The 2023 Cyber Breaches Survey has been released, highlighting key findings about the state of the UK’s cyber health.

This year’s study found that cyber security breaches and attacks remain a common threat, with 32% of businesses and 24% of charities recalling any breaches or attacks within the last 12 months – but with cyber security taking a back seat in the minds of many, falling behind economic issues like inflation.

In more positive news, a majority of businesses and charities have a broad range of measures in place, with the most common being endpoint security software (