
Actions for Cyber Threats

Actions to take when the cyber threat is heightened. This article by NCSC.GOV.UK gives advice on when organisations might face a greater threat and on the steps to take to improve security.

Balancing cyber risk and defence

The threat an organisation faces may vary over time. At any point, there is a need to strike a balance between the current threat, the measures needed to defend against it, the implications and cost of those defences and the overall risk this presents to the organisation.

There may be times when the cyber threat to an organisation is greater than usual. Moving to heightened alert can:

  • Help prioritise necessary cyber security work
  • Offer a temporary boost to defences
  • Give organisations the best chance of preventing a cyber attack when it may be more likely, and recovering quickly if it happens

The guidance explains in what circumstances the cyber threat might change, and outlines the steps an organisation can take in response to a heightened cyber threat.

Factors affecting an organisation’s cyber risk

An organisation’s view of its cyber risk might change if new information emerges that the threat has heightened. This might be because of a temporary uplift in adversary capability, if for example there is a zero-day vulnerability in a widely used service that capable threat actors are actively exploiting. Or it could be more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions.

These diverse factors mean that organisations of all sizes must take steps to ensure they can respond to these events. It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack. Even the most sophisticated and determined attacker will use known vulnerabilities, misconfigurations or credential attacks (such as password spraying, attempting use of breached passwords or authentication token reuse) if they can. Removing their ability to use these techniques can reduce the cyber risk to your organisation.

Actions to take

The most important thing for organisations of all sizes is to make sure that the fundamentals of cyber security are in place to protect their devices, networks and systems. The actions below are about ensuring that basic cyber hygiene controls are in place and functioning correctly. This is important under all circumstances but critical during periods of heightened cyber threat.

An organisation is unlikely to be able to make widespread system changes quickly in response to a change in threat, but organisations should make every effort to implement these actions as a priority.

Check your systems patching

  • Ensure your users’ desktops, laptops and mobile devices are all patched, including third party software such as browsers and office productivity suites. If possible, turn on automatic updates.
  • Check to make sure firmware on your organisation’s devices is also patched. Firmware updates are sometimes delivered in a different way from software updates, so they are easy to overlook.
  • Ensure your internet-facing services are patched for known security vulnerabilities. Internet-facing services with unpatched security vulnerabilities are an unmanageable risk.
  • Ensure, where possible, that your key business systems are all patched. Where there are unpatched vulnerabilities, ensure that other mitigations are in place.
  • Also review existing business cases for known unpatched systems in view of the heightened threat.

Verify access controls

  • Ask staff to ensure that their passwords are unique to your business systems and are not shared across other, non-business systems. Make sure passwords for your systems are strong and unique and that any which are not are changed immediately.
  • Review user accounts and remove any old or unused accounts. If you have multi-factor authentication (MFA) enabled, check it is properly configured. Make sure it is enabled on systems and user accounts according to your policies.
  • Carefully review any accounts that have privileged or administrative access and remove old, unused or unrecognised accounts. Ensure that accounts that have privileged access or other rights are carefully managed and, where possible, use MFA. Privilege can refer to system administration, but also to access to sensitive resources or information, so ensure resources are also adequately protected.
  • Consider your overall system administration architecture to better understand your risk in this area.
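One way to run the account review described above as a repeatable check, using a constructed account inventory rather than a real directory export (added example, not part of the NCSC guidance; the inventory, the 90-day threshold and the set of privileged groups are assumptions):

```python
from datetime import date, timedelta

# Constructed sample account inventory (hypothetical data, not from the guidance).
# Each entry: username, last sign-in date, groups, whether MFA is enforced, known owner.
ACCOUNTS = [
    {"user": "alice",   "last_login": date(2022, 3, 8),  "groups": ["staff"],            "mfa": True,  "owner": "A. Smith"},
    {"user": "bob",     "last_login": date(2021, 9, 1),  "groups": ["staff"],            "mfa": True,  "owner": "B. Jones"},
    {"user": "svc-bak", "last_login": date(2022, 3, 9),  "groups": ["backup-operators"], "mfa": False, "owner": "IT Ops"},
    {"user": "tmpadm",  "last_login": date(2022, 1, 15), "groups": ["domain-admins"],    "mfa": False, "owner": None},
    {"user": "carol",   "last_login": date(2022, 3, 9),  "groups": ["finance", "staff"], "mfa": True,  "owner": "C. Diaz"},
]

# Groups treated as privileged: system administration, but also access to sensitive data
# (the guidance notes that privilege covers both). Assumed group names.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators", "finance"}

def review_accounts(accounts, today, stale_days=90):
    """Return {username: [issues]} for accounts that need action: unused accounts,
    privileged accounts without MFA, and accounts with no recorded owner."""
    findings = {}
    cutoff = today - timedelta(days=stale_days)
    for a in accounts:
        issues = []
        privileged = bool(PRIVILEGED_GROUPS & set(a["groups"]))
        if a["last_login"] < cutoff:
            issues.append("unused for over %d days" % stale_days)
        if privileged and not a["mfa"]:
            issues.append("privileged account without MFA")
        if a["owner"] is None:
            issues.append("unrecognised account (no owner on record)")
        if issues:
            findings[a["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, date(2022, 3, 10)).items():
        print(user, "->", "; ".join(issues))
```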

Ensure defences are working

  • Ensure antivirus software is installed and regularly confirm that it is active on all systems and that signatures are updating correctly.
  • Check your firewall rules are as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.
  • The NCSC’s device security guidance can help with secure configuration of common desktops, laptops and mobile devices.
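A check for the "temporary rules left in place" point above, run over a constructed rule export in which temporary exceptions are marked with a `# TEMP` comment (added example, not NCSC code; the export format, the `expires=`/`ticket=` comment convention and the addresses are assumptions):

```python
import re
from datetime import date

# Constructed sample firewall rule export (hypothetical format: one rule per line,
# with an optional "# TEMP ..." comment recording why and until when it was added).
RULES_EXPORT = """\
ACCEPT tcp 203.0.113.0/24 -> 10.0.0.5:22    # TEMP expires=2022-02-28 ticket=CHG-1234
ACCEPT tcp 0.0.0.0/0      -> 10.0.0.10:443
ACCEPT tcp 198.51.100.7   -> 10.0.0.5:3389  # TEMP expires=2022-04-01 ticket=CHG-1300
ACCEPT udp 192.0.2.44     -> 10.0.0.20:161  # TEMP
DROP   any 0.0.0.0/0      -> 10.0.0.0/8
"""

# Matches the TEMP marker and its optional expiry date and change ticket.
TEMP_RE = re.compile(r"#\s*TEMP(?:\s+expires=(\d{4}-\d{2}-\d{2}))?(?:\s+ticket=(\S+))?")

def audit_temporary_rules(export, today):
    """Return (line_no, rule, reason) for every temporary rule that has expired
    or was added without an expiry date, so it can be removed or re-justified."""
    findings = []
    for n, line in enumerate(export.splitlines(), 1):
        m = TEMP_RE.search(line)
        if not m:
            continue  # permanent rule: not a temporary exception
        rule = line.split("#")[0].strip()
        expires, ticket = m.group(1), m.group(2)
        if expires is None:
            findings.append((n, rule, "temporary rule with no expiry date"))
        elif date.fromisoformat(expires) < today:
            findings.append((n, rule, "expired on %s (ticket %s)" % (expires, ticket or "none")))
    return findings

if __name__ == "__main__":
    for n, rule, reason in audit_temporary_rules(RULES_EXPORT, date(2022, 3, 10)):
        print("line %d: %s -- %s" % (n, rule, reason))
```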

Logging and monitoring

Understand what logging you have in place, where logs are stored and for how long logs are retained. Monitor key logs and at a minimum monitor antivirus logs. If possible, ensure that your logs are kept for at least one month.

Review your backups

  • Confirm that your backups are running correctly. Perform test restorations from your backups to ensure that the restoration process is understood and familiar.
  • Check that there is an offline copy of your backup – and that it is always recent enough to be useful if an attack results in loss of data or system configuration.
  • Ensure machine state and any critical external credentials (such as private keys, access tokens) are also backed up, not just data.

Incident plan

  • Check your incident response plan is up to date. See the NCSC’s Incident Management guidance.
  • Confirm that escalation routes and contact details are all up to date.
  • Ensure that the incident response plan contains clarity on who has the authority to make key decisions, especially out of normal office hours.
  • Ensure your incident response plan and the communication mechanisms it uses will be available, even if your business systems are not.

Check your internet footprint

  • Check that records of your external internet-facing footprint are correct and up to date. This includes things like which IP addresses your systems use on the internet or which domain names belong to your organisation.
  • Ensure that domain registration data is held securely (check your password on your registry account, for example) and that any delegations are as expected.
  • Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.

Phishing response

Ensure that staff know how to report phishing emails. Ensure you have a process in place to deal with any reported phishing emails.

Third party access

If third party organisations have access to your IT networks or estate, make sure you have a comprehensive understanding of what level of privilege is extended into your systems, and to whom. Remove any access that is no longer required. Ensure you understand the security practices of your third parties.

Article published by – 10 March 2022
