Keith Nation
Managing Director & CTO

Cyber-attacks are the third most likely global risk for 2018, behind extreme weather conditions and natural disasters, according to findings from the World Economic Forum’s Global Risk Report 2018 released earlier this year.


Cyber-risks have intensified, particularly in 2017, both in their prevalence and disruptive potential. High profile examples last year were the WannaCry attack, which affected 300,000 computers across 150 countries, and NotPetya, which caused quarterly losses of $300m for a number of impacted businesses.


Other notable large-scale attacks have been made on retailers including international online marketplace eBay and the US clothing store Target. Collectively, these cyber attacks have made everyone from executives to shoppers more aware of the threat hackers pose to the online world.


In response, the National Cyber Security Centre, part of GCHQ, has created a new guide on how businesses can shield themselves from potential online attacks. Here we’ve outlined its recommendations:


1. Embed a risk management policy

NCSC recommends that businesses embed an appropriate risk management regime, which should be supported by an empowered governance structure, actively endorsed by the board and senior managers. Management must clearly communicate its approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.


2.  Implement a secure configuration

The best practice guidelines suggest IT teams implement a configuration management system to improve the security of systems. There should be a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.


3. Improve your network security

The connections from networks to the internet, and other partner networks, expose systems and technologies to attack. The recommendations suggest IT teams create and implement appropriate architectural and technical responses, which can reduce the chances of these attacks succeeding (or causing harm to an organisation). Networks span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, the NCSC suggests businesses think about where data is stored and processed, and where an attacker would have the opportunity to interfere with it.


4. Manage user privileges

If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that users account will be more severe than it need be. The NCSC suggests all users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.


5. Educate users

Users have a critical role to play in an organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. The NCSC recommends organisations implement a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.


6. Create an incident management process

No organisation is immune to security incidents. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact an attack may have. The NCSC recommends that businesses identify and consult recognised sources (internal or external) of specialist incident management expertise.


7. Install malware prevention

Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach says the NCSC.


8. Continually monitor

Cyber-crime prevention is at its optimum when systems are continually monitored this enables businesses to detect actual or attempted attacks on systems and business services as they happen. In addition, monitoring allows organisations to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements set out by the NCSC.


9. Control removable media

Removable media is often a common route for the introduction of malware and the accidental or deliberate export of sensitive data. According to the NCSC, organisations should be clear about the business need to use removable media and apply appropriate security controls to its use.


10. Establish a home and mobile working policy

The increase in mobile working and remote system access exposes new risks that need to be managed. Organisations should establish risk-based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Users need to be trained on the secure use of their mobile devices in the environments they are likely to be working in.


ORM's view 

Cyber security is a real and growing threat to digital businesses. Anyone from disgruntled employees through to rogue states and hacktivists can undermine and exploit vulnerabilities that are present in all software, no matter how well tested. All online businesses should undergo regular cyber security assessments with specialist third parties that follow the NCSC best practice guidance. We also recommend that multiple layers of security are employed together with recognised third-party products that protect against specific threats such as DDoS. The bottom line, however, is to be vigilant and continue to review and invest in cyber security – you never know when you’ll need it.  


Disclaimer: the cyber security recommendations within this blog have been designed by the NCSC. Although they can help to significantly reduce the chances of your business becoming a victim of cyber crime, they can’t guarantee protection from all types of cyber attack. For more help and information on Cyber Security contact the NCSC.