive or complete physical destruction of the hard drive.
  • For agencies with a bring your own device (BYOD) program, ensure implementation of security policies and practices to limit risk.
  • Restrict personal use of agency devices. Specific vulnerabilities include browsing websites, accessing personal email, and downloading apps without encryption.
  • Use multi-factor authentication to access computer systems with at least two of the following:
    • Knowledge factor—something you know, such as a password
    • Possession factor—something you have, such as an identification card that a computer can read
    • Inherence factor—something you are, such as fingerprint identification

Social Networking Best Practices

ESS organizations and personnel are increasingly using social media not only for personal use, but also as a means to inform the public about day-to-day activities and emergencies and to receive feedback and information from the public. Social media practices that ESS organizations and personnel can implement include:

  • Avoid posting work-related information, such as employer name, job location, and security clearance.
  • Avoid posting personal information, such as home address, phone number, email address, and social security number.
  • Avoid posting current or future travel plans that broadcast when your home will be unoccupied.
  • Avoid posting personal information about family members/friends/co-workers, and ask them to avoid posting personal information about you.
  • Use caution when posting pictures. Pay specific attention to close-up facial pictures, locations, backgrounds, and picture metadata.
  • Be aware of your privacy and security settings to limit your visibility as desired.
  • Verify through other means that a contact request actually came from the person that it appears to have come from.
  • Occasionally search for yourself in various social media sites (even if you do not have an account) to see if any data appears, such as personal info or a fraudulent account with your name.
  • Use caution when you 'like' pages or accept contacts. The page owner or contact will now have your contact Information and access to your profile.
  • Do not post pictures or other information unless you are comfortable with everyone having access to it.
  • Once you post information to the Internet, it is there forever—even if you delete it from your account and your computer. Some sites and applications track what you type, even if you delete it before actually posting.
  • Be cautious with add-ons (i.e., plug-ins, games, and applications) because they are frequently written by other users, not the host site. Once installed, the author (and others) may be able to access your data.
  • Information posted on social networking sites has led to retractions of job offers and employment terminations, and has been used in civil and criminal proceedings.

Wi-Fi Best Practices

Wi-Fi is any wireless local area network (WLAN) and is commonly used as a way to wirelessly connect mobile devices to a network, such as the Internet, using radio waves. Public Wi-Fi hotspots (e.g., coffee shops, libraries, airports) are convenient, but they are often not secure. If you connect to a Wi-Fi network and send information through websites or mobile apps, it might be accessed by someone else. Below are some helpful tips on protecting yourself while using Wi-Fi networks:

  • Encryption 'scrambles' the information you send over the Internet into a code so it is not accessible to others. When you are using wireless networks, it is best to send personal information only if it is encrypted—either by an encrypted website or a secure Wi-Fi network. An encrypted website protects only the information you send to and from that site. A secure wireless network encrypts all the information you send using that network.
  • To determine if a website is encrypted, look for ‘https’ (as opposed to ‘http’) at the start of the web address. (The ‘s’ stands for 'secure'.) Some websites use encryption only on the sign-in page, but if any part of your session is not encrypted, your entire account could be vulnerable. Look for ‘https’ on every page you visit, not just when you sign in.
  • Unlike websites, mobile apps do not have a visible indicator like ‘https’. Researchers have found that many mobile apps do not encrypt information properly, so it is a bad idea to use certain types of mobile apps on unsecured Wi-Fi. If you plan to use a mobile app to conduct sensitive transactions—like filing your taxes, shopping with a credit card, or accessing your bank account —use a secure wireless network or your phone’s data network (often referred to as 4G or 5G).
  • If you must use an unsecured wireless network for transactions, use the company’s mobile website (where you can check for the ‘https’ at the start of the web address) instead of the company’s mobile app.
  • To protect your information when using Wi-Fi hotspots, send information only to sites that are fully encrypted and avoid using mobile apps that require personal or financial information.

Bluetooth Best Practices

Complementing Wi-Fi, Bluetooth is a wireless technology used for transmitting and receiving data over short distances using very little power. Bluetooth simplifies discovery and connection between a variety of devices that are commonly used by the ESS, such as smartphones, tablets, laptops, headsets, and vehicles. Bluetooth specifications establish a minimum range of 10m/33ft, but, depending on conditions, can operate at a range of 100m/330ft or more.

Bluetooth can be set up on devices to establish trusted users with known connections; any other connection will require the user to allow the connection. Also, Bluetooth can be placed in a non- discoverable mode, which limits the ability of other Bluetooth devices to detect it, or it can be turned off completely, when not needed.

Email Best Practices

Emails are an easy and reliable mechanism to transmit a variety of data. Desktop and laptop computers, tablets, and smartphones can all access emails, but they also provide a variety of vulnerabilities. Some easy measures to protect your devices that access email include:

  • Pay attention when using Reply vs. Reply All vs. Forward. They are all different and can be the difference between a single infected computer and multiple infected computers.
  • Be cautious of unsolicited emails as they are a common method of virus transmission.
  • Be cautious of suspicious emails, even if they appear to come from people or organizations you know. Someone may have spoofed the email address so it appears to come from a known source.
  • If you receive an unsolicited or suspicious email, and you cannot verify through other means that it is legitimate, delete it without opening it.
  • Do not reply to spam or harassing emails.
  • Turn off the option to automatically download attachments.
  • Create a user account on your computer for day-to-day use that is separate from the administrator account. The day-to-day account should have limited or restricted privileges in order to limit the ability of malware to function.
  • Do not open attachments until you have scanned them with anti-virus software.
  • Turn on automatic disabling of hyperlinks. This will prevent hyperlinks within suspicious emails from being enabled.

Contact Us

For more information, visit CISA | Emergency Services Sector or email EmergencyServicesSector@cisa.dhs.gov.