National Cyber Security Centre Business Guidelines 2020 Review - Cyber Foundry

The National Cyber Security Centre (NCSC) provides many articles and guides on how to secure your business against the risk of cyber attack. The last two years have seen many changes and updates to this advice as our work environments have adapted to the global COVID-19 pandemic, and consequent restrictions of movement enforced on the country’s populace.

This article intends to be a single resource that encompasses all of the NCSC’s guidelines and posts, starting from their original guides and incorporating any published updates. Simplifying all the news, updates, and procedures into a simpler will help SMEs stay safe.

The guide has eight stages designed to break down the available information into smaller sections. By following these steps and acting on the suggestions, you could save time, money, and even your business’s reputation. The steps outlined below can significantly reduce the likelihood of your organisation becoming a victim of cybercrime.

Cyber Security Steps

Step 1 – Data Backup

All businesses rely heavily on data; this information could be anything from customer contact details or even your employees’ personal information. The NCSC encourages you to think about how your organisation would operate if this crucial data were no longer accessible.

By backing up your data, you can ensure that there is never a time when critical information is not accessible. However, many companies are put off creating these backups, assuming they are time-consuming to make and potentially more difficult to secure than the source data. There are many tools and applications that offer automated backup procedures – these can operate transparently and in a straightforward way.

Here are some points to consider.

Identify what information is most important to your organisation

• Identify the data without which your business could not function, and only back up this information. You do not need to back up everything

Keep backups separate from your working internet-connected devices

• The backup should not be kept on the device where the original data resides
• The backup should only be accessible to those staff members who require it
• The best solution for keeping backup files is ‘cold storage’: for example an external hard drive that is not connected to any machine, and only used when a backup is made or during a recovery
• Encrypting the device on which the backups are stored will prevent the data from being misused if the backup media is stolen or lost. For example, Windows 10’s device encryption is called BitLocker

Set a reminder to make backups regularly

• A simple, repeating calendar entry would suffice
• A more robust solution would be to use, for example, Windows 10’s dedicated backup and restore scheduling

Review any storage services you are using, and check for automated backup options

• Cloud storage provider Dropbox, for example, has different subscription levels such as Plus and Professional. Upgrading to a more expensive tier can often unlock recovery and restore functionality that works automatically in the background

Consider cloud software or services designed to take care of backups for you

• There are many of these services – here are a few examples:
  • Carbonite
  • Veeam
  • Duplicati
  • iDrive
  • Acronis

Step 2 – Malware Protection

There are many ways in which malicious software – ‘malware’ – can get onto a device and, from there, the wider network of a business. Malware often enters a device masquerading as legitimate software and may never make its malicious intent known to the user. Other malware will make itself known by, for example, locking users out of their systems – the WannaCry ransomware outbreak is a good demonstration of this.

Here are five easy to implement tips to prevent malware from causing damage to your organisation:

Install and activate antivirus software

• Many computers come with free antivirus software; for example, Windows 10’s ‘Defender’: https://www.microsoft.com/en-gb/windows/comprehensive-security
• Details for other devices and operating systems such as smartphones and tablets are available here: https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance
• Ensure your staff are made aware that any devices they are using for work should also follow the NCSC’s device security guidelines
• Ensure that antivirus applications are enabled and kept up-to-date

Prevent staff from downloading potentially dangerous applications

• Staff should be made aware that they must only download applications from manufacturer-approved marketplaces, such as Google’s Play and Apple’s App Store
• If a staff member requires an application that is not available via these stores, this should be raised with technical staff or management for approval and installation
• Employees’ devices should have only the permissions needed to carry out their work. Administrator-level accounts should only be accessible by those staff responsible for administering the devices and not for general work. Windows 10, for example, allows multiple users accounts with different permissions, view here

Keep your equipment up to date

• All employees should be made aware that devices they use for work – computers, smartphones, tablets – must be kept up to date
• Many devices and operating systems offer automatic updating – this should be used wherever possible
• Older devices that no longer receive automatic updates should be manually updated according to manufacturers’ guidelines  by an appropriate member of IT or management staff
• All employees should be made aware of the security implications of using a device that is not up to date

