Cybersecurity update from NCSC

Tips to protect your business, including how to strengthen passwords

IP image

The National Cyber Security Centre (NCSC) continues to offer guidance to UK businesses and organisations during this period of heightened threat. Its latest advice can be found on the NCSC website.

In addition, NCSC is collating its advisories, threats and urgent comms and sending out regular messaging to those signed up to the ‘Threats and Advisories’ option on the NCSC Subscription Centre. Anyone can sign up to these subscriptions to receive the latest information from the NCSC.

Phishing and ransomware updates

This is a good time to review advice and guidance related to phishing and ransomware, which remain the most prevalent ways in which organisations find themselves compromised.

The NCSC ransomware guidance has been brought together in one location, to provide more information on what malware and ransomware is, preventative actions to take, steps to take if your organisation is already infected, and further advice.

Similarly, NCSC has a single place to find guidance for organisations on how to defend against phishing attacks. This guidance covers what phishing is and defences and mitigations to put in place to protect your organisation.

NCSC board toolkit

The NCSC continues to call upon organisations to bolster their online defences and its board toolkit is a useful resource to aid discussions.

This covers a range of cybersecurity topics, starting with an introduction to cyber security, and includes nine modules, each one filled with straightforward guidance and helpful questions that organisations can ask their technical teams.

The toolkit is designed to guide organisations through cybersecurity, no matter what their starting point. It can be seen as guidance to support organisations in getting up to speed on a topic they might not be familiar with.

The toolkit introduces key cybersecurity topics and explains why these are important to every organisation. Think of it as less of a manual to be read cover to cover, and more as a resource to be used to help you develop your own cybersecurity board strategy – one that can adapt to fit your own unique cultures and business priorities.

This presentation introducing the toolkit with voice-over provides a great introduction.

Why should my organisation use the toolkit?

Board-level engagement with cybersecurity is relatively low, with only 50% of businesses and 40% of charities having one or more board members with oversight of cybersecurity risks.

If your organisation is connected to the internet then it is exposed to cyber risk, and regulations such as GDPR make it clear that cyber security is not the responsibility of an individual but of the whole organisation.

The majority of cyber attacks are opportunistic and untargeted, with the perpetrator seeking to take advantage of a vulnerability in a system without being particularly interested in whose system it is.

There are three interrelated reasons that organisations need to take cyber security seriously:

  • nearly all organisations depend on digital technology to function
  • the potential cost of remedying a cyber incident 
  • the risk of reputational damage.

Taken together, it’s clear that cybersecurity is essential and needs to be understood as it enables organisations to function.

The new national Cyber Aware campaign from the NCSC was launched in March with ads across radio, social media, and outdoor digital display boards, encouraging citizens, microbusinesses and sole traders to take two practical actions to protect their main email accounts by:

  • strengthening passwords by using three random words (3RW)
  • enabling two-step verification (2SV), also known as multi-factor authentication. 

The campaign provides actionable advice on defending digital assets against the very real threat of online scams and is a combined effort of several government departments – the NCSC, the Department for Digital Culture, Media and Sport, the Home Office and Cabinet Office.

Since April 2020, members of the public have reported over 10.5 million suspicious emails to the NCSC, resulting in the take-down of 76,000 online scams. This is in addition to a 161% increase in unauthorised access to personal information offences – including hacking – last year.

The Cyber Aware campaign seeks to combat this threat through an engaging and light-hearted approach to get the attention of non-cyber enthusiasts and encourage them to take up two behaviours to best protect important accounts, particularly emails.

The Cyber Aware website gives clear instructions about how to set up two-step verification (2SV), as well as guidance on passwords based on three random words (3RW). The aim is to protect all of us and make life even harder for the scammers and opportunistic criminals who are taking advantage of people using digital devices.

Using three random words (3RW) allows us to set passwords that are unique, strong and easy to remember. Enabling two-step verification (2SV) significantly decreases the likelihood of an account being hacked. It is simple and dramatically reduces risks, including financial losses.

Stealing a password can be simple – stealing a password and a device used to authenticate a login is much harder.

If you want to publicise the Cyber Aware messaging in your organisation, download the assets, imagery and resources for the 2022 Cyber Aware campaign.

Additional resources

ACCA cybersecurity CPD packages

ACCA cybersecurity resources