UK businesses urged to ensure they do cyber security basics

The cyber threat to UK businesses is “bigger than ever”, according to the latest joint cyber threat report by the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

Asked how businesses should respond to the report, NCSC technical director Ian Levy said: “If they do nothing else, they should do the basics. Of all the incidents we have investigated in the past year, almost all of them could have been prevented or at least mitigated to a great degree by the basics.”

Jacqui Chard, deputy director, defence and national security at the NCSC, said the report again underlines the importance of following best practice and putting processes in place to ensure “basic cyber hygiene”.

The important take-aways for cyber crime and good practices contained in the NCSC-NCA report also apply to the defence and national security sectors, said Chard.

“Although we think predominantly about the operational ‘in theatre’ risk, our people need to be equipped with the insights provided by the report,” she said. “While the defence and national security sectors are typically extremely capable technically, we still have a really big workforce around the world and a large partner network, so lessons around good practice and basic cyber hygiene apply to all of them.”

Although the NCSC is not saying that organisations need to patch every sever, Levy said the ones on the internet absolutely should be patched up to date, and although the NCSC is not saying organisations should use two-factor authentication for everything, they should for all critical systems.

“It’s those sorts of things – decent patch management, decent credential management, and a decent network architecture – that are going to save people in the short term,” he said.

All cyber attacks work on the basis of a return on investment, said Levy, whether it involves nation states or cyber criminals. “If you can mess about with the model, they will go somewhere else,” he said. “If you can make it that your organisation is not collateral, they will go somewhere else.”

The NCSC’s Active Cyber Defence (ACD) programme, which is aimed at increasing risk to cyber adversaries and reducing their return on investment to protect the majority of people in the UK from cyber attacks, achieved significant success in its first year in reducing the UK’s share of global phishing attacks, shutting down more than 100,000 phishing sites hosted in the UK, removing thousands of spoofed UK government domains, and blocking millions of malicious emails each month.

Now that the NCSC has proved that those simple technical measures have had a “decent effect” on attackers, Levy said the next step is to scale that to be UK-wide and run by the private sector.

“For example, the day after our first annual report was published, BT announced it had set up a free sharing platform for all ISPs [internet service providers],” he said. “The idea is that we get ISPs to protect their residential, SME and charity customers by default for free, and that is how we can change the scope of attacks against the UK.”

The ACD programme includes the use of the domain-based message authentication, reporting and conformance protocol (Dmarc), which helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as if they have come from a trusted address.

“Not only do we want industry in the UK to use Dmarc, we also want to help change software so that it is easier for people to see when they are being spoofed,” said Levy. “We are looking to do something with the major software and service providers to give people better information, so it is harder to spoof people using email.” 

Another key component of the ACD programme is Web Check, which performs some simple tests on public sector websites to find security issues. It provides clear reporting to the service owners, along with advice on how to fix any problems.

However, it is not clear yet how this service can be scaled up to be UK-wide, said Levy. “And that is not a technical problem, but a market problem. If we provide free vulnerability scanning for charities in the UK, for example, it is not clear whether that will kill the market or raise it up. So we need to do a set of studies to work out how this will scale.”

In the coming year, the NCSC plans to introduce “three or four” new elements to its ACD programme, which, like the first few, will be tested for effectiveness across government departments.

“One is a vulnerability disclosure pilot, which is in response to complaints by security researchers about how difficult it is to report vulnerabilities to government,” he said. “This initiative is aimed at making sure that it is easier and simpler to report vulnerabilities and ensuring that government takes its responsibility seriously and fixes things in a sensible way.”

Another initiative is aimed at building a tool that discovers what infrastructure the government is using to enable automatic alerts of associated security risks. “If we know everybody who is using something, when a vulnerability in that thing is discovered, we can automatically alert all those affected,” said Levy.

The NCSC-NCA cyber threat report also includes case studies and summaries of the top 30 incidents in the past year. “They all have something that enterprises can take away,” said Levy.

“Organisations need to think about how they can respond before it happens to them because no organisation wants to be innovating through a crisis. Instead, you want a well-practised incident response playbook that sets out what are the most critical systems, what action to take and who to contact.

“It there is one thing I would ask big businesses to do, it would be to invest in some planning and to ensure that their boards know what questions they should be asking around cyber security because a lot of CIOs are not happy to be challenged in the way that I think they should be.

“If a CIO can defend his or her decisions and explain them in a way the board can understand, they possibly do not understand the issues well enough themselves to be doing the job effectively.”