Manage the use of USB peripherals such as external media storage devices

• Employees should be aware of the risks that USB devices pose to the business – from devices of unknown origin which may contain malware, or through the loss of portable storage media containing company data
• All staff members should be shown how to transfer files securely – this process should be formilised as company policy
• Computers used by staff members should block the use of removable storage: this guide from Microsoft explains how to enable this feature in Windows, view here

Switch on any available firewalls

• Ensure that all devices have any available firewalls enabled. For Windows 10, This article shows how view here
• Other hardware such as routers, switches, and internet security gateways will have guides from their respective manufacturers detailing how to ensure that firewalls are working; these devices should be reviewed at the earliest opportunity, view here

Step 3 – Device Safety

Many staff members are now using devices such as smartphones and tablets to respond to emails and complete work while away from the office. These devices’ mobility presents an increased security risk over, for example, a desktop computer that never leaves the workplace.

Here are five tips to help ensure these mobile devices remain safe.

Use a strong password and switch on any available fingerprint or facial recognition protection

• Many devices now support fingerprint or facial recognition technology –  these are not always enabled by default
• Staff members must be made aware that they should have password protection enabled on all their mobile devices
• Where possible, staff members should use fingerprint or facial recognition to log in to their devices

Make sure stolen or lost devices can be locked and wiped

• Staff members should be encouraged to enable tracking and remote access on their mobile devices in case of loss or theft
• For business-owned devices, a mobile device management software suite is an appropriate way of managing different technologies – more details, view here

Keep all applications on every device up to date

• As well as the device and its operating system, staff members should be encouraged to keep downloaded apps up to date
• Some applications will require manual updating – how-to guides should be made available to help staff members follow correct procedures

Never connect devices to suspicious or unknown wi-fi hotspots

• Staff should be aware of how public wi-fi hotspots, such as those in coffee shops, airports, or restaurants, cannot be considered secure. These access points must not be used to carry out any business activity
• In the event an employee needs to use a wi-fi hotspot that they do not control, for example at a hotel, it is advised that they are provided with – and able to use – a virtual private network (VPN). Providing the employee with a 4G or 5G dongle with which to connect is a good alternative

Step 4 – Password Security

Passwords are still the most widely used form of security with which we prevent unauthorised access to our accounts and data. These tips will help ensure that you are making effective use of password security.

Some devices allow users to log in without a password: this should never be allowed for a device operating in a business environment. Ensure all devices have a password or pin to protect them from unauthorised access.

Multi-factor authentication (MFA) is currently one of the most robust methods for preventing access by rogue users. Even if your password is guessed or stolen, MFA ensures that a further identity check is made before access is allowed; this check could take the form of a text message or phone call to which the user must correctly respond. If suspicious activity takes place on the device, MFA ensures you are notified instantly and can take adequate steps to check and, if necessary, resecure the account. More information view here.

Passwords should be at least 12 characters long and not predictable or personally relatable. Password managers are available that can run on any platform to automatically generate, save, and secure good-quality passwords for any account. This software will prevent users suffering from password ‘overload’ – a situation which can result in your employees using the same password for multiple accounts and services. More information view here.

Many devices, such as networking hardware, peripherals, and Internet of Things devices, are supplied with default passwords. Default passwords require changing before the equipment is used – many devices from the same manufacturer share a password that can be easily guessed by an attacker.

Many websites have been compromised by malicious attackers – these hacks reveal sensitive information, including that related to business users’ accounts. You can check whether your email or your employees’ emails have been a part of a historic leak by using the website https://haveibeenpwned.com/. If a user has had their account details leaked, it is essential that they change their password straightaway.

