The UK's new National Cyber Security Centre aims to make the UK "the safest place to live and work online". But Teiss guest blogger Andy Heather warns that this can't happen unless business takes on board the need to manage access as part of a wider cyber security strategy.
Today the UK’s National Cyber Security Centre (NCSC) opened to great fanfare. But it will have its work cut out to fulfill its mission of making the UK “the safest place to live and work online”. UK organisations of all shapes and sizes are under continual attack – whether from state-sponsored spies, hacktivists or financially motivated cyber gangs. So this is a great chance to marshal our response and make sure we are all able to take advantage of what NCSC boss Ciaran Martin has called a “new era of online opportunity.”
Organisations should use the occasion to revisit and reinvigorate their identity and access management (IAM) strategies by phasing out password-based log-ins. If they don’t, they’ll continue to get breached, despite spending tens of billions on cyber security globally each year.
Keys to the kingdom
If you were in any doubt of the scale of the threat facing UK organisations, the past few days should have persuaded you otherwise. NCSC boss, is reported as claiming that the government has had to fend off at least 188 high-level attacks in the past three months alone. Chancellor Phillip Hammond went further, saying the new centre has already blocked 34,550 “potential attacks” on government and individuals over the past six months.
The figures chime with a new Forrester study, commissioned by Centrify, which reveals that two-thirds of organisations have suffered five security breaches on average in the past two years alone. It all comes down to passwords: the Achilles heel of modern IT security. They can be cracked, hacked and phished with alarming ease these days – especially as users often maintain weak credentials, and reuse them across multiple sites.
With these all-important credentials, attackers can camouflage themselves as legitimate users logging in. That means traditional IT security defences have no chance spotting the intruders. And if a hacker gets hold of privileged account credentials – for example, those of an IT administrator – then they have the keys to the kingdom.
The repercussions could be catastrophic. Some estimates claim data breaches cost UK organisations on average over £1 million. And that’s not even factoring in the incalculable reputational damage. But increasingly, cyber attacks are becoming more aggressive, targeting critical infrastructure in a bid to hold organisations to ransom. This threat will only grow as the Internet of Things becomes all-pervasive.
Time to retune IAM
All organisations are potentially at risk. If you think you’re too small to be a target, just remember attackers may look to steal your users’ passwords to hack a partner or client. These “stepping stone” attacks are what caught out US retailer Target in one of the biggest breaches ever recorded.
The NCSC will be a great resource going forward. Backed by GCHQ, it will have some of the brightest and best at its disposal, and its 10 Steps to Cyber Security guide is a good start. But we need a laser-focus on identity and access management (IAM). Our Forrester study found 83 per cent of organisations still don’t have a mature approach to IAM, leaving them hopelessly exposed. The end goal should be to migrate away from password-based log-ins to some form of multi-factor authentication.
But the journey is different for all organisations, so with that, here are some quick wins:
- Never run systems with default passwords – this is tantamount to opening the virtual door to hackers.
- Minimise the number of privileged user accounts, thus reducing your attack surface.
- Operate a policy of “least privilege” – so each user has just enough privileges to do their job and no more.
- Educate staff not to click on links or open attachments in unsolicited mail – these are classic phishing tricks.
- Improve password management by ensuring employees don’t reuse passwords, write them down or use weak, easy-to-guess/crack credentials.
- Switch to multi-factor authentication (MFA): the best way to mitigate the risk of attackers infiltrating the organisation via stolen passwords. MFA systems typically generate one-time passwords, ensuring any credentials intercepted by a hacker will be useless the next time they are used.
- Consider a risk-based access approach to reduce user friction. This would offer Single Sign On (SSO) to those whose behaviour is judged low risk but escalate to MFA for higher risk sessions such as a log-in attempt from an unusual location.
Twitter: @ARHeather and @Centrify
Andy Heather is Vice President and Managing Director for Europe, Middle East and Africa (EMEA) for Centrify.
Andy joined the company in June 2016 from HP where he led its EMEA Data Security team and has over 25 years of IT experience in sales, sales management, engineering and professional services.
Prior to his role at HP Andy held a number of senior sales management roles at organisations including Tripwire, Affiniti, Opsware, NetApp, Sun Microsystems and IBM.