Familiarising yourself with, and taking, even the most basic security steps can go a long way towards protecting yourself or your organisation from a cyber attack. The NCSC Small Business Guide provides easy-to-follow guidance on the measures you can take to improve your cyber security. It is as applicable to households as it is to small businesses.
Watch these short videos from the NCSC and apply the tips to help secure your home or organisation.
- Back up your data
- Protect from malware
- Keep mobile devices and smartphones safe
- Use passwords and where possible multi-factor authentication
- Avoid phishing attacks
- Patch all software and firmware
Many attacks succeed because credentials have been stolen or data compromised. Attackers achieve this through cleverly designed social engineering, or through data breaches in which credentials are stolen and then offered for sale, or used, on the dark web.
- You can use the Have I Been Pwned? service to check whether your personal data has ever been exposed in a data breach. If it has, act on it: change the password for the breached account, and on any other account where you reused it.
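Have I Been Pwned also publishes the Pwned Passwords "range" API, which lets you check whether a password appears in known breach data without ever sending the password itself: you send only the first five hex characters of its SHA-1 hash and do the matching locally (k-anonymity). The Python below is an added example, not code from this page or from Have I Been Pwned; the URL is the service's public one, the `fetch` parameter is this example's own injection point so the logic can be exercised offline against a constructed response with made-up counts, and `fetch_range` is the only function that touches the network.

```python
"""k-anonymity check against the Have I Been Pwned 'Pwned Passwords' range API.

Only the first 5 hex characters of SHA-1(password) leave the machine; the
full hash is never sent, and the match is done locally on the returned list.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password):
    """Return (prefix, suffix): the first 5 and remaining 35 upper-case hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup: every known suffix sharing this 5-char prefix, one 'SUFFIX:COUNT' per line."""
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_text):
    """Parse the range response and return how often our suffix was seen (0 if absent)."""
    for line in range_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def times_pwned(password, fetch=fetch_range):
    """Number of times `password` appears in breach data; `fetch` is injectable for offline use."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the API response to prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA6...). The other suffixes and all counts are illustrative, not real API data.
SAMPLE_RANGE_5BAA6 = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB9B9A61:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E67F8C0E6E29A7B44A3C2A5C0C0D3A6E80:1
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range that returns the constructed sample (no network)."""
    return SAMPLE_RANGE_5BAA6


def offline_demo():
    """Run the check against the constructed response for two candidate passwords."""
    return {
        "password": times_pwned("password", fetch=offline_fetch),
        "correct horse battery staple": times_pwned("correct horse battery staple", fetch=offline_fetch),
    }


if __name__ == "__main__":
    for pw, n in offline_demo().items():
        print(f"{pw!r}: seen {n} time(s) in the sample range")
```

To run it against the live service, call `times_pwned("...")` with the default `fetch`; the password is hashed locally and only the 5-character prefix appears in the request URL.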
Our advice is to protect your credentials with two-factor (2FA) or multi-factor authentication (MFA) wherever it is offered.
- Two-factor authentication (2FA) is a security process in which the user provides two different kinds of evidence to verify who they are, better protecting both the user's credentials and the resources the user can access.
- Multi-factor authentication (MFA) is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism, drawn from different categories: knowledge (something only the user knows, such as a password or PIN), possession (something only the user has, such as a phone or hardware token) and inherence (something the user is, such as a fingerprint). 2FA is simply MFA with exactly two factors; a password plus a second password is not 2FA, because both are knowledge factors.
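The possession factor in most authenticator apps is a time-based one-time password: the phone and the service share a secret, and each derives a six-digit code from that secret and the current 30-second time step, so an attacker who has only the password still lacks the code. The Python below is an added example (RFC 4226 HOTP and RFC 6238 TOTP written out by hand, not this page's or the NCSC's code); the only data it uses is the shared secret from the RFCs' published test vectors, and the `window` parameter and the `verify_totp` name are this example's own choices.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP: the 'something you have' factor behind authenticator apps."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP with counter = Unix time // step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus `window` steps either side
    (clock drift, typing delay). Every candidate is compared in constant time and
    the loop never short-circuits, so timing does not reveal which slot matched."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as base32 (QR code or manual entry);
    tolerate spaces, lower case and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Shared secret used by the test vectors in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would display it for manual entry.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(RFC_TEST_SECRET))
    print("RFC 6238 vector, t=59:", totp(RFC_TEST_SECRET, 59))  # 287082
```

The same secret on both sides is the whole trust anchor: enrolling it over an insecure channel, or letting it be exported from a compromised phone, collapses the second factor back into the first.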
Cyber threats and mitigations
The following common cyber threats are explained and the protections listed.
- Email compromise
- Vulnerability scanning
- Supply Chain attacks
- Internet of Things (IoT)
Email compromise protection
Email compromise, or Business Email Compromise (BEC) where organisations are the target, is where an attacker has taken over an email account and impersonates you to scam the contacts and associates in your address book. Trading on the trust that comes with your name, they exploit it to obtain money or data, or to get someone to click a link or open an attachment that installs malware.
This can take the form of the following types of BEC attack:
- Bogus Invoice fraud
- CEO fraud
- Account Compromise
- Solicitor Compromise
- Data and IPR Theft
Understand these most common methods of attack and make sure they are communicated around your household or organisation, so that everyone knows what to look out for. If in any doubt, always verify the request through a trusted channel, for example a telephone number you already hold for the person, never one supplied in the email itself.
Combining this with multi-factor or two-factor authentication, and with well-known processes (agreed with staff, friends and family, or your bank) for verifying requests for payment or changes to payment details, will help reduce the probability of falling victim to this type of attack.
Phishing
Phishing emails range from extremely easy to spot to almost impossible. Attackers use increasingly sophisticated techniques to fool you into parting with sensitive information.
To this day there is no ‘catch-all’ method for stopping phishing; you must remain vigilant at all times and treat all emails and websites with caution when online.
The threat posed by today’s advanced phishing techniques can be significantly reduced by understanding what to look out for and staying vigilant.
This video highlights some of the signs to look for when identifying a phishing attempt.
The following layered approach from NCSC is advised.
- Make it difficult for attackers to reach your users
- Help users identify and report suspected phishing emails
- Protect yourself from the effects of undetected emails
- Respond quickly to incidents
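To make "what to look out for" concrete, the Python below is an added example (not from the page or the NCSC video) that parses a raw email and flags four common tells: a display name that pretends to be an address at another domain, a Reply-To that diverts replies away from the sender's domain, links whose visible text names a different host from their real destination, and pressure language. The two messages are constructed for the example, and the warning codes and `PRESSURE_WORDS` list are this example's own naming. Heuristics like these catch the crude cases and are a prompt for human judgement, not a filter.

```python
"""Flag common phishing tells in a raw email message (heuristics, not a verdict)."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PRESSURE_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
# Link text that looks like a URL or bare host, e.g. "www.bank.example/login".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(text):
    """Hostname of a URL, or of bare 'www.example.com/path' text shown to the reader."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return [(code, detail), ...] for the tells found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    found = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display name carries an address at a different domain from the real sender.
    if "@" in from_name and _domain(from_name) != from_dom:
        found.append(("display-name-mismatch", f"shows {from_name!r} but sent from {from_addr!r}"))

    # 2. Replies are diverted to another domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append(("reply-to-mismatch", f"Reply-To {reply_addr!r} is not at {from_dom!r}"))

    # 3. Link text names one host, but the href really goes to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        anchors = _Anchors()
        anchors.feed(html_part.get_content())
        for href, text in anchors.links:
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
                found.append(("link-mismatch", f"text {text!r} -> {href!r}"))

    # 4. Pressure to act now; phishing relies on you not stopping to check.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body_text).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        found.append(("pressure", "uses " + ", ".join(hits)))

    return found


# Constructed messages for the example (not real mail).
PHISH = """From: "security@bigbank.example" <alerts@bigbank-secure.example>
Reply-To: recovery@mailbox-tmp.example
To: you@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Please
<a href="http://bigbank.example.login-check.example/verify">https://www.bigbank.example/login</a>
now or your account will be suspended.</p></body></html>
"""

BENIGN = """From: "Alice Smith" <alice@example.org>
To: bob@example.org
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Fancy lunch on Thursday? Alice
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(PHISH):
        print(f"[{code}] {detail}")
```

Run it on a saved `.eml` file by reading the file into a string and passing it to `phishing_indicators`. A message that trips none of the checks is not thereby safe; a message that trips several deserves the trusted-channel verification described above.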
Vulnerability scanning
This is mainly aimed at organisations, to ensure that they have a process in place with their IT support for having their systems tested for known vulnerabilities and having those vulnerabilities remediated.
This process is usually referred to as vulnerability scanning (automated checks for known weaknesses such as missing patches or insecure configuration) and penetration testing (a skilled tester actively attempting to exploit weaknesses). Scanning is only useful if someone owns the results and fixes what is found. The Cyber Essentials Plus scheme includes an independent technical assessment of your systems as an additional element of reassurance that your controls are in place.
Supply Chain Attacks
As your organisation grows and starts to work with more customers, suppliers and partners, you become a link in one or more complex supply chains. Being a desirable, trustworthy supplier or customer now extends far beyond delivering good products or services, providing great customer care and paying on time.
Today’s way of conducting business means that you must observe good practice (and in many cases, compliance requirements) when it comes to cyber and information security, because a vulnerability puts not only your own organisation at risk but also the others up and down the supply chain.
- Customer, client, supplier and partner data is increasingly held on disparate, distributed databases, so one vulnerability could compromise the integrity of the entire chain.
- Data is also shared between more links in the chain, for example via email or via shared online portals.
- Every new organisation that joins the supply chain increases the risk of a security breach.
- Financial safety, employee safety, intellectual property, data compliance and reputation are all at stake, for every organisation in the chain.
Achieving acceptable standards in the supply chain
An organisation's supply chain is the suppliers and services that it needs in order to deliver its business. It is essential that every organisation in the supply chain has secure systems and practices, can demonstrate this to the others in the chain, and in turn has confidence in the others in the chain.
You should also establish, as early as possible when joining a supply chain, the existence, nature and level of security required (if any), and agree or negotiate it according to your own requirements and standards and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain.
It may be that one of the levels of IASME or Cyber Essentials certification is acceptable.
Internet of Things (IoT)
Smart home devices offer more access points than ever before: wireless lights, thermostats, home security sensors, intelligent streetlights, smart meters and many more. These millions of sensors and devices present a great opportunity for attackers, and a great vulnerability for us all. Many of them ship without proper security measures to protect them, and in turn you and your organisation.
Without proper security measures in place, every piece of data we generate, whether intentionally or passively, could be open to misuse such as identity theft or financial fraud, and could potentially even harm our health. Implementing security will continue to be critical for controlling how that data is used.
Many of these devices are very beneficial to us and our organisations, but it is essential that we also understand the risks and potential threats associated with their use and implementation in our homes and organisations.
The UK government is working with suppliers to implement its code of practice, which will help ensure that products sold in the UK are designed with security in mind.
Whether you are an individual or a multinational organisation, people use technology, and everyone needs an understanding of which actions and behaviours make us more cyber secure.
- Cyber awareness and training
- Password protection – basic authentication
- Two or multi-factor authentication
- Be phishing and scam aware
- Routines for better cyber health
- Use of pen drives (USB sticks)
- Get assurances – get a trusted IT party to provide advice and support
- Basic IT training and awareness – know how to recover your systems and data
Process and policy for businesses
- No USB devices – lock down access to these where possible
- Passwords – strong, unique passwords (randomly generated where possible), backed by two-factor authentication
- Training and awareness
- Access controls and secure configuration
- Patching policy
- Reduce/remove legacy systems
- Incident and recovery processes