Step 5 – Phishing Defence

Phishing – the act of sending fraudulent emails that masquerade as legitimate communications – is one of the most common attacks targeting internet users. Phishing emails are becoming more sophisticated and aim to trick users and businesses in a variety of ways. These messages will often contain a malformed link, appearing as the URL of a legitimate website such as that of a high-street bank, to trick the user into visiting an infected website; alternatively, the emails might have an innocent-looking attachment containing malware.

More sophisticated attacks are now using leaked personal information, such as a person’s name and job title, to tailor the email’s appearance. This practice, known as ‘targeted’ or ‘spear’ phishing, increases the likelihood that the user will believe the malicious email to be genuine.

Here are some tips to help mitigate the threat of phishing within your business.

Understand the different types of phishing attacks

• A standard email phishing attack is a bulk email sent to thousands of individuals
• Spear phishing is an attack in which the threat actor knows the individual’s full name, job title, and other sensitive data. These emails are more personal – they could, for example, purport to come from a more senior employee
• ‘Whaling’ is a form of phishing that targets an organisation’s senior employees who will commonly receive false invoices or tax information. The attackers’ intent is to obtain sensitive information such as a company’s bank details, or have the email forwarded to a less senior employee who will not question – for example – a fraudulent payment transaction
• Smishing (text message) and vishing (voice) attacks communicate via telephone rather than email. In these scenarios, the bad actors often pretend to be more senior employees, state officials, or fraud investigators
• Angler phishing is a newer form of malicious communication that uses social media as the attack vector. Angling is rooted in the knowledge that many users lower their security defences when using social media, and are therefore more likely to trust other users on the platform

Consider how your business could be the target of phishing, and which employees are most at risk of this kind of attack

• Learn how you can support and encourage your staff to question suspicious emails or requests
• Re-evaluate the communication methods you have for stable business relationships: how do you know an email is genuine, and how can you verify by an alternative method?
• Consider having your staff take training in how to spot phishing emails, view here

Understand, and communicate to your employees, the signs of phishing

• Look for spelling and grammar errors
• Is the email addressed to you by name? Does the sender refer to you as an individual or use your business’s name?
• Does the email contain any coercion? ‘Problems’ that require immediate action or a time limit on the reply?
• Is the email asking for a payment to be made and do you know who the sender is? Can you verify by an alternative method that the email is genuine before sending payment?
• If it sounds too good to be true, then it is. Never be persuaded to click on a link or open an attachment – always ask another employee first if you suspect malicious activity

Enable email filtering and fine-tune it for your organisation’s needs. Ensure that employees know these filters exist, and why emails may be in the spam box and not to trust them if they are.

Ask staff to be transparent about their actions. Even if they have made a mistake ensure they know that reporting an incident or potential attack will not mean they are punished.

Check your digital footprint. How much information about your business and employees is freely available online? Make your employees aware of what information is common knowledge, and help them understand the impact of the public information shared about them and your business. Assist employees in shaping their public-facing profiles – social media – to reduce any information leaking about them and the company.

Step 6 – Policy Actions

The following policy actions should be created, checked, and updated regularly as part of your business processes. Name this document “Policy Actions”, and put your initials and the date against all changes and additions in this document. Make sure to password protect this document and store it in a suitable place.

• Identification and recording of essential data that requires regular backup
• A firm password policy that all staff can access and review
• Access controls required for different users, who should only have access to the information and systems that are necessary for their job role
• A decision as to which staff, if any, require the use of USB drives or any other removable storage media
• Subscription to threat alerts and local cyber advice, for example briefing sheets and threat reports such as that available at www. action fraud.police.uk/signup where it is of relevance to your organisation
• The creation of an inventory of approved USB drives and the staff to whom they are issued. To include labelling and periodic review to ensure they are still required and their current whereabouts

Step 7 – Technical Actions

The following technical actions should be created, checked and updated regularly as part of your business processes; name this document “Technical Actions”, put your initials and date against all changes and additions in this document. Again, password protect this document and store it in a suitable place.

