February/March 2020

A look inside the National Cyber Security Centre

Cyber security has steadily gained importance over the past few years for many businesses and organisations, large or small, and is continuing to be part of the critical dialogue in setting up any business today. Especially when we look at GDPR compliance, businesses need to address the problem of cyber threats far more rigorously than ever before. The National Cyber Security Centre was established in 2016 by the government at the time and replaced a variety of different organisations and parts of organisations looking at the issues of cyber security. The new remit of the centre was to help the UK become a safe place to live and work online. The centre has a comprehensive website offering help and advice for many of the UK’s businesses and organisations, and describes its principal role as supporting the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public.

What does the NCSC do?
• Understands cyber security, and distils this knowledge into practical guidance that is available to all.
• Responds to cyber security incidents to reduce the harm they cause to organisations and the wider UK.
• Uses industry and academic expertise to nurture the UK’s cyber security capability.
• Reduces risks to the UK by securing public and private sector networks.

History of the NCSC
Launched in October 2016, the NCSC has headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure. The NCSC provides a single point of contact for SMEs, larger organisations, government departments and agencies, and the general public. It also works collaboratively with law enforcement, defence, the UK’s intelligence and security agencies and international partners.

How can the NCSC help businesses?
The NCSC provides a helpful guide for small businesses to follow. This advice can also be applied to larger businesses and organisations, and much more information is available on the centre’s website for organisations of every size.

Step 1 – Backing up your data
Think about how much you rely on your business-critical data, such as customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them. All businesses, regardless of size, should take regular backups of their important data, and make sure that these backups are recent and can be restored. If you have backups of your data that you can quickly recover, you can’t be blackmailed by ransomware attacks.

Your first step is to identify your essential data. That is, the information that your business couldn’t function without. Next, keep your backup separate from your computer. Whether it’s on a USB stick, on a separate drive or a separate computer, access to data backups should be restricted so that they are not accessible by staff and not permanently connected (either physically or over a local network) to the device holding the original copy. Ransomware (and other malware) can often move to attached storage automatically. Cloud storage solutions are a cost-effective and efficient way of achieving this. Lastly, make backing up part of your everyday business. The majority of network or cloud storage solutions now allow you to make backups automatically.
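Step 1 stresses that a backup is only useful if it is recent and can actually be restored. The following is an added example, not NCSC code or guidance, of how a small business could script that check: it records a hash of every essential file, reads each file back out of the backup archive and compares it, and flags the backup if it is older than an agreed threshold. The sample data, archive names and the 24-hour threshold are all constructed for illustration.

```python
"""Added example: check that a backup is recent and restores intact.

Not NCSC code. Sample data, archive names and the 24-hour freshness
threshold are constructed assumptions for illustration.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(data_dir: Path) -> dict:
    """Record the hash of every essential file, keyed by its relative path."""
    return {
        p.relative_to(data_dir).as_posix(): sha256_of(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(data_dir: Path, backup_path: Path) -> None:
    """Write a compressed tar archive of data_dir using relative member names."""
    with tarfile.open(backup_path, "w:gz") as tar:
        for p in sorted(data_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(data_dir).as_posix())


def verify_backup(backup_path: Path, manifest: dict, max_age_hours: float) -> dict:
    """Read every expected file back out of the archive and compare hashes.

    Members are read by name from the manifest rather than extracted wholesale,
    so unexpected entries in the archive are never written to disk.
    'ok' is True only if the backup is fresh AND every file matches.
    """
    age_hours = (time.time() - backup_path.stat().st_mtime) / 3600
    missing, mismatched = [], []
    with tarfile.open(backup_path, "r:gz") as tar:
        names = set(tar.getnames())
        for rel, expected in manifest.items():
            if rel not in names:
                missing.append(rel)
                continue
            member = tar.extractfile(rel)
            actual = hashlib.sha256(member.read()).hexdigest()
            if actual != expected:
                mismatched.append(rel)
    fresh = age_hours <= max_age_hours
    return {
        "ok": fresh and not missing and not mismatched,
        "age_hours": age_hours,
        "missing": missing,
        "mismatched": mismatched,
    }


def run_demo() -> tuple:
    """Constructed scenario: one healthy backup and one stale backup missing a file."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        data = work / "data"
        (data / "customers").mkdir(parents=True)
        (data / "customers" / "list.csv").write_text("id,name\n1,Example Ltd\n")
        (data / "orders.txt").write_text("order 1001: 3 widgets\n")

        manifest = make_manifest(data)
        good = work / "backup-good.tar.gz"
        create_backup(data, good)
        good_report = verify_backup(good, manifest, max_age_hours=24)

        # Simulate a backup taken before orders.txt existed, three days ago.
        (data / "orders.txt").unlink()
        stale = work / "backup-stale.tar.gz"
        create_backup(data, stale)
        three_days_ago = time.time() - 3 * 24 * 3600
        os.utime(stale, (three_days_ago, three_days_ago))
        stale_report = verify_backup(stale, manifest, max_age_hours=24)
    return good_report, stale_report


if __name__ == "__main__":
    for label, report in zip(("good", "stale"), run_demo()):
        print(label, report)
```

Run the check on a schedule from a machine that is not the one holding the originals, and treat any report with `ok` false as an incident to investigate rather than a warning to dismiss.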

Step 2 – Protecting your organisation from malware
Malicious software (Malware) is software or web content that can harm your organisation. The most well-known form of malware is viruses, which are self-copying programs that infect legitimate software. Antivirus software – which is often included for free within operating systems – should be used on all computers and laptops.

Staff should also be prevented from downloading dodgy apps. You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). Making sure that software and firmware is always kept up to date with the latest versions from software developers, hardware suppliers and vendors (known as patching) is one of the most important things you can do to improve security. Operating systems, programmes, phones and apps should all be set to ‘automatically update’.

Controlling how USB drives (and memory cards) can be used is also crucial. It only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organisation. When drives and cards are openly shared, it becomes hard to track what they contain, where they’ve been, and who has used them. You can reduce the likelihood of infection by using antivirus tools and only allowing approved drives and cards to be used within your organisation – and nowhere else. You can also ask staff to transfer files using alternative means (such as by email or cloud storage), rather than via USB.

Finally, firewalls create a ‘buffer zone’ between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on.

Step 3 – Keeping your smartphones (and tablets) safe
Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment. A very basic safeguarding measure is to simply switch on password protection. Using a suitably complex PIN or password (as opposed to a simple one that can be easily guessed or gleaned from your social media profiles) will prevent the average criminal from accessing your phone. Many devices now also include fingerprint recognition to lock your device. It’s also possible now to ensure lost or stolen devices can be tracked, locked or wiped. Staff are more likely to have tablets or phones stolen (or lose them) when they’re away from the office or home.

Another important task is to make sure the operating systems on devices are kept up to date at all times. All operating system providers (for example of Windows, Android and iOS) release regular updates that contain critical security updates to keep the device protected. Just like the operating systems on your devices, all the applications that you have installed should also be updated regularly with patches from the software developers. These updates will not only add new features, but they will also patch any security holes that have been discovered.

Finally – don’t connect to unknown Wi-Fi Hotspots. When you use public Wi-Fi hotspots (for example in hotels or coffee shops), there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does. If you connect to these hotspots, somebody else could access what you’re working on whilst connected, plus your private login details that many apps and web services maintain whilst you’re logged on. The simplest precaution is not to connect to the Internet using unknown hotspots – instead use your mobile 3G or 4G network which will have built-in security. You can also use Virtual Private Networks (VPNs).

Step 4 – Using passwords to protect your data
Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users. The obvious first step is to set a screenlock password, PIN, or other authentication method (such as fingerprint or face unlock). The NCSC blog has some good advice on passwords. If you’re mostly using fingerprint or face unlock, you’ll be entering a password less often, so consider setting up a long password that’s difficult to guess.

For ‘important’ accounts use two-factor authentication (also known as 2FA). If you’re given the option for any of your accounts, you should use it; it adds a large amount of security for not much extra effort. 2FA requires two different methods to ‘prove’ your identity before you can use a service, generally a password plus one other method. This could be a code that’s sent to your smartphone (or a code that’s generated from a bank’s card reader) that you must enter in addition to your password. Avoid using predictable passwords within your business. If you are in charge of IT policies, make sure staff are given actionable information on setting passwords that is easy for them to understand. Passwords should be easy to remember, but hard for somebody else to guess.

Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure that every user has personal access to the right systems, and that the level of access given is always the lowest needed to do their job, whilst minimising unnecessary exposure to systems they don’t need access to.

This now leads on to helping your staff cope with ‘password overload’. If you’re in charge of how passwords are used in your organisation, there are a number of things you can do that will improve security. Most importantly, your staff will have dozens of non-work related passwords to remember as well, so only enforce password access to a service if you really need to. Where you do use passwords to access a service, do not enforce regular password changes. Passwords really only need to be changed when you suspect a compromise of the login credentials. You should also provide secure storage so staff can write down passwords for important accounts (such as email and banking), and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily. Also consider using password managers, which are tools that can create and store passwords for you that you access via a ‘master’ password. Since the master password is protecting all of your other passwords, make sure it’s a strong one, for example by using three random words.

Finally, one of the most common mistakes is not changing the manufacturers’ default passwords that smartphones, laptops, and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords.

Step 5 – Avoiding phishing attacks
In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to bad websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation’s information. Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point. There are some easy steps to help you identify the most common phishing attacks, but be aware that there is a limit to what you can expect your users to do.

A first step would be to configure your staff accounts in advance using the principle of ‘least privilege’. This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced. To further reduce the damage that can be done by malware or loss of login details, ensure that your staff don’t browse the web or check emails from an account with Administrator privileges, which can be far more damaging than accessing a standard user account. Use two-factor authentication (2FA) on your important accounts such as email.

Next, consider ways that someone might target your organisation, and make sure your staff all understand normal ways of working (especially regarding interaction with other organisations), so that they’re better equipped to spot requests that are out of the ordinary. Common tricks include sending an invoice for a service that you haven’t used, so when the attachment is opened, malware is automatically installed on your computer. Another is to trick staff into transferring money or information by sending emails that look authentic. Think about your usual working practices and how you can help make these tricks less likely to succeed.

Next, it’s important to check for the obvious signs of phishing. However, expecting your staff to identify and delete all phishing emails is an impossible request and would have a massive detrimental effect on business productivity. Many phishing emails still fit the mould of a traditional attack, so look for warning signs like bad grammar and spelling plus links within the emails that go directly to a sign-in page. Email filtering services attempt to send phishing emails to spam/junk folders. However, the rules determining this filtering need to be fine-tuned for your organisation’s needs. You may also have to change the rules over time to ensure the best compromise.
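The warning signs listed in this step (links that lead straight to a sign-in page, sender details that do not add up, pressure to act immediately) are exactly the kind of rules a filtering service applies and that an organisation then tunes. The following is an added example, not NCSC code or any particular filtering product, that scores two constructed messages against those signs. The word lists, the scoring weights, the threshold of 2 and the `.test` domains are all assumptions made for illustration; real filtering needs tuning against your own mail, as the text says.

```python
"""Added example: score an email against common phishing warning signs.

Not NCSC code. Word lists, weights, the threshold and the sample messages
are constructed assumptions for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "within 24 hours"}
SIGN_IN_HINTS = {"login", "signin", "sign-in", "verify", "account", "password"}
SUSPICIOUS_THRESHOLD = 2  # assumed: two or more signs routes the mail to junk


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_domain(text: str) -> bool:
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/.*)?", text.strip(), re.I) is not None


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, with a leading 'www.' removed."""
    s = url.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_message(raw: str) -> dict:
    """Return a score, the reasons behind it, and whether it crosses the threshold."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    reasons = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")

    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = host_of(href)
        if looks_like_domain(text) and host_of(text) != href_host:
            reasons.append(f"link text shows {host_of(text)} but leads to {href_host}")
        target = href_host + urlparse(href).path.lower()
        if any(w in target for w in SIGN_IN_HINTS):
            reasons.append(f"link goes directly to a sign-in style page: {href}")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        reasons.append("urgent or threatening language in subject or body")

    return {"score": len(reasons), "reasons": reasons,
            "suspicious": len(reasons) >= SUSPICIOUS_THRESHOLD}


# Constructed sample messages (not real mail); .test domains are reserved for examples.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.test>
Reply-To: recover@mail-collector.test
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Dear customer, verify your details immediately.</p>
<a href="http://examplebank.secure-login.test/login">https://www.examplebank.test/</a>
"""

LEGITIMATE_SAMPLE = """\
From: "Example Bank" <news@examplebank.test>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement for March is available.</p>
<a href="https://www.examplebank.test/statements">View statements</a>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, score_message(sample))
```

The point of returning the reasons rather than just a verdict is tuning: when a genuine supplier's invoice is routed to junk, the reason tells you which rule to relax for that sender, and when a phish slips through, the missing reason shows which sign your rules do not yet cover.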

Finally, attackers use publicly available information about your organisation and staff to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’). Understand the impact of information shared on your organisation’s website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers)?

The National Cyber Security Centre has a website featuring many articles and resources to help your business or organisation safeguard against cyber crime.

Visit www.ncsc.gov.uk to find out more.

Please note – the above text has been taken and edited from the National Cyber Security Centre website. It contains public sector information licensed under the Open Government Licence v3.0.