Top security tips from the National Cyber Security Centre

Security is no longer restricted to the IT-only zone. Now, when so much of our lives is recorded by companies and organisations, it’s a business-wide concern. At this year’s Microsoft Future Decoded, Dr Ian Levy, Technical Director at the National Cyber Security Centre (NCSC), took to the stage.

There are nine things that businesses must do to protect their users, customers and brand. And while some are simple common sense, others require technical knowledge. Some are quick fixes, small steps you can take in an instant. Others will need more time and attention to devoted to them, and even changes in organisation policy, process, attitude and behaviours.

Cybersecurity usually relies on fear to spur people into action. You’ve probably read a variety of threatening, scary articles that spark panic across your company. Well, the NCSC is pushing back. These nine recommendations below aren’t designed to scare anyone into action. They’re exactly what the NCSC does to protect the government. And as Dr Levy says, if it works for the Government – it’ll work for all organisations.

Do your administrators browse the web or get email using their admin machine or account?

The NCSC see many, many mistakes resulting from people receiving emails or browsing the web, while on the company’s admin account. It’s human nature to err, and considering the rules of probability, someone’s going to make a mistake one day. From clicking on a suspicious link in an email to browsing a dodgy website, if someone does this while on an admin account – that’s the entire company broken into. This, according to the NCSC, is the most important step you can take towards protecting your business. Don’t allow anyone to use the internet or email applications while on the admin account.

For big companies using Managed Service Providers, it’s not quite as simple, as you’ve basically outsourced all of your IT admin. You need to look at all parts of the contractor relationships: trust, contract and processes. To help companies out in this position, the Government has published comprehensive advice. Whether your admin account is local or through an MSP, you need to get it right. It’s your biggest vulnerability: employee behaviour causes around 80% of security-related breaches.

Do you whitelist executables? Do users ever have write and execute permissions to a directory?

Everyone wants to hope that their security processes are robust enough to stop any attacks. But thinking like this could be your downfall. Instead, assume that someone’s going to break in. Assume that someone’s going to make a mistake. Assume that you don’t patch in time. And then minimise the damage that can be done.

If you update your settings to say that users can’t write and execute from the same directory, your damage control will be a case of restarting your device. If you do let users write and execute at once, hackers can wreak havoc on your systems. Or, they can lie in wait, dormant in your systems until they decide to strike. Dr Ian states that in the investigations the NCSC does into hacked companies, the ‘nasty stuff’ has sometimes been in their systems for years – even decades.

When a mistake happens, don’t let it be world-ending. For example, Windows AppLocker prevents non-trusted code from executing. If you have more resource, you can look at using apps to whitelist your executables. That is, rather than allowing all programs to run and only blocking suspicious ones, you’ll block everything, and create rules for a certain few programs to break through.

You do use a VPN, right? And the credentials aren’t just the user credentials, are they?

Most people take for granted the security that a VPN brings. But at some point, someone’s going to create a lookalike of your log-in page. They’ll phish your employees and gain access to their credentials. That won’t be the end of the world if you’re securing your VPN properly. But if the only thing standing between a hacker and your company’s data is a username and password, then you’re in big trouble.

Two-factor authentication and machine certificates are necessary to complete a VPN’s security process. Without using one of these, it’s like putting a set of locks on your front door, but not bothering to shut it before bed.

Two-factor authentication is easy to install now. There are plenty of plug-and-play solutions to help you do this easily, like the built-in feature in Windows 10. Or, you can eradicate user impact. A machine certificate means that even if a hacker guesses credentials, unless they have access to the device tied to the credentials, they won’t have access.

Do you have a register of systems and domains that expose a service to the internet? What’s your process for adding one?

It’s not hard for someone to pretend to be you or your company. Whether it’s through fraudulent emails, letters or phone calls, you know that you need to be aware of all communications purportedly coming from your brand. But what about your actual website?

You need to know exactly what’s on show. The main problem the NCSC sees during incidents is a compromised system that no one even knew existed. You must know what you’ve got out there exposing a service. Else how do you know what you need to patch? And if someone uses ransomware to hold data on an old site hostage, how do you know if it’s vital enough to pay for?