1. Switch on available firewalls for all devices and detail the actions in the document
2. Install and activate antivirus and anti-malware software and detail the assets for which this has been carried out
3. Block access to any network ports that are not needed, and document this carefully
4. Consider making a password manager available to your staff. Review and research the offerings in the marketplace first and document the final choice and reasons
5. Ensure data is copied or archived to a backup platform regularly. Document all the details required to review and create these backups and create a schedule to test them regularly
6. Set automated backup periods continuously, hourly, or daily based on the organisation’s needs and detail this in the document. Carry out a review to ensure backups are correctly being provisioned and are working on a regular schedule
7. Ensure that password protection is enabled on all available devices and document this appropriately. Change default passwords on all internet-enabled devices as per the password policy and document which device has been changed, the original password, and the new password
8. Install and turn on tracking applications for all available devices. Document all the details for these enabled devices allowing quick access to locate or destroy them if flagged as lost or stolen
9. Enable multi-factor authentication (MFA) for all critical accounts such as email – two-factor authentication is a form of MFA. Maintain a list of any accounts, services, and software with MFA enabled, and which do not if they do not support it. Regularly check for changes in these services regarding their support or requirements for this authentication type
10. Apply restrictions to prevent users from downloading third-party applications. Document any restrictions
11. Install the latest software updates on all devices and switch on automatic updates with periodic checks. Document the systems that are updating automatically Regularly check these systems to ensure they are healthy and up to date
12. Ensure all applications on devices are up to date, and automatic updates are enabled. Schedule regular manual checks on updates and keep track of which assets are updating correctly
13. Set up encryption on all office equipment. Use products such as Bitlocker for Windows or FileVault on Mac OS. Keep track of all devices with encryption enabled and any recovery keys associated with each machine to restore access should a user forget their password

Step 8 – Training and awareness actions

The following training and awareness actions should be created, checked and updated regularly as part of your business as usual process. Name this document “Training and Awareness Actions”, and put your initials and date against all changes and additions in this document.

1. Provide secure physical storage – for example a locked cupboard – for network administrator staff to write down and store device passwords. Remember to keep track of the cupboard’s contents
2. Create a cyber security training plan that you can use for all staff, and keep track of who has completed the training
3. Include details of your password policy explaining how to create a non-predictable password. Ask employees if they follow the guidelines with all their passwords, and keep track of those who have followed the policy
4. Include guidance on spotting the signs of phishing and the types of phishing that each employee should expect to receive. Keep track of the employees who have received this training, and regularly ask if they have received phishing emails
5. Make staff aware of your reporting process should they suspect phishing, and ask regularly what they have done with previous phishing emails. Keep track of the employees who are following the guidance correctly
6. Detail how your business operates and how employees should deal with work requests via email. Note what to do if they have concerns about an email or have suspicions about a request. Keep track of the employees who are following the guidance
7. Include details of any wi-fi hotspot vulnerabilities and use alternative options – for example VPN or mobile networks – if necessary. Encourage employees to ask for mobile internet access devices if they feel they require them Keep track of any assets given to employees

Response and recovery steps

If a cyber attack does occur, it is imperative that your business is prepared to respond to the and has an adequate plan for the recovery process. The NCSC defines a cyber incident as “unauthorised access to any organisation’s IT systems”. This definition includes the following:

• Attempts to gain unauthorised access to a system and/or to data
• Unauthorised use of systems for the processing or storing of data
• Changes to a systems firmware, software or hardware without the system owners consent
• Malicious disruption and/or denial of service

If you are experiencing a live incident, call Action Fraud immediately on 0300 123 2040.

Step 1 – Prepare for a variety of incidents

Understanding your business, what it needs to operate, and what would cause issues if not available helps envisage what kind of attacks would most hurt the organisation. The steps below will help you understand what areas you need to think about regarding incident preparation.

