Getting senior managers to take computer security seriously is a struggle within many organisations, despite the frequency of high-profile data breaches and hacking incidents.
Now the UK government's computer security agency, the National Cyber Security Centre (NCSC), has put together a list of five questions aimed at starting 'constructive' discussions between executives and their computer security teams.
According to the NCSC, two-thirds of boards have received no training to help them deal with a cyber incident, and 10 percent have no plan in place to respond to one. These conversation-starters aim to bridge the gap between executives who don't know about security issues and the IT department that may struggle to make its voice heard. Boards need to understand cyber risk in the same way they understand financial risk, or health-and-safety risk, said the NCSC.
"There is no such thing as a foolish question in cyber security. The foolish act is walking away without understanding the answer because that means you don't understand how you're handling this core business risk," said NCSC chief executive Ciaran Martin.
NCSC's five questions are listed below, with some suggestions as to the sorts of responses executives should expect from their computer security team.
- How do we defend our organisation against phishing attacks?
Phishing -- sending fake messages to staff -- is still one of the most common ways hackers attempt to gain access to a company's computer systems. The attackers may want staff to click on links in the email in order to install malware on their computers, or the links may direct them to fake websites that ask for sensitive information (such as bank details). A common con is 'CEO fraud', where criminals send phishing emails claiming to be from a senior executive within the organisation, asking staff to transfer money -- which is then pocketed by the fraudsters.
While such messages can arrive by text message, over social media, or by phone, the most likely avenue of attack is by email.
NCSC said potentially good answers might include filtering or blocking incoming phishing emails, ensuring external email is marked as external, stopping attackers 'spoofing' emails, and helping staff with training.
Companies can also limit the impact of phishing attacks that get through by using a proxy server that prevents access to known bad sites, ensuring staff don't browse the web or check emails from an account with administrator privileges, and using two-factor authentication (2FA) on your important accounts or services.
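Two of the controls NCSC lists above, marking external email as external and spotting messages that impersonate senior staff, can be illustrated with a small mail-gateway check. The following is an added example written for this page, not NCSC's or any vendor's code; the internal domain, the executive name and the sample messages are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation details for this example (hypothetical values).
INTERNAL_DOMAINS = {"example.com"}
# Display names of senior staff that CEO-fraud emails typically impersonate.
EXECUTIVE_NAMES = {"jane doe"}

def classify_sender(raw_message: str) -> dict:
    """Mark external mail and flag display-name impersonation of internal executives.

    Returns the sender address, whether it is external, whether the display
    name matches an internal executive despite coming from outside, and the
    subject line with an [EXTERNAL] tag prepended where appropriate.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    is_external = domain not in INTERNAL_DOMAINS
    # CEO-fraud pattern: an executive's name on a message sent from outside.
    impersonation = is_external and display_name.strip().lower() in EXECUTIVE_NAMES
    subject = str(msg.get("Subject", ""))
    if is_external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"address": address, "external": is_external,
            "impersonation": impersonation, "subject": subject}

def flag_impersonation(raw_messages: list) -> list:
    """Return the sender addresses of messages that look like CEO fraud."""
    return [r["address"] for r in map(classify_sender, raw_messages) if r["impersonation"]]

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <jane.doe.ceo@webmail.invalid>\nSubject: Urgent transfer\n\nWire today.\n",
    "From: Accounts <billing@supplier.invalid>\nSubject: Invoice 1234\n\nAttached.\n",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify_sender(m))
    print("Suspected CEO fraud from:", flag_impersonation(SAMPLE_MESSAGES))
```

A real gateway would also check SPF/DKIM/DMARC results, but the display-name check alone catches the look-alike free-mail address pattern described above.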
- How does our organisation control the use of privileged IT accounts?
NCSC warned that granting elevated system privileges should be carefully controlled and managed. Even where an account with higher privileges is required for part of a role, staff should still use a standard user account for day-to-day work, such as email and web browsing. A policy of using 'least privilege' when setting up staff accounts is a good answer, said NCSC, as is minimising the use of privileged accounts, and maintaining strong links between HR processes and IT so that accounts don't remain active when staff leave.
- How do we ensure that our software and devices are up to date?
Patching software and hardware is a time-consuming and tedious process, but skipping patches can leave you exposed, with potentially disastrous consequences. Much of the impact of the WannaCry ransomware attack could have been prevented if organisations had made sure their software patches were up to date.
NCSC said good answers to this question include having processes in place to identify, triage, and fix any vulnerabilities, backed up by regular audits to ensure that the patching policy is being followed -- "just as you would with a critical financial policy". Companies should have an end-of-life plan for devices and software that are no longer supported, and ensure that their network architecture minimises the harm that an attack can cause -- handy in the case of a 'zero day' attack exploiting vulnerabilities for which no defence exists. NCSC also suggests that companies use cloud-based applications where security updates can be handled by the cloud vendor: "Allowing cloud providers to provision computing services can allow you to focus your scarce security resources on protecting your bespoke applications and user devices, something only you can do," said the agency.
- How do we make sure our partners and suppliers protect the information we share with them?
Any connection to your suppliers or customers could provide an attack path to your systems, and is often an overlooked weakness. Security should be built into all agreements, and all controls need to be checked and audited, NCSC said. Companies should also ensure that they minimise the number of services exposed and the amount of information exchanged.
- What authentication methods are used to control access to systems and data?
Passwords are an obvious access control, but not the only one, and they need to be complemented by other controls to protect your enterprise. NCSC said that companies should encourage the use of sensible passwords and ensure that all default passwords are changed. To avoid unrealistic demands on users, companies should only enforce password access where it's really needed, the agency said, and only enforce regular password changes if there is suspicion of compromise.
"You should also provide secure storage, so staff can write down passwords, and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily," NCSC suggests. Companies should also consider implementing 2FA where possible: "Setting up 2FA is the single most useful thing that you can do to protect important accounts and where possible, should be rolled out to staff and customer accounts."