At the CBI Cyber Conference in September 2018, Ciaran Martin, CEO of GCHQ’s National Cyber Security Centre (NCSC), presented the Board Guidance Toolkit [1]. Below is a summary of his five recommendations, each followed by suggested security approaches and remediation tactics.
“Control the use of your privileged IT accounts”
Ciaran Martin – CEO at NCSC
Insider risk: Whether it comes from a disgruntled, malicious employee or from an accidental user action, the threat posed by people inside a business is always significant. For example, a server administrator could decide, for whatever reason, to erase all of the company’s sensitive data and its backups with a single command. Such behaviour is unpredictable, and the administrator already has all the access and tools needed to carry it out (no malware required).
This type of action, malicious or accidental, needs to be addressed. Tight access controls on privileged accounts, combined with monitoring of how those accounts are used, can be used to thwart such behaviour.
“Defend your organisation against phishing attacks”
Ciaran Martin – CEO at NCSC
Email attacks: Spear phishing continues to be the starting point of many campaigns, because it works. We often don’t think twice about opening a Word document or a PDF file; many of us do it daily as a routine part of our jobs. Cyber criminals exploit precisely this daily routine of ‘not thinking’.
Staff awareness training and safe, simulated phishing campaigns can help guard against and mitigate such attacks.
“Ensure that your software and devices are up to date”
Ciaran Martin – CEO at NCSC
Patching: Patching is an important hygiene factor for applications, systems, infrastructure and architectures. It is not possible to patch every system, but you don’t need to, because not every system will impact your business if breached. However, it is essential that the systems forming your key business ecosystems (your ‘Crown Jewels’) are patched regularly and in line with the provider’s minimum recommendations.
It is also essential that new applications go through testing to ensure they are released ‘Secure by Design’, so pre-production application development must never be overlooked. Corporate digital transformation programmes can bring huge pressure to deliver change and shorten application time-to-market, but this must not come at the cost of either quality or security.
“Ensure our partners and suppliers protect the information we share with them”
Ciaran Martin – CEO at NCSC
Third-party risk: One of the biggest cyber security risks organisations face is not a specific threat, but our ability (or inability) to modernise our defensive approach as the threat landscape shifts. For example, many organisations continued to focus on perimeter defence long after it became clear that the adoption of laptops had shifted the threat to mobile devices. The same happened as infrastructure and software moved to the cloud, opening another threat window. In each wave, organisations spend years trying to catch up.
Today, threats are shifting yet again. Taking advantage of our increasingly interdependent world, attacks now arrive via our third-party partners.
The risk posed by third parties, such as suppliers, affiliates, partners and contractors, has been brought increasingly into the spotlight by several high-profile and very public breaches. One of the largest was the Target Corporation breach, which occurred through an attack on an HVAC supplier that gave the attackers direct access to Target through its supplier portal. More than 60 million customer records and 40 million credit card numbers were leaked, resulting in over $18 million in lawsuit settlements, the resignation of the CEO, a nearly 50% drop in operating profit, and an incalculable loss of customer confidence.
Third-party risk can be managed through onboarding procedures, risk identification, peer and industry comparisons, and, critically, continuous monitoring.
“Ensure robust authentication methods are used to control access to systems and data”
Ciaran Martin – CEO at NCSC
Improve authentication methods: Recommendations for improving authentication methods have been around for many years, but companies are still largely behind the curve. The vast majority of data breaches have occurred through compromised authentication. A strong password is important, but it is only one step in securing your network and data.
Multi-factor authentication must be used; it is essential for the cyber security of any business, which is why it remains in Ciaran Martin’s top five recommendations for Boards.
Reference:
[1] Ciaran Martin’s speech at the CBI Cyber Conference, NCSC, September 2018. https://www.ncsc.gov.uk/news/ciaran-martins-speech-cbi-cyber-conference