Identify all critical systems and assets essential to the day to day running of the business

• These might include diaries, calendars, contact details, emails, and essential documents
• Find out where this data is stored – is it locally, in the cloud, on a service provider’s servers?
• Ensure this data is being backed up internally or externally by your service providers. It is essential to ensure that you can still access your data if a service provider suffers an attack
• What business processes are critical? The company’s website, a client portal, equipment used for manufacturing?
• Think about how you could reduce reputational damage if an incident occurred. Which key partners and customers do you need to contact first? How do you relay information to all your clients about the ongoing issue?
• Is all this solely your responsibility? What happens if you are away from the business premises during an incident? Ensure accountability is shared among multiple employees to reduce bottlenecks in the response

Prioritise the risk and manage it.

• What critical systems and assets are the most important and why? What steps are being taken to protect them?
• Prioritise what needs the most protection, why it needs this protection, and what can be improved

Put the risk on the agenda and discuss the organisational threats that exist as an ongoing casual conversation

• Discuss these risks at all business levels and during weekly catchups
• Try to understand where cybersecurity risks sit when compared with the risk of burglary or flooding
• Do you need to consider cyber insurance – if so, have you reviewed the scope and scale that the cover needs to provide, and can you meet the insurer’s operational requirements?

Make an incident plan that is stored in a safe place so that it can be used to help during an incident, and is not affected by it.

• Ensure the business is prepared to restore backups, and this has been tested. Multiple employees require training on how to create redundancy and increase the speed of recovery
• Roles, which have been trained for, need assigning to staff members during an incident – their contact details should be readily available
• Consider testing your organisation using the NCSC’s Exercise in a Box: https://www.ncsc.gov.uk/information/exercise-in-a-box
• Document possible incident ‘trigger points’ and who decides what occurs during these events. For example, if an employee notices a problem on the company website, who decides how to proceed and shut down the website if required?
• Create a list of required contact points you can reach out to for assistance during an incident. These contact points may be hosting providers, your external IT provider, or a cloud provider. Be prepared with all these details so you can act swiftly
• Periodically check contact details to ensure they are up to date
• If you have cyber insurance, ensure you have the policy number and contact details ready, and understand what actions you must adhere to in order to remain compliant with the insurer
• Write down contact details for different trade associations and advice lines that may also be able to offer support during an incident

Step 2 – Identify what is happening

The first step in effectively dealing with a cyber incident is identifying that it exists. Here are some indicators that will help you detect if something malicious may be occurring.

Initial indicators:

• Computers or devices are running significantly slower than previously
• Users are locked out of their accounts
• Users are not able to access documents that had previously been available
• Users have received messages relating to the ransom payable for specific documents and files
• External users have highlighted that the organisation appears to be sending strange emails
• Normal internet searches appear to redirect to a website that is not commonly accessed
• Employees are receiving requests for payments that have not had proper authorisation
• There is unusual account activity in server and network logs

Questions to ask:

• What has been reported, and by whom?
• What is not working as it used to?
• Are there any signs of data loss? Are there ransom requests? Has data been made publicly available?
• What data has been disclosed to unauthorised parties, or has been deleted or corrupted?
• Has this impacted your customers?
• Who oversees the affected system or service?
• When did this problem first occur?
• What is the scope of the problem and what areas of the organisation are affected?
• What are the specific signs you are seeing that might be related to this problem?
• Do they indicate that the issue is external or internal?
• What is the potential business impact of the incident?

Stopping the incident from getting worse:

1. Review your security software (antivirus), firewall logs, and audit logs. Try to identify any specifics of the attack using timestamps and any information that might indicate the cause of the incident
2. If you cannot identify any specifics but know which device or system has been affected, run all available antivirus or malware scans in ‘full’ or ‘complete’ modes
3. Review the results – if nothing is found, try alternative scans and software while the system is in safe mode
4. Using any information gathered, search for advice online related to repairing any damage caused and preventing the malicious activity from occurring again. Be careful to use only trusted sources for this information
5. If there is an internet outage, contact your ISP from the details recorded in the incident plan. Communication with the ISP will help you identify if the connectivity issues are externally related or not
   1. If the connectivity issues are external, then you need to review the details of any service level and support agreements that you have in place with your providers
       

Step 3 – Resolve the incident

Use this step to help get your organisation back up and running as soon as possible. You will need to confirm everything is running as expected and that all problems are fixed.

