The threat of cyberattacks against Ukraine and against countries opposed to Russia's invasion of its neighbour prompted the UK's National Cyber Security Centre (NCSC) to issue a call Monday for UK businesses and other entities to strengthen their cyber resilience.
In a posting on its website, the NCSC said while it was not yet aware of any current specific threats to UK businesses and other entities stemming from the Ukraine conflict, organisations should be taking steps to lower their risk of falling victim to a cyberattack.
Specifically, the NCSC advised organisations to follow the steps outlined in the agency's guidance for actions to take when the cyberthreat is heightened.
Among the recommended steps are the following:
- Ensure that the operating systems, websites, firmware, and other software on desktops, laptops, and mobile devices are up to date on patches to close security vulnerabilities that could allow hackers to gain access to critical networks and data.
- Verify that proper access controls are in place. Organisations should closely review all user accounts, especially those with access to sensitive information, and remove all old or unused accounts. Employees should be prompted to ensure that they are using strong passwords that are unique to the organisation's business systems. If available, multifactor authentication should be turned on and double-checked for proper configuration.
- Check that antivirus software and firewall rules are active, set up properly, and functioning as intended. Keep an eye out for temporary firewall rules that may have been left in place beyond when they should have been turned off.
- Confirm that logging is in place, know where logs are stored, and know for how long they are retained (at least one month, if possible). Monitor key logs, including antivirus logs, rather than simply collecting them.
- Review all backups and ensure they are running properly. Ensure that data, machine state, and critical external credentials such as private keys and access tokens are all backed up. Perform test restorations to ensure the process is well understood and is working. Make sure there is an offline backup copy that is recent enough to be useful in restoring a system or data damaged by a cyberattack.
- Review the incident response plan and make sure escalation routes and contact details are up to date. Ensure that the plan is clear on who has the authority to make important decisions, especially outside of business hours.
- Check that records of the organisation's internet-facing footprint (including which IP addresses are used on the internet and which domain names belong to the organisation) are up to date and accurate. Perform an external vulnerability scan of the organisation's full internet footprint and make sure all patches are in place. Internet-connected services with unpatched vulnerabilities represent an unmanageable risk.
- Make sure employees know how to spot and report phishing emails.
- Remove any third-party network access that is no longer needed. Ensure that you understand the level of access each third party has in your systems and make sure you understand their security practices.
- Communicate the need for these actions to ensure team buy-in. Make sure everyone understands the nature of the threat.
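Several of the checks above (stale accounts, privileged accounts without MFA, temporary firewall rules left in place, log retention under one month, backups that are not offline or have never been restore-tested) are easy to automate once the relevant inventory is in a machine-readable form. The script below is an added example, not code from the article or from the NCSC guidance: it runs those checks over a constructed sample inventory. The field names (`last_login`, `mfa`, `retention_days`, `offline`, and so on), the `TEMP ... until YYYY-MM-DD` convention for marking temporary firewall rules, and the thresholds are all assumptions chosen for illustration; in practice the data would be exported from the directory, firewall and backup tooling.

```python
"""Readiness checks for several NCSC heightened-threat items (added example).

Constructed example, not NCSC code. The inventory below is made up and the
field names are assumptions; real runs would export this data from the
directory service, firewall and backup tooling.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so results are reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)

# Constructed sample inventory.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "last_login": "2022-02-27T09:12:00Z", "mfa": True},
    {"user": "svc-legacy-etl", "privileged": True, "last_login": "2021-08-03T02:00:00Z", "mfa": False},
    {"user": "contractor-bob", "privileged": False, "last_login": "2021-12-20T14:30:00Z", "mfa": False},
    {"user": "carol", "privileged": False, "last_login": "2022-02-28T16:45:00Z", "mfa": True},
]
FIREWALL_RULES = [
    {"id": "fw-101", "src": "0.0.0.0/0", "dst_port": 3389, "comment": "TEMP vendor RDP until 2022-01-15"},
    {"id": "fw-102", "src": "10.0.0.0/8", "dst_port": 443, "comment": "internal web"},
    {"id": "fw-103", "src": "0.0.0.0/0", "dst_port": 22, "comment": "TEMP migration window until 2022-03-10"},
]
LOG_SOURCES = [
    {"name": "domain-controller-security", "retention_days": 90},
    {"name": "edge-firewall", "retention_days": 7},
    {"name": "endpoint-av", "retention_days": 30},
]
BACKUPS = [
    {"name": "fileserver", "offline": True, "last_success": "2022-02-26T01:00:00Z", "last_restore_test": "2022-01-10"},
    {"name": "erp-db", "offline": False, "last_success": "2022-02-28T01:00:00Z", "last_restore_test": None},
]

# Assumed convention for marking temporary rules in the rule comment.
TEMP_RULE = re.compile(r"\bTEMP\b.*?until (\d{4}-\d{2}-\d{2})")


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2022-02-27T09:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_day(value):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def stale_accounts(accounts, now=NOW, max_idle_days=60):
    """Accounts not used for more than max_idle_days: candidates for removal."""
    cutoff = now - timedelta(days=max_idle_days)
    return [a["user"] for a in accounts if parse_ts(a["last_login"]) < cutoff]


def privileged_without_mfa(accounts):
    """Privileged accounts still protected by a password alone."""
    return [a["user"] for a in accounts if a["privileged"] and not a["mfa"]]


def expired_temporary_rules(rules, now=NOW):
    """Rules marked TEMP whose stated end date has passed but which are still present."""
    expired = []
    for rule in rules:
        match = TEMP_RULE.search(rule["comment"])
        if match and parse_day(match.group(1)) < now:
            expired.append(rule["id"])
    return expired


def short_retention(log_sources, min_days=30):
    """Log sources retained for less than the one-month minimum."""
    return [s["name"] for s in log_sources if s["retention_days"] < min_days]


def backup_gaps(backups, now=NOW, max_age_days=7, max_restore_test_days=90):
    """Per-backup findings: no offline copy, stale last success, untested restore."""
    findings = {}
    for b in backups:
        issues = []
        if not b["offline"]:
            issues.append("no offline copy")
        if parse_ts(b["last_success"]) < now - timedelta(days=max_age_days):
            issues.append("last successful backup older than %d days" % max_age_days)
        if b["last_restore_test"] is None:
            issues.append("never restore-tested")
        elif parse_day(b["last_restore_test"]) < now - timedelta(days=max_restore_test_days):
            issues.append("restore test older than %d days" % max_restore_test_days)
        if issues:
            findings[b["name"]] = issues
    return findings


def run_checks():
    """Run every check against the sample inventory and return the findings."""
    return {
        "stale_accounts": stale_accounts(ACCOUNTS),
        "privileged_without_mfa": privileged_without_mfa(ACCOUNTS),
        "expired_temporary_rules": expired_temporary_rules(FIREWALL_RULES),
        "short_retention": short_retention(LOG_SOURCES),
        "backup_gaps": backup_gaps(BACKUPS),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

Each function returns the items that need attention rather than printing them, so the same checks can be fed into a ticketing system or re-run daily while the threat level stays elevated. The thresholds (60 idle days, 30 days of logs, a 7-day-old backup, a 90-day-old restore test) are starting points, not NCSC figures, and should be tuned to the organisation's own risk appetite.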
Additional steps for large businesses
The NCSC guidance recommends that larger organisations follow all the steps listed above and also consider taking the following steps, if they have the resources to do so:
- Review whether to accelerate the implementation of key mitigation measures in any cybersecurity improvement plans that have already been approved.
- Revisit key risk-based decisions and determine whether the current level of risk is still acceptable. Consider whether it would be better to invest in remediation or to accept reduced capabilities.
- Assess whether some system functions, such as a rich data exchange from untrusted networks, should be temporarily stopped or streamlined to reduce risk.
- Determine whether to implement a more aggressive approach to patching security vulnerabilities, though doing so may increase the risk of hurting or disrupting service performance.
- Delay any significant system changes not related to security.
- Consider extended operational hours or adding more staffing to ensure a quick response if a cyber incident takes place.
— To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.