Steps to take when the cyber threat is heightened - Cyber and Fraud Centre

UK organisations are being urged by the National Cyber Security Centre to bolster their security defences in light of Russia’s unprovoked attack on Ukraine. But what does this mean? In a recent webinar we hosted together with the National Cyber Security Centre (NCSC) and Police Scotland, we discussed the practical steps businesses can take immediately to step up their cyber security posture to mitigate against potential cyber threats.

Whilst there is no specific threat to the UK right now, if cyber attacks increase due to the ongoing conflict, organisations in the UK and other countries could become collateral damage. An important point raised by Jude McCorry, CEO of the Scottish Business Resilience Centre (SBRC): “Cybercrime does not have any borders, nor does it discriminate between large or small businesses. This guidance from the National Cyber Security Centre is a reminder to all public, private and third sector organisations to review their cyber security hygiene, no one is immune to a cyber attack.”

Oliver N from the National Cyber Security Centre added: “Past cyber attacks such as NotPetya affected Ukraine and had an international impact too; we continue to see destructive malware attacks being deployed.

“The present heightened state of alert calls for three actions from UK organisations:

Be vigilant – Test your cyber security controls, incident response plans and backup facilities.
Be aware – Keep up-to-date with the latest threat intelligence and guidance on the NCSC website.
Boost your defences – Prioritise the necessary work that needs to be done to improve your organisation’s cyber security defences.

“You should not only think about how you can defend against attacks but also think about how your business would be able to recover quickly and efficiently if you were to fall victim to one.”

Declan Doyle, Head of Ethical Hacking and Client Services at the Scottish Business Resilience Centre shared the practical steps that organisations should prioritise to mitigate against cyber threats:

1) Patch Management and Updates:

Many cyber attacks affecting national infrastructure result from hackers exploiting known IT systems’ known vulnerabilities.
To reduce the risk of those vulnerabilities, make sure your systems and devices (laptops, computers, tablets & phones) are kept up-to-date with the latest software versions (a process also known as patching). These updates should be completed by your IT team or Managed IT provider within 14 days of the updates being released.
Have a patch management and update process to ensure your devices are always kept up-to-date and protected.
If you have a Bring Your Own Device (BYOD) policy or know that employees access company emails or apps such as MS Teams on their personal devices, those devices need to be kept updated.
It’s easy to dismiss the ‘updates available’ alerts at the bottom of the screen; however, ignoring important updates can leave a device unsecure and more vulnerable to threats – ensure employees don’t dismiss pending updates.
To find out more about updating devices watch our explainer video.

2) Secure settings:

Passwords are an easy and effective way to keep business and customer data safe. All of your company devices and accounts should be password protected.
The NCSC recommends you use three random words, at least twelve characters or more, ensuring passwords are unique and not easily identifiable.
Avoid using predictable passwords (such as dates, family and pet names) and don’t use the same password across important accounts.
Download the NCSC’s password security infographic for full guidance.
To find out more about password security watch our explainer video.
A password manager is an easy and secure way to store all of your passwords (think of it as a vault), so you don’t have to worry about remembering them.
Password managers generate strong, random passwords and automatically fill them in for users.
Watch our password manager explainer video for more information.
Use two-factor authentication (2FA) on accounts for an extra layer of security.
2FA requires two different methods to ‘prove’ your identity before you can use a service, generally, a password plus one other method such as a code sent to your phone.

3) Review user access to your data and services:

Employees should only have just enough access to software, settings, files and data that allows them to perform their role. They should not have the ability to freely download and install various software.
Additional permissions should only be given to those employees that require them and admin permissions should only be given to those that perform administrative tasks such as adding or removing users from accounts.
Restricting admin access will minimise the chances of admin accounts being compromised in the event of a cyber attack.

4) Anti-virus software:

Review the software you have to prevent viruses and malware from infecting your company devices.
Ensure they are configured correctly and that they are alerting you to any potential issues.
If your anti-virus software also offers email protection, it will scan incoming mail traffic and flag anything that it deems suspicious or a threat. Similarly, if your anti-virus also supports browser protection, the software will stop users from immediately jumping to that site, flag it as dangerous, and suggest users go back.
Explore anti-virus software options, don’t just assume your device is fully protected with the anti-virus that came as standard with your device.
For more information on anti-virus software watch our explainer video.

5) Up-to-date firewalls:

Use a firewall to secure your internet connection, you should check with your IT team or Managed IT provider about the firewall configurations you have in place for your business.
A firewall creates a ‘buffer zone’ between your IT network and other external networks. In the simplest case, this means between your computer (or computers) and ‘the internet’.
Within this buffer zone, incoming traffic can be analysed to determine whether it should be allowed onto your network.

6) Backup data regularly:

Ensure business-critical data is backed up regularly.
This means that in the event of a severe data loss, such as hardware failure, data corruption, or a ransomware attack, it is possible to recover the data from the backup and minimise the impact on the company’s operations.
When backing up follow the 3-2-1 rule:
- This simple approach is centered around keeping data safe in almost any failure scenario.
- Three copies of your data should be kept.
- Two of the copies should be stored on different storage media such as one on a hard drive and another in the cloud.
- One of these backups should be stored off-site.
Watch our backup explainer video for more information or take a look at our backup guidance blog.