If an external party manages your IT services, you will need to contact the right people as a matter of urgency.

• In Step 1 of this section, we covered making notes of essential contact details – now is the time to use them
• These contacts are there to help you fix the problem and understand the impact of the incident on the business

If your IT services are in-house, it is time to put your plan into action.

Activate the incident plan established in Step 1, Understand what type of incident you are responding to and:

• Replace any infected or compromised hardware
• Restore services by using backups
• Patch software to fix any vulnerabilities that may have caused the problem
• Clean infected machines of known malicious software
• Change passwords before resuming day-to-day work activity

If you plan to use an external provider for your IT services and cyber security consulting, there are specific steps you need to take. Check the following:

• Are they a reputable organisation with a history of good customer relations?
• Do they have a history of supporting cyber incidents with organisations of a similar size to yours?
• Is there a list of services and relevant technology qualifications available from this provider?

Step 4 – Report the incident to the organisation’s stakeholders

Upon resolving the cybersecurity incident, a formal report must be created to inform internal and external stakeholders of the details of the security event. Some incidents are serious enough to be bound by law – these must be reported to the Information Commissioners Office (ICO), regardless of whether or not your technical support is outsourced.

Report attacks to law enforcement.

• A cyber-attack is a crime and must be reported
• You can report cyber crimes using Action Fraud

Keep everyone informed.

• All staff and customers must be up to date with the latest information
• You must also tell them if any data loss or breach may affect them

Consider taking legal advice.

• If the incident has caused a significant impact within the business, you should consider expert legal advice
• A cyber insurance policy will be able to provide you with more advice
   

Step 5 – Learn from the incident

Once an incident has occurred and is resolved, it is encouraged to:

• Review what has happened with senior staff
• Learn from any mistakes that may have been made
• Take action to reduce the likelihood of a similar attack reoccurring

It is essential to review your technical controls after an incident and improve staff awareness – training may be required to enhance the organisation’s security culture.

Review the actions that were taken during the response

• Collate the actions that were taken, noting any dates and times, and further details as pertinent
• Review these details one by one noting their importance. What can be improved? What was missed?

Review and update your incident plan

• From the review, update your existing plan to reflect on the lessons learned

Strengthen your defences

Reassess the risks and make the necessary changes:

• If the attack used a weak password, then improving and redistributing the password policy will encourage staff to make the necessary changes
• Provide further and new training around the area that was targeted by the malicious attack

Consider the terms of your existing contracts

Depending on how successful the incident response was, you may need to make a strategic decision on any third-party contracts related to it. Consider the following:

• Does the incident change the way you will do business in the future?
• Was any outsourced help that may have been used found to be useful or a hindrance?
• Did any outsourced assistance meet the business’s needs and, if not, can the third party improve their offering to the business?
• Did all the skills required for the incident exist in-house, or are more employees required?

Conclusion

By acting on all the tips and advice in this document, the reduction in the attack area that your business exposes will be significant. There is no single solution to prevent cyber attacks – it is an ever-evolving problem that all industries and individuals face.

If a business can ensure that they get the basics right, acting on all the points above will prevent many of the incidents that we see before they begin. As companies grow, these snippets of advice become challenging to implement and manage. The earlier you start on the path to transparent security, the easier it is to stay secure in the future as the threat landscape and your business both evolve.

Never assume you are too small to be of interest to criminals: many cyber attacks occur not through individual targeting methods but via automated attack scripts looking for any vulnerable target. Don’t let security become a failure from your successful growth, act now and grow securely.

References

• https://www.ncsc.gov.uk/blog-post/small-business-guide-2020
• https://www.ncsc.gov.uk/news/revamped-small-business-guide
• https://www.ncsc.gov.uk/collection/small-business-guide
• https://www.ncsc.gov.uk/files/NCSC_A5%20Response%20and%20Recovery%20Guide_v3_OCT20.pdf
• https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps/incident-management