The UK National Cyber Security Centre (NCSC) has published guidance for information security teams on how to maintain strong digital defenses during an “extended period of heightened threat.”
The guidance comes as the organization’s concern grows for the well-being of the country’s cyber professionals, who must sustain resilient cyber defenses throughout the ongoing kinetic and cyber warfare between Russia and Ukraine.
The cyber authority lists several measures that UK businesses and organizations can take to ensure their security staff remain happy, healthy, functional and efficient during the conflict.
Actions to take when the cyber threat is heightened, according to the NCSC.
“The threat an organization faces can change over time. At any point in time, a balance needs to be struck between the current threat, the measures needed to defend against it, the implications and cost of those defenses, and the overall risk this poses to the organization,” writes the NCSC, noting that there may be times when the cyber threat to an organization is greater than usual.
In the NCSC’s view, moving to a heightened state of alert can:
- help prioritize necessary cybersecurity work
- offer a temporary boost to defenses
- give organizations the best chance of preventing a cyberattack when it may be most likely, and recovering quickly if one occurs
The NCSC guide explains under what circumstances the cyber threat can change and outlines the steps an organization can take in response to an intensified cyber threat.
Regarding the factors that affect an organization’s cyber risk, the NCSC notes that an organization’s view of its risk can change when new information indicates the threat has increased. This could be due to a temporary increase in adversary capability, for example a zero-day vulnerability in a widely used service that capable threat actors are actively exploiting. Or it could be specific to a particular organization, industry or even country, as a result of hacktivism or geopolitical tensions.
These factors mean that organizations of all sizes must take steps to ensure they can respond to such events. It is rare that an organization can influence the threat level itself, so actions usually focus on reducing its vulnerability to attack in the first place and reducing the impact of a successful attack. Even the most sophisticated and determined attacker will use known vulnerabilities, misconfigurations or credential attacks (such as password theft, password cracking or reuse of authentication tokens) if they can. Denying attackers these techniques reduces the cyber risk to your organization.
Measures to take
The most important thing for organizations of all sizes is to make sure the fundamentals of cybersecurity are in place to protect their devices, networks and systems. The actions outlined below are intended to ensure that basic cyber hygiene controls are in place and working properly. This matters in any circumstances, but is critical during periods of heightened cyber threat.
It is unlikely that an organization will be able to make widespread changes to its systems quickly in response to a change in threat, but it should do everything possible to prioritize these actions.
- Check your system patching
- Check access controls
- Make sure defenses are working
- Log and monitor
- Check your backups
- Have an incident plan
- Check your internet footprint
- Have a plan for phishing
- Check third-party access
- Brief the wider organization
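The “log and monitor” item only pays off if someone actually looks at authentication logs for the credential attacks described above (password spraying across many accounts, brute force against one account, and a success that follows either). The following detector is an added illustration and not part of the NCSC guidance; the log format, the sample lines and the thresholds are all constructed assumptions that a real team would replace with its own log source and tune to its own environment.

```python
"""Flag password-spray and brute-force patterns in authentication logs.

Added example, not NCSC code. The line format, sample data and thresholds
below are assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO-8601 UTC timestamp> auth result=<ok|fail> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth result=fail user=alice src=203.0.113.7
2024-03-01T09:00:04Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:00:08Z auth result=fail user=carol src=203.0.113.7
2024-03-01T09:00:11Z auth result=fail user=dave src=203.0.113.7
2024-03-01T09:00:15Z auth result=fail user=erin src=203.0.113.7
2024-03-01T09:00:19Z auth result=ok user=erin src=203.0.113.7
2024-03-01T09:05:00Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:05:02Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:05:04Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:05:06Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:05:08Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:05:10Z auth result=fail user=frank src=198.51.100.2
2024-03-01T09:30:00Z auth result=fail user=grace src=192.0.2.9
2024-03-01T09:31:00Z auth result=ok user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into (timestamp, result, user, src) tuples.

    Lines that do not match the assumed format are skipped rather than
    aborting the run, so one malformed line cannot blind the detector.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), spray_users=5, brute_fails=5):
    """Return alerts as (kind, src, detail) tuples.

    spray:                one source fails against >= spray_users distinct
                          accounts inside `window` (classic password spray)
    brute:                one source fails >= brute_fails times against a
                          single account inside `window`
    success_after_attack: a source that tripped either rule also has a
                          successful login, which is the event to act on first
    Thresholds are illustrative assumptions, not recommended values.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "fail"]
        flagged = False
        # Slide a window starting at each failure; stop at the first rule hit
        # so one noisy source produces one alert rather than dozens.
        for i, (t0, _, _, _) in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - t0 <= window]
            users = {e[2] for e in in_win}
            if len(users) >= spray_users:
                alerts.append(("spray", src, len(users)))
                flagged = True
                break
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e[2]] += 1
            worst = max(per_user.values())
            if worst >= brute_fails:
                alerts.append(("brute", src, worst))
                flagged = True
                break
        if flagged:
            for e in evs:
                if e[1] == "ok":
                    alerts.append(("success_after_attack", src, e[2]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample, 203.0.113.7 fails against five different accounts in fourteen seconds and then logs in as erin, so it raises a spray alert and a success-after-attack alert; 198.51.100.2 hammers frank six times and raises a brute-force alert; 192.0.2.9 is one mistyped password followed by a real login and stays quiet. The success-after-attack alert is the one to triage first, since it means a credential attack of the kind the guidance warns about has already succeeded.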
“Large organizations should take all of the actions listed above to ensure that the most fundamental security measures are in place,” the NCSC writes, recommending that organizations with more resources also consider the following:
“If your organization has plans to make cybersecurity improvements over time, you should review whether to accelerate implementation of key mitigation measures, accepting that this will likely require reprioritization of resources or investment.
No service or technology system is completely risk-free, and mature organizations make balanced and informed decisions based on risk. When the threat becomes acute, organizations must review key risk-based decisions and validate whether the organization is willing to continue to tolerate those risks or whether it is better to invest in remediation or accept reduced capacity.
Some system functions, such as exchanging rich data from untrusted networks, may inherently carry a higher level of cyber risk. Large organizations should assess whether it is appropriate to accept a temporary reduction in functionality to reduce exposure to threats.
Larger organizations will have mechanisms to assess, test, and apply software patches at scale. When the threat is greater, these organizations may wish to take a more aggressive approach to patching security vulnerabilities, accepting that this may impact the service itself.
During this time, large organizations should consider delaying any significant system changes that are not security related.
If you have an operational security team or SOC, it may be useful to consider taking steps to extend operating hours or put contingency plans in place to quickly scale up operations if a cyber incident occurs.
If you have systems that can take automated action or notifications based on threat intelligence, you might also consider purchasing threat intelligence feeds that can provide you with relevant information for the period of heightened threat.”
Eddie is an Australian news reporter with over nine years in the industry and has been published in Forbes and TechCrunch.