If you don’t know what you’ve got, you can’t protect it. It’s a case of asset management, down to the last, tiny detail. Go through all of your external, internet-facing pages that offer services, and decide if they’re still important. It might be obvious. Or it might be a case of shutting the page down, and seeing how quickly it takes departments to complain.

You’ve got a sensible patching policy for all your internet facing stuff, right? And you’ve audited it recently, haven’t you?

For anything internet-facing, you need a robust patching policy. It’s likely to differ depending on how important each page or service is. And the speed at which you patch is always going to change based on how business critical the situation is. But you need the same stringent attitude towards your patching policy as you do towards your financial control policy, including the regularity of audits.

You need to know what you’ve got, and how long it’s been live for. You need to patch quickly, and not let your company get caught out due to a vulnerability from a few years ago – exactly like what happened to TalkTalk.

If your external-facing services and sites aren’t well patched, you’ll have problems. Luckily, there are a lot of ways you can do this automatically. Windows Update provides automatic updates by default, and WSUS (Windows Server Update Services) supports all enterprise updates.

Are your systems that hold personal data designed properly?

If you run externally-facing systems that hold customer data, you have to assume that one day, they’ll be successfully attacked. So, you need to have a system that’s designed for managed compromise. You need to be able to have a conversation with your CIO and your customers, where you can say that X, Y and Z need to happen before hackers get hold of precious customer data.

It’s hard to do this. If you use a service that processes personal data, you need to have a robust, reliable security system. The built-in features in Windows 10, plus Microsoft’s world-leading dedication and expertise in the security field, are an ideal place to start. And for further information, read this guidance set out by the Government, about what to think about when designing a system that processes personal data.

Do you follow NCSC email guidance?

The NCSC has released recent guidance around email security, recommending the use of TLS and DMARC. Organisations should be using both preventions to protect both their customers, and themselves. In a nutshell, TLS stops people intercepting your emails, and DMARC stops people pretending to be you.

With DMARC, you can take control of your email domain. It’s another barrier stopping fraudulent emails from reaching your customers. And because it sends all failed emails back to you, you can process what people are sending out in your name.

TLS is just as important. You don’t want commercially sensitive information leaked or spread around the internet. It’s a simple way to ensure your company’s and your customers’ data stays private and secure. TLS is an automatic feature on the majority of email systems, for example, with Office 365, you simply tick a box to action it.

Do you do active brand protection online?

Once you’ve got installed the right software, ticked the right boxes, and instilled the right employee behaviours, you might think you’ve guaranteed the protection of your company. Well, almost. To reach the higher levels of security and protection, you need to be actively protecting your brand online. You need to search for lookalike domains, analyse and process spam, and monitor phishing sites.

If you’re not doing this, you’re not protecting people. However, by looking actively for suspicious activity and behaviour, you can reduce the likelihood of harm when someone clicks on a fraudulent link. Yes, everyone is warned not to click if you think a link looks suspicious. But according to Dr Ian, this advice isn’t good enough. Technology is sophisticated enough for hackers to disguise suspicious-looking links, as he wrote about recently. Instead of telling people not to click links, just make sure there’s nothing harmful waiting for them when they do.

Are you careless when you communicate with customers?

One last thing to consider is how you interact with your customers. Are you encouraging dangerous behaviours in them? Are you training them up to give away details to criminals? If your organisation calls customers up and asks them for their account details and hidden passwords, then what’s stopping them from relaying the same information to a criminal when they call up pretending to be you?

You need to put measures in place that protect people – and don’t encourage behaviours that could get them in trouble. This could be implementing two-factor authentication with every piece of communications – from calling back your company back on a different number to clicking on a link emailed separately.

Analyse the communications you’re sending out – and you’ll have to work alongside your marketing department here – and see how they encourage both good and bad behaviours. Don’t let your emails, gated sites and communications be the reason your customer becomes an easy target.

See how Microsoft 365 can protect your business here

Visit Microsoft Secure to see how you can develop the right security strategies