Public sector organisations have been reminded to implement a series of measures to strengthen resilience and protect data.
Nicholas, a spokesperson for the National Cyber Security Centre (NCSC), outlined the priorities and background at UKAuthority’s recent Resilience & Cyber4Good conference.
He said bulk data makes a very tempting target for attackers of all kinds, so it is essential to ensure it is adequately protected.
To be useful, systems very often need to move, store and provide access to sensitive data. Unfortunately, this makes them attractive for cyber actors. The consequences of a successful compromise of these systems can be hugely impactful for the organisation.
However, the picture need not be a bleak one. Frequently, the very worst outcomes can be avoided if services are designed and operated with security as a core consideration.
“We encourage organisations to consider security from the start,” he said.
Familiar steps
His advice to strengthen resilience included familiar steps such as patching IT systems and ensuring an effective, tested, back-up regime is in place.
“It is important for organisations to have backups in place to enhance resilience. Testing your back-up regime is equally important to make sure you can restore your data as planned,” he said. This point is reflected in the recently published NCSC cloud back-up principles, which are designed to help organisations be more resistant to ransomware.
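The "test that you can actually restore" point is easy to state and easy to skip. The script below is an added illustration, not NCSC material or anything shown at the conference: it archives a small constructed data directory, restores the archive into a scratch directory, and compares a SHA-256 manifest of every file on both sides. It also shows the failure case that most often surprises teams, a backup that is stale relative to the live data. The directory layout, file names and file contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify a backup by restoring it and comparing checksums.
# Assumes a POSIX shell with tar, find, sort, xargs and sha256sum available.
set -eu

# Create a small, constructed data set (not real records) to back up.
make_sample_data() {
  dir="$1"
  mkdir -p "$dir/records"
  printf 'case-id,status\n1001,open\n1002,closed\n' > "$dir/records/cases.csv"
  printf 'audit entry one\naudit entry two\n' > "$dir/records/audit.log"
}

# Take a backup: archive the whole source tree into the given tar file.
take_backup() {
  src="$1"; archive="$2"
  tar -C "$src" -cf "$archive" .
}

# Emit a sorted "sha256  ./relative/path" manifest for a directory tree.
manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum)
}

# Restore the archive into a fresh directory and compare manifests.
# Returns 0 when every file restores byte-for-byte, 1 otherwise.
verify_restore() {
  src="$1"; archive="$2"; restore_dir="$3"
  rm -rf "$restore_dir"; mkdir -p "$restore_dir"
  tar -C "$restore_dir" -xf "$archive"
  if [ "$(manifest "$src")" = "$(manifest "$restore_dir")" ]; then
    echo "restore verified: $(manifest "$src" | wc -l) files match"
    return 0
  fi
  echo "restore FAILED: manifests differ" >&2
  return 1
}

# End-to-end drill: a good restore must pass, and a backup that predates a
# later write to the live data must be flagged. Returns 0 only if both hold.
run_drill() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  take_backup "$work/src" "$work/backup.tar"
  verify_restore "$work/src" "$work/backup.tar" "$work/restore" || { rm -rf "$work"; return 1; }
  # Simulate data written after the last backup was taken.
  printf 'audit entry three\n' >> "$work/src/records/audit.log"
  if verify_restore "$work/src" "$work/backup.tar" "$work/restore" 2>/dev/null; then
    echo "stale backup was NOT detected" >&2
    rm -rf "$work"
    return 1
  fi
  echo "stale backup correctly detected"
  rm -rf "$work"
  return 0
}
```

Run `run_drill` from a scheduled job and alert on a non-zero exit; in a real regime the source side of the comparison is a manifest captured at backup time, so the check proves the archive is intact without depending on the live system still being available.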
This should be accompanied by proportionate, reliable logging to make it possible to “follow the breadcrumbs” as part of an investigation.
Other measures include using ‘strong enough’ passwords as highlighted in the NCSC’s ‘three random words’ guidance, implementing multi-factor authentication where available, and access control (for example, following the ‘principle of least privilege’).
All of this should be underpinned by a policy of continuous improvement, with cyber specialists in the organisation up to date on technology developments.
A shared understanding of the business impact is also important to ensure the consequences of a cyber incident are understood, and to make it clear who is responsible and accountable for the different elements of the business.
Plan for response
“Having an incident management plan in place is also really important,” Nicholas added. “It’s about knowing exactly what must be done, and having the confidence that when you pull the response ‘lever’ what you expect to happen, happens.”
Organisations should also aim to create a positive security culture, where people are aware of their role in maintaining cyber security and actively contribute to improving their organisation’s security.
“You may also want to consider having staff training awareness programmes in place, so individuals understand how they can help protect their organisation and have the confidence to report when anything goes wrong or near misses occur.”
Usefully, Nicholas highlighted the free NCSC Suspicious Email Reporting Service (SERS), which helps the NCSC take action to block malicious email addresses so they can no longer send emails. By reporting phishing attempts, individuals can reduce the number of scam emails they receive, make themselves a harder target for scammers, and protect others from cyber crime online.
In response to a question on how best to communicate with people in an organisation about cyber risks, Nicholas said there is a need to make the subject accessible to technical and non-technical people alike. Explaining how cyber security relates to day-to-day business really helps and the NCSC Board toolkit has been developed to assist conversations in this space.
What and why
“One of the things to consider is not only describing what the security measures are, but why they are in place. If that isn’t landed in the right way, there’s a risk users begin to feel alienated, indifferent or develop workarounds.”
Nicholas also explained the importance of understanding the cyber posture of third parties with which an organisation works, including its supply chain. This involves understanding the impact of supply chain cyber security risks and accessing essential supply chain resources. The good news is the NCSC has a collection of guidance which provides accessible advice on this topic.
He also pointed to the evolving ecosystem, with continuously changing technologies, being accessed by more organisations.
“This isn’t an easy task, but if we continue to work together and approach cyber security as a ‘team sport’, we can further strengthen the public sector cyber security posture, and enhance overall organisational resilience,” he said.