Cybersecurity Advice From The UK’s National Cyber Security Centre
We spoke to the former head of the UK’s National Cyber Security Centre to get some good advice for businesses.
Having robust cybersecurity defenses is extremely important for large businesses because they come under so many different kinds of cyber attack. The most common cyber attack they see are phishing and spear phishing attacks, but they also see distributed denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, drive-by attacks and SQL injection attacks among many others.
Anyone who reads the news can tell you that the most recent high profile attacks involved Twitter accounts being hacked, and a sophisticated cyber-attack on Australia’s government and institutions. But they are just the tip of the iceberg, recently it feels like businesses are experiencing attacks every day of the week, so I spoke to Peter Yapp, the former Deputy Director at the UK’s National Cyber Security Centre (NCSC) to discuss how businesses can prepare for potential attacks.
TA: Where do businesses start when preparing a cybersecurity strategy?
PY: We read a lot about cyber threats and attacks but, if they don’t directly relate to our organisation, we tend not to take much action. And yet, when it comes to a breach, prevention is so much better than the cure. It might not have been your business today but the odds are it will happen at some point – even if you’ve already been attacked in the past.
Just looking at whether there are threats to your organisation is the wrong focus and will potentially lead to a false sense of security. So many of the current breaches are collateral damage from an attack on another organisation. Organisations are being breached because they were vulnerable and easy pickings in a wider attack. In some cases, the attackers starting point is to scan the internet for known vulnerabilities and then exploit the easiest to access. Every vulnerable organisation can become a target (and there are many out there) and this throws the threat focus on its head.
Every single organisation should therefore not only know where they’re vulnerable, but should have an incident response plan in place for when the worst happens. While a lot of companies run a penetration test every six months (or even just once a year), this only gives a snapshot, so it’s essential that a vulnerability scan is also completed on a daily basis, as part of normal business operations, in order to understand what the attack surface looks like and where the weaknesses are.
When you consider that even the most sophisticated IT teams will still make mistakes every now and then, even the newest software services might not be as secure as they should be. If you just look at this incident and think ‘I’m not a pharma company so see no threat from this’, then you’ve really missed the point.
You should be proactively protecting against every hacker and every kind of attack. And once they’re in, they’re in – they might not use the weakness they’ve found today, but if you don’t do anything to patch it, then they’ll still be able to use it when your business is of commercial use to them. Take the worldwide attack on Managed Service Providers (MSPs) for instance – the attack used a few MSPs service providers to get into thousands of their clients worldwide. The attack was about seeing who had an open door, rather than necessarily wanting all of those companies’ data in that moment. Don’t rest on your laurels because you’re not in the affected space.
TA: As more businesses need to track customers becaue of COVID (from pubs taking down names to airport testing), they are dealing with unprecedented amounts of data, and often hope that their small size will protect them from criminal notice. Yet their lack of security infrastructure puts them at greater risk – so how can businesses best protect their customers’ data and their systems?
PY: It doesn’t matter about the size of the company, an attack is often random and you could be lucky or unlucky with it. Across the hacker community, people are always looking for ways to monetise things. So, if you have a vulnerability and they come across it, then they’ll take that opportunity. COVID-19 means more customers are parting with their personal data than they’ve needed to before, handing it over to pubs and restaurants who haven’t necessarily had to hold on to that information in the past. But it’s personal data that tends to equal money. So, if you happen to be holding it anywhere unsecure – then that’s a massive red flag and you’ll likely be a target.
The best way businesses of all sizes can protect against this is to make sure all hardware and software systems are up to date. While people often view software updates as a nuisance, they’re not. They are incredibly important in keeping security updated, and to plug existing holes in any systems. It’s also very important all staff who have access to customer databases have very strong passwords. The NCSC recommends picking three random words for this. Furthermore, the most business-critical applications should be supported by two-factor authentication, even if none of the other systems are.
It might take some time and effort to make sure that these practices are in place, but it will be invaluable in the long term. You must also take the time to educate your workforce, and let them know they should report when something looks odd. They can either be your strongest or weakest link, so make them your strongest. Even in a team that’s had thorough security training, one in ten people will click on phishing emails, so let them know they can come to you and tell you if that’s happened. Tell people how to stop them, how to notify you, and to let them know they can tell you without getting in trouble.
TA: The boards of businesses of all sizes are still struggling to understand the business risk of cybersecurity, often still viewing it as a detached part of the business that is the responsibility of the ‘IT Team’, and yet has the potential to devastate a business. What is the importance of clear protocols and frameworks that managers/board directors must consider in their risk management strategies?
PY: Cybersecurity is a business risk like any other, it’s not just an IT issue that should be left to one particular team. Unfortunately, we’ve grown up thinking that it needs to be left to very technical people, and it’s seen as a niche skill. That means that, as business leaders have progressed through the business, they’ve not tried to understand cybersecurity or seen how fundamental it has become to the whole of their business,
As these people came up through the business, they tended to leave security to someone else – the tech team – expecting them to sort it out. But that’s wrong, security (and the consequences of getting it wrong) are such an integral part of the business now. It needs to be a boardroom issue and the people at the head of the business need to take responsibility for it. For instance, these boards are used to asking complex questions about finance, even if they’re not accountants.
But they know they need to understand that to some extent. That should be exactly the same case with cybersecurity. Even if they don’t feel as comfortable having conversations on technology, or understand the intrinsic details of how security systems work, there are toolkits available to give the board questions to ask the CISO in order to know what the estate is like – and help them understand what answers they should expect or how to interpret them. It should be treated like any other risk in the risk portfolio.
Too often, CISO’s share the same budget as the CIOs they report to, which creates a huge conflict of interest and results in the CIO simply viewing cybersecurity as an add-on. The CISO needs to report to the board in their own right, and have their own delegated budget. We saw some good movement in this direction around GDPR, but it’s still not on business leaders’ radar as much as it should be, which is risky, given the large fines the whole business could incur should they get their approach wrong.
Sections of this interview first appeared in my article for Benzinga.com