The UK’s National Cyber Security Centre (NCSC) has had a busy first eight months of operation, having dealt with 480 major cyber incidents since its inception in October 2016.
These incidents range from global ransomware outbreaks to smaller scale, targeted attacks on UK businesses. The NCSC says that attacks have accelerated in recent months and has reiterated the need for all organisations to take a proactive approach to tackling threats by identifying and remediating weaknesses before they can be exploited by cybercriminals.
Attacks increasing in regularity
Of all the incidents investigated to date by the NCSC, the vast majority (451) were classified as C3 level attacks, of limited scale and often targeting specific organisations. The remaining 29 were C2 level attacks, which were significant incidents requiring cross-governmental response. Examples include the WannaCry and Petya global ransomware attacks and a recent brute-force attack on the UK Houses of Parliament.
None of the attacks recorded reached the top C1 classification, but NCSC incident management director, John Noble, has indicated that the severity of disruption caused to the National Health Service by WannaCry did mean that this level came close to being triggered. Speaking at a recent cyber security event in London, Noble blamed the rise in attacks on the ease with which hackers are able to obtain the tools needed to conduct nefarious activity.
“This increase in major attacks is mainly being driven by the fact that cyber-attack tools are becoming more readily available, in combination with a growing willingness to use them.”
In a recent interview with BBC Radio 4, NCSC CEO, Ciaran Martin, pointed to a shift in attackers’ motives. While stating that most attacks are financially driven, he observed a growing trend of attacks looking instead to cause disruption, such as the recent Petya outbreak. In a separate interview with The Sunday Times, Martin suggested that the UK is likely to see an increase in attacks of this nature, owing to an increasing level of cyber activity from nation states.
The UK is still too soft a target
Both Noble and Martin have consistently pointed to the fact that basic cyber security issues are continuing to be ignored, leaving many organisations vulnerable to attack. The vast majority of reported attacks took advantage of basic weaknesses such as insecure password protocols, unpatched software and applications, poor data backup procedures and insufficient controls for system administrators.
The NCSC recently released a set of guidelines to help organisations fix these issues and Martin indicated that this was a significant factor in the reduced impact of Petya in the UK. However, it is clear that many organisations have still failed to implement the appropriate controls, and Noble suggested that some are struggling to strike a balance between security and usability:
“In the vast majority of incidents, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability, leading to things like logging being turned off to optimise performance.”
These comments emphasise the delicate juggling act that many IT teams face as they struggle to multitask between day-to-day operations and cyber security.
How to improve your organisation’s cyber security posture
Commissioning a certified ethical hacker to conduct regular website and network penetration testing is one highly effective way for businesses to detect and address security issues that leave them vulnerable to breaches. For businesses that want to go further to reduce risk, achieving Cyber Essentials certification is a great way to demonstrate compliance with recommended standards.
To alleviate the stress on already stretched IT teams without the budget or expertise to effectively maintain and develop information security, many organisations are also turning to managed detection and response (MDR) to help mitigate business risk. Redscan’s ThreatDetect™ service acts as an extension of in-house resources to provide the rapid threat detection, incident response and breach reporting capabilities otherwise only achievable by large enterprises.