7) Be vigilant to common cyber threats:

Ensure employees are prepared for any kind of cyber incident, consider implementing cyber user awareness training to embed a culture of good practice around cyber security.
Phishing is the most common type of cyber threat that a business faces today.
Could your team identify a phishing email in their inbox?
You can’t solely rely on tools such as spam filters to protect against phishing attacks, unfortunately, some malicious emails do make it through the cracks and staff must be able to recognise these.
Have a clear process for employees to report phishing emails; if you don’t have a process in place you could run the risk of staff simply ignoring or deleting any phishing emails that they receive. Don’t assume that because you’ve identified a phishing email your colleagues will too.
If you receive a phishing email, report it to your IT team or Managed IT provider who will block the domain immediately.
You can also report suspicious emails to the NCSC at [email protected].
Instil a positive culture around reporting, don’t blame employees if they have clicked on a suspicious link. Encourage people to come forward if they think they have interacted with suspicious content, time is of the essence when it comes to a cyber incident.

8) Prepare for a cyber incident:

An incident response plan is one of the best tools an organisation can have to prepare for a cyber attack.
If you don’t already have a plan in place visit the CyberScotland website to download your free Cyber Response Plan. The pack gives you useful information on preparing your business, PR, comms, and legal considerations.
Understand roles and responsibilities and what part people are going to play in the incident response process. Depending on the severity of a cyber attack, it may engage different people within your business or even externally.
It’s a good idea to identify and agree on an offline method of contact – if systems are compromised, or you can’t access them, ensure there is a way to communicate with each other.
The NCSC has a helpful severity matrix that will assist you in grading cyber incidents based on the percentage of staff it affects, the number of systems affected, if sensitive information has been accessed and whether or not your business can recover immediately or if it will disrupt operations.
It’s important to identify the type of cyber attack you are facing. For example, is it ransomware, phishing or a denial of service attack? Each type of attack will require a different response plan.
Understand which of these incidents your organisation would be most vulnerable to, and what would impact you the most, identify what these are then develop playbooks specifically for them.
Playbooks are detailed response plans for various incident types. We recommend creating at least 3-5 playbooks for incidents that are most likely to happen to your business.
Test, test, and test again! Practice your incident response plan to ensure it is fit for purpose and that the people involved are comfortable with their roles.
If you want to practice your incident response plan, cyber exercising is a good place to start.
Exercise in a Box, developed by the NCSC and delivered by SBRC is a free 90-minute, non-technical workshop that helps organisations find out how resilient they are to cyber attacks and practice their response in a safe environment. Find out more about Exercise in a Box here.
Cyber exercising is also an effective way to ensure employees have a basic understanding of what to do in a cyber incident.
If you have cyber insurance, make sure you know exactly what is covered.
A lot of lessons are learned after a cyber attack, whether security improvements are required or if there is any information that could have been obtained quicker.
If you are the victim of a cyber attack you must get the right support either by calling the SBRC Incident Response Helpline (0800 1670 623) or by contacting the police on their non-emergency phone number (101).
If you are unsure whether you should call the police, please call our Incident Helpline and we can provide guidance.

9) Cyber Essentials Certification:

Cyber Essentials is a simple but effective, Government-backed scheme created to help you protect your organisation against a range of the most common cyber attacks.
The scheme has been carefully designed to guide organisations of any size in protecting themselves against cyber threats, including malware, ransomware and phishing, through the use of five technical controls and the implementation of basic cyber hygiene.
The five technical controls are:
- boundary firewalls and internet gateways;
- secure configurations;
- user access controls;
- malware protection;
- patch management (applying software updates).
It offers two levels of certification, Cyber Essentials (self-assessment) and Cyber Essentials Plus which provides a greater level of assurance following additional verification of your cyber security by an independent technical auditor.
Watch our ‘What is Cyber Essentials’ video for more information on getting certified.

To conclude the webinar Russell Kerr of Police Scotland’s Cyber Strategy and Implementation Team talked about how Police Scotland handles a cyber incident once reported: “Police Scotland is responsible for assisting, coordinating and investigating high-level cyber incidents. We have a large network of law enforcement links in the UK and further afield with the US, Canada and Australia to whom we can contact for information.

“When we receive a report of cybercrime we assess the company’s ability to recover and operate normally and reach out to partners such as the Scottish Business Resilience Centre or the National Cyber Security Centre for their expertise in advising the affected organisation appropriately.

“When investigating, we link with a cyber incident response company to inspect the digital crime scene. For example, if the business has been subject to a ransomware attack, we would search for malware executables to understand how the hackers have gained access to your network. We look for IP addresses, seeking to identify any evidential opportunities we could explore to progress the investigation and engage with the threat actor.

“Understandably, some businesses may hesitate to call the police once they realise they have been the victim of a cyber attack. Police Scotland are there to help you get to the bottom of what has happened, help your business recover quickly and provide a pastoral service.”

To recap, we have put together some useful links below to help protect your organisation against cyber threats:

Download a free incident response planning toolkit from CyberScotland.
Test your response plan with real-life cyber scenarios through Exercise in a Box sessions.
Find out more about protecting your business with Cyber Essentials certification.
Visit CyberScotland for the latest cyber security guidance and resources for Scotland as well as technical advice.
Visit the National Cyber Security Centre for up-to-date cyber security news, guidance and threat alerts.
If you think your business has been the victim of a cybercrime, please call our Incident Response helpline on 0800 1670 623.