Today the UK’s National Cyber Security Centre (NCSC) opened to great fanfare. But it will have its work cut out to fulfil its mission of making the UK “the safest place to live and work online.” UK organisations of all shapes and sizes are under continual attack – whether from state-sponsored spies, hacktivists or financially motivated cyber gangs. So this is a great chance to marshal our response and make sure we are all able to take advantage of what NCSC boss Ciaran Martin has called a “new era of online opportunity.”
Organisations should use the occasion to revisit and reinvigorate their identity and access management (IAM) strategies by phasing out password-based log-ins. If they don’t, they’ll probably continue to get breached, despite spending tens of billions on cybersecurity globally each year.
Keys to the Kingdom
If you were in any doubt of the scale of the threat facing UK organisations, the past few days should have persuaded you otherwise. NCSC boss, Ciaran Martin, claimed the government has had to fend off at least 188 high-level attacks in the past three months alone. Chancellor Phillip Hammond went further, saying the new centre has already blocked 34,550 “potential attacks” on government and individuals over the past six months.
The figures chime with a new Forrester study, commissioned by Centrify, which reveals that two-thirds of organisations have suffered five security breaches on average in the past two years alone. Often, it all comes down to passwords: the Achilles heel of modern IT security. They can be cracked, hacked and phished with alarming ease these days -- especially as users often maintain weak credentials, and reuse them across multiple sites.
With these all-important credentials, attackers can camouflage themselves as legitimate users logging in. That means traditional IT security defenses have no chance spotting the intruders. And if a hacker gets hold of privileged account credentials -- for example, those of an IT administrator -- then they have the keys to the kingdom.
The repercussions could be catastrophic. Some estimates claim data breaches cost UK organisations on average over £1 million. And that’s not even factoring in the incalculable reputational damage. But increasingly, cyber attacks are becoming more aggressive, targeting critical infrastructure in a bid to hold organisations to ransom. This threat will only grow as the Internet of Things becomes all-pervasive.
Time to retune IAM
All organisations are potentially at risk. If you think you’re too small to be a target, just remember attackers may look to steal your users’ passwords to hack a partner or client. These “stepping stone” attacks are what caught out US retailer Target in one of the biggest breaches ever recorded.
The NCSC will be a great resource going forward. Backed by GCHQ, it will have some of the brightest and best at its disposal, and its 10 Steps to Cyber Security guide is a good start. But we need a laser-focus on IAM. The Forrester study found 83 per cent of organisations still don’t have a mature approach to IAM, leaving them hopelessly exposed. The end goal should be to migrate away from password-based log-ins to some form of multi-factor authentication. But the journey is different for all organisations, so with that, here are some quick wins:
- Never run systems with default passwords – this is tantamount to opening the virtual door to hackers.
- Minimise the number of privileged user accounts, thus reducing your attack surface.
- Operate a policy of “least privilege” – so each user has just enough privileges to do their job and no more.
- Educate staff not to click on links or open attachments in unsolicited mail -- these are classic phishing tricks.
- Improve password management by ensuring employees don’t reuse passwords, write them down or use weak, easy-to-guess/crack credentials.
- Switch to multi-factor authentication (MFA): one of the best ways to mitigate the risk of attackers infiltrating the organisation via stolen passwords. This requires a user to provide another ‘factor’ of authentication typically something they know, something they have, or something they are.
- Consider a risk-based access approach to reduce user friction. This would offer single sign-on (SSO) to those whose behaviour is judged low risk but escalate to MFA for higher risk sessions such as a log-in attempt from an unusual location.