NCSC Releases Guidelines on How Organisations Can Address “Heightened” Cyber Threat

Organisations in the UK are being urged to bolster their data protection measures as the Russian invasion of Ukraine continues.

The incursion has been accompanied by a flurry of cyber attacks from hackers on both sides of the conflict. Russia has launched a malware attack on the Ukrainian military and a phishing campaign targeting Ukrainian soldiers, while opposition forces have also deployed cyber capabilities.

A group of Ukrainian hackers took the Moscow Stock Exchange offline on Monday, while the hacking collective Anonymous, which has declared “cyber war” against Russia, said it had taken down RT News, the Russian state-controlled television network.

Cyber security experts warn that these salvos could escalate and damage organisations unaffiliated with the conflict.

J. Michael Daniel, the head of Cyber Threat Alliance and former White House cyber coordinator for President Barack Obama, warned that sophisticated attacks, such as worms, could create spillover incidents that go beyond their intended target.

“You could take anything from emergency services, health care systems, or other things offline without meaning to. Which both has an immediate impact – you could hurt civilians inside Russia – and it could also inadvertently escalate things if the Russians perceive that as a direct order,” he said.

Meanwhile, the UK’s NCSC (National Cyber Security Centre) has warned businesses that they could be targeted by Russian cyber criminals.

It said: “UK organisations are being urged to bolster their cyber security resilience in response to the malicious cyber incidents in and around Ukraine.”

Since then, the UK has strengthened its sanctions against Russia, which has increased the threat to organisations in the country.

What actions can you take?

In January, the NCSC published guidelines on the steps that organisations can take to address “heightened” cyber threats. Although it doesn’t specifically reference Russia, the timing of its release reflects the uncertainty of the situation.

“The threat an organisation faces may vary over time. At any point, there is a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation,” the NCSC writes.

“The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks and systems. The actions below are about ensuring that basic cyber hygiene controls are in place and functioning correctly. This is important under all circumstances but critical during periods of heightened cyber threat.

“An organisation is unlikely to be able to make widespread system changes quickly in response to a change in threat, but organisations should make every effort to implement these actions as a priority.

The NCSC recommends a variety of measures, such as reviewing your patch management systems, verifying access controls, implementing an incident response plan and evaluating your susceptibility to phishing scams.

Another crucial aspect of data protection, particularly in light of the current situation, is Cloud security.

Why Cloud security is essential

Cloud security is a subset of cyber security that addresses organisations’ ability to secure data, applications and infrastructure that’s stored remotely online.

With hybrid working now the norm, many organisations are increasingly reliant on the Cloud to ensure their staff can access the data and services they need wherever they are.

However, the use of the Cloud increases the data protection risks that organisations face. For example, should the Cloud service provider suffer a security incident, your organisation could experience delays in the supply of good or services.

Moreover, depending on the nature of the incident, your organisation’s data could be compromised.

To protect organisations from these risks, the NCSC (National Cyber Security Centre) created the Cloud Security Principles. They outline 14 recommendations for protecting information stored online.

1. Data in transit protection

User data transiting networks should be adequately protected against tampering and eavesdropping.

2. Asset protection and resilience

User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

3. Separation between users

A malicious or compromised user of the service should not be able to affect the service or data of another.

4. Governance framework

The service provider should have a security governance framework which coordinates and directs its management of the service and information within it. Any technical controls deployed outside of this framework will be fundamentally undermined.

5. Operational security

The service needs to be operated and managed securely in order to impede, detect or prevent attacks. Good operational security should not require complex, bureaucratic, time consuming or expensive processes.

6. Personnel security

Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.

7. Secure development

Services should be designed and developed to identify and mitigate threats to their security.

8. Supply chain security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles which the service claims to implement.

9. Secure user management

Your provider should make the tools available for you to securely manage your use of their service.

10. Identity and authentication

All access to service interfaces should be constrained to authenticated and authorised individuals.

11. External interface protection

All external or less trusted interfaces of the service should be identified and appropriately defended.

12. Secure service administration

Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

13. Audit information for users

You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

14. Secure use of the service

The security of Cloud services and the data held within them can be undermined if you use the service poorly. Consequently, you will have certain responsibilities when using the service in order for your data to be adequately protected.

How you can get started

Any organisation that is concerned about its data protection practices should conduct a technical and organisational measures audit as soon as possible.

DQM GRC’s audit service ensures that you have appropriate defences to protect yourself from a variety of threats.

Our auditors will review your technical and organisational measures against our proprietary audit framework derived from relevant international standards to assure you that your controls are appropriate

The audit comes with a detailed report, providing an assurance rating for each area of your business and outlining weaknesses that you must addressed.

Prioritised recommendations are highlighted to help you develop an action plan, and we can help you implement the necessary measures to instigate that plan.