These incidents highlight the fact that without basic cyber security measures in place, organisations are at risk of serious compromise. Organisations holding sensitive information, such as health data, are a target for criminals seeking to extort money.
The use of malware
A common element across these major incidents was compromised credentials harvested using infostealer malware.
Infostealers are a type of malware that focuses on stealing information from networks, such as passwords, credentials, bank accounts, government IDs (such as RealMe accounts), crypto-wallets and any other information that is either considered valuable or can be used to gain further access to a network. Often one group of malicious actors will steal the information and sell it to others, who use it to gain access to a network.
'Malware' is any kind of malicious software designed to damage or harm a computer system. Malware aims to gain access to your computer without you knowing it is there. Malware can enter your computer system when you download an infected file or visit an untrustworthy website.
Getting the basics right
The NCSC also observed that basic cyber security measures could have prevented these incidents from occurring. NCSC strongly recommends three measures organisations can put in place to guard against similar cyber threats.
- Multi-factor authentication (MFA): MFA is an additional security step that can be required when accessing an account. Authorisation to access the account requires confirmation through a second channel, such as a code or token. This is one of the most effective ways to keep online accounts secure.
- User access management. Accounts that use a system should only be able to access what they need to. Organisations should have policies and procedures to limit each user's access to only what that user needs to do their work. Privileged accounts on a network need to be properly secured and monitored to minimise the chance of outside access to the network.
- Protect your ‘edge’. Where an organisation’s network is accessed from the outside, or where it connects to the internet, is called the ‘edge’ of their network. This space needs to be particularly well protected, utilising protections such as firewalls. Those looking in from the outside of a network should only be able to see what you need them to see.
Outsourced IT security
In the incidents analysed by NCSC, we noted that many organisations relied on their third-party IT providers to manage a lot (if not all) of their cyber security measures.
If your organisation is not running its own IT, you need to ensure that your service provider is actioning security measures. It is recommended that organisations implement the NCSC minimum cyber security standards, or similar standards.
You as an organisation have an obligation to protect your customers and their sensitive personal information, and it is important to ask your IT security provider the right questions.
Key questions to consider
In summary, organisations should consider the following:
- Are the privileged accounts in our network properly secured and monitored?
- Can our users only access what they need to?
- What is the edge of our network?
- Are the edges of our network fully protected?
- What monitoring is done of our access control and what reporting is provided?
- What regular security reporting can be provided to give assurance that these issues are being assessed and monitored?
For further information and guidance on how to protect your organisation from cyber threats, visit the Protect your organisation section of the NCSC website.