The growing threat of cyber warfare

Cyber security expert explains how to bolster your defences

Worried about cyber warfare? You’re not alone. With the threat of imminent attack from overseas malware and state-sponsored hacks increasing, the National Cyber Security Centre (NCSC) is calling for UK businesses of all sizes to “strengthen their cyber resilience” in response to the ongoing situation in Ukraine.

But what does cyber resilience mean, and what actionable steps can businesses take to bolster their defences? Anthony Green, CTO and cyber security expert at FoxTech, discusses:

“Intelligence suggests that cyber warfare will target critical infrastructure such as hospitals, schools, and energy supply chains. However, the real risk for the majority of businesses is collateral damage, and it’s never been more necessary for UK services and businesses to make cyber resilience an urgent priority.

“The goal of cyber resiliency actions is to give your organisation the best chance of preventing an attack and making a quick recovery if it does happen. Many organisations don’t even have basic cyber hygiene controls in place, which means that cyber education is vital and could have a potentially huge impact on the UK’s overall resiliency to cyber threats.”

FoxTech has provided its guide to the practical steps that businesses can take from today to strengthen their cybersecurity defences:

Stay informed

Can your IT strategy be summed up with the phrase ‘ignorance is bliss’? Businesses who are not fully aware of the extent of the threat and the actions they need to take will be the most vulnerable to attack. So, it’s vital to get informed.

As part of the Government Communications Headquarters (GCHQ), the NCSC website is frequently updated with the latest guidance, making it one of the best resources for UK businesses to get accurate, up-to-date advice to protect their IT ecosystem from attack. Brief your wider team on the heightened threat to ensure that your whole organisation is on board with the further security actions you may need to take.

Protect your devices

It’s vital to protect all devices that connect to your network, including those that are used remotely.

  • Ideally, make sure your employees are using company devices. If you do not provide company devices, ensure that all personal devices that connect to your network are secured
  • Ask employees not to conduct personal business on their company device
  • Ensure that all users’ laptops, desktops, and mobile devices have been tested and patched (patching is a process that repairs security vulnerabilities)
  • Turn on automatic updates and always install new updates as soon as possible

Practise password security

User accounts are a common entry point for attackers – make sure yours are not an easy target.

  • Install two-factor authentication
  • Disable frequent password updates that encourage employees to write down their password as a reminder
  • Protect against password spraying by ensuring users choose uncommon passwords. The NCSC guidance recommends disabling complexity requirements which encourage password re-use, and instead using three random words, such as phoneradiuswhile or yelljamdistance
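
The password guidance above can be enforced at account creation or password change. The sketch below is an added example, not FoxTech or NCSC code: it generates a three-random-word passphrase and checks candidates against a deny list with no complexity rules. The word list, the deny list and the 12-character minimum are constructed assumptions.

```python
import math
import secrets

# Constructed sample data (assumptions): a real deployment would load a
# dictionary of several thousand words and a published common-password list.
WORDS = ["phone", "radius", "while", "yell", "jam", "distance", "copper",
         "window", "marble", "ticket", "garden", "pillow", "anchor",
         "velvet", "rocket", "sunset"]
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "summer",
                    "123456", "football"}
TRAILING_DECORATION = "0123456789!@#$%^&*?._-"


def three_random_words(words=WORDS, count=3, sep=""):
    """Build a passphrase from words picked with the OS CSPRNG."""
    unique = sorted(set(words))
    if len(unique) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(unique) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count=3):
    """Entropy of `count` independent uniform picks from the word list."""
    return count * math.log2(wordlist_size)


def check_password(password, min_length=12):
    """Return (accepted, reason). Deny list plus length, no complexity rules.

    min_length=12 is an assumed policy value, not a figure from the article.
    """
    folded = password.lower()
    # "Summer2022!" and "Password1" are still the sprayed base words.
    base = folded.rstrip(TRAILING_DECORATION)
    if folded in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return (False, "common password")
    if len(password) < min_length:
        return (False, "too short")
    return (True, "ok")


if __name__ == "__main__":
    print(three_random_words(sep="-"))
    print(round(passphrase_entropy_bits(7776), 1), "bits with 7776 words")
    for candidate in ("Summer2022!", "Password1", "phoneradiuswhile"):
        print(candidate, check_password(candidate))
```

The 16-word sample list gives only 12 bits for three words; the strength of the scheme comes from a large dictionary and random selection, not from the words themselves.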

Secure your third-party software

All your third-party software needs to be secured and any vulnerabilities should be patched. If you don’t have the expertise to do this in-house, it is highly recommended that you consult cyber security experts who can conduct vulnerability scanning and implement remedial measures for you.

  • Check that any third-party software such as browsers, office productivity suites, firmware and cloud-based services are patched
  • Make sure your firewall, endpoint security and anti-virus are properly installed and correctly configured (if they’re configured incorrectly then you may not be protected)

Review what you’re showing the internet

It’s essential to review all your internet-facing data, as you might be displaying more than you realise.

  • Get a low-cost or free attack surface map to discover what you have exposed to the internet
  • Get an expert to conduct vulnerability scanning on your internet-connected services and patch any vulnerabilities
  • Secure your domain registration data by implementing a strong password on your registry account

Protect against phishing

Phishing emails are by far the most common form of attack, with 83% of UK businesses experiencing a phishing attempt every week.

  • Take advantage of the NCSC’s free cyber security training which has a useful module on spotting and reporting phishing emails – remember that employees are the first line of defence against phishing attempts
  • Instil a ‘no blame’ culture to encourage employees to report when they suspect they have clicked a phishing email

Only allow necessary access

Restrict access to your systems to only those who need it and ensure that all access is secured.

  • Delete any inactive accounts
  • Check your administrative access and ensure that only those who need to are enabled to access the network to make changes
  • Anyone not authorised to make changes should be set to view-only
  • Implement strong multi-factor authentication to all administrative accounts
  • Get a handle on any third-party organisations who have access to your IT estate. Understand what they do, who is allowed access and what privileges they have. Remove any access that is no longer required

Create an incident response plan

If the worst does happen, you need to have a comprehensive incident response plan in place. Only 31% of companies have an agreed cyber attack response plan set up, so this step will be an urgent action for many businesses.

  • If you don’t have a cyber security incident response plan, see the NCSC’s guidance on creating one
  • If you do have a plan in place, ensure all information (especially contact details) is correct
  • Make sure that your plan details who has the authority to make decisions, and what will happen if the attack occurs out of office hours
  • Ensure your plan includes information on how you will communicate if your normal systems are down
  • Make sure data is regularly and securely backed up in a safe place that is unconnected to your network

Contact cybersecurity consultants

If you don’t have cyber security expertise in-house, then consulting a cybersecurity expert can help you implement the steps above. They can also carry out more advanced actions to find and fix any other vulnerabilities that are particular to your organisation.

  • Get an expert security assessment to scan for any remaining vulnerabilities in your network, programmes, and cloud-based services
  • Join a security operations centre, which can constantly monitor your system and analyse any abnormalities against the latest threat intelligence to identify and block breaches before the attacker is able to steal anything.
  • Undergo penetration testing (also known as ethical hacking) to understand how an attacker is likely to gain access
  • Get a free CyberRisk score from FoxTech (it operates like a credit score for your cyber security) to get an immediate indication of your security posture.

The consequences of falling victim to a cyber attack can be dire, so in the current threat landscape, cyber security should be at the forefront of any business’ strategy for 2022.

Companies interested in finding out their CyberRisk score can order this for free from FoxTech here: https://www.foxtrot-technologies.com/cyberrisk-score

Further NCSC resources can be found here: https://www.ncsc.gov.uk/

Revised schedule for City Plan

A report outlining a revised timetable for the City of Edinburgh Council’s City Plan 2030 will now be considered by councillors on Wednesday, 10 March.

The report, which will be made public on Thursday (4 March), will say that the proposed plan will now be considered by councillors in the summer with the preference being for a committee in August.

The proposed plan was due to be considered by the Planning Committee this month but Scottish Environment Protection Agency was subject to a significant cyber attack just before Christmas which is still affecting its services.

This is having an impact on work on the Strategic Flood Risk Assessment required for the proposed plan as well as many other matters.

The proposed plan was originally due to be considered by councillors in December but disruption caused by the coronavirus pandemic has led to some technical reports not being fully completed.

Cllr Neil Gardiner, Planning Convener, said: “The proposed plan will be ambitious and will help us build a more sustainable future as the Capital grows in the coming years. When complete, the proposed plan needs to be robust and not open to challenge on the credibility of the flood risk evidence, which is why we need to postpone its completion.

“I have every sympathy with SEPA and the challenges they are experiencing as a result of this incident and appreciate they are rightly focusing at the moment on immediate risks of flooding or significant breaches of the other regulatory responsibilities they have.”

SEPA: Cyber Attack update

  • SEPA issues further update on cyber-attack, data theft, service delivery and recovery.
  • Ransomware attack remains ongoing as SEPA reiterates it will not engage with criminals intent on disrupting public services and extorting public funds.
  • Data likely to be stolen by international serious and organised cyber-crime groups has been illegally published online.
  • SEPA working to recover and analyse data then contact and support affected organisations and individuals over coming days and weeks as quickly as identifications confirmed.
  • Dedicated data loss support website, Police Scotland guidance, enquiry form and support line available for regulated business and supply chain partners.
  • Priority regulatory, monitoring, flood forecasting and warning services continuing to adapt and operate.
  • Broader update on service delivery and recovery to be confirmed early next week.
  • SEPA continuing to work with Scottish Government, Police Scotland, the National Cyber Security Centre and cyber-security specialists to respond to what remains complex and sophisticated criminality. Subject of a live criminal investigation.
  • The latest information on the cyber-attack, limited data loss and how to contact the agency is available at sepa.org.uk/cyberattack

The Scottish Environment Protection Agency (SEPA) has provided a further update on the ongoing ransomware cyber-attack which has significantly impacted the organisation since Christmas Eve. 

The organisation reiterated that it will not engage with criminals intent on disrupting public services and extorting public funds.

As part of a broad update on data theft, service delivery and recovery, the environmental regulator confirmed that data stolen by what was likely to be international serious and organised cyber-crime groups has now been illegally published online.

In a previous update on 14 January (one of a series since the attack on Christmas Eve), SEPA confirmed the theft of circa 1.2 GB of data across four broad categories.  To provide some context, by comparison the theft was the equivalent to a fraction of the contents of an average laptop hard drive.  Nevertheless, it still means that at least 4,000 files may have been stolen by criminals. 

“Supported by Scottish Government, Police Scotland and the National Cyber Security Centre, we continue to respond to what remains a significant and sophisticated cyber-attack and a serious crime against SEPA” said SEPA Chief Executive, Terry A’Hearn. 

“We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds”, he added.

“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online.  We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”

The agency reiterated that whilst stolen data had now been illegally published and work was underway to analyse the data set, it does not yet know, and may never know the full detail of the 1.2 GB of information stolen. 

Some of the information stolen will have been publicly available, whilst some will not have been.  It confirmed that staff had been contacted based on the information available, were being supported and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line was available for regulated business and supply chain partners.

The agency also confirmed that priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate and that a broader update on service delivery and recovery would be confirmed next week.

Mr. A’Hearn added: “Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups.  We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our 1,200 expert staff. 

“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services.  Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover. 

“We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”

The agency stressed firm Police Scotland advice that organisations and individuals should not seek to search for the stolen information, as accessing the host site may place organisations, individuals and their computer infrastructure at risk.

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident.

“Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.

“It would be inappropriate to provide more specific detail of investigations at this time.”

Jude McCorry, Chief Executive of the Scottish Business Resilience Centre, added: “There are many ways including ransomware a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting like we have seen with SEPA, or even human error, the end result is the same, a disruptive effect on business operations.

“At SBRC we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.

“If you feel that you are a victim of a cyber attack your first call should be to Police Scotland on 101 to report the crime (whilst respecting your IT systems as a crime scene) and our incident response helpline on 01786 437472, we will assist you with immediate support and expert guidance,  and ensure you are speaking to the correct agencies and organisations to help you feel supported and get you back in operation securely.”

SEPA will provide further updates as quickly as possible at www.sepa.org.uk/cyberattack as more information becomes available.

Whilst the agency continues to work hard to understand and resolve the issues, members of the public, regulated businesses and suppliers can find additional information and contact options via:

SEPA responding to significant cyber attack

The Scottish Environment Protection Agency (SEPA) confirmed that it is responding to a significant cyber attack affecting its contact centre and internal systems.

Whilst core regulatory, monitoring, flood forecasting and warning services continue, communication into and across the organisation is significantly impacted.

David Pirie, Executive Director, said: “At one minute past midnight on Christmas Eve, SEPA systems were subject to a significant and ongoing cyber-attack. The attack is impacting our contact centre, internal systems, processes and internal communications.

“We immediately enacted our robust business continuity arrangements, with our core regulatory, monitoring, flood forecasting and warning services adapting and continuing to operate.

“Our Emergency Management Team is working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what appears to be complex and sophisticated criminality.

“Whilst we continue to liaise closely with resilience partners, we’re asking for those who wish to contact us right now  to do so through our social media channels on Facebook and Twitter (@ScottishEPA).”

Further updates will be provided at sepa.org.uk as more information becomes available.

Whilst we work hard to understand and resolve the issues, the public can:

  • Report urgent pollution via Facebook and Twitter (@ScottishEPA) or call 07917 883 455
  • Check latest flooding information at floodline.sepa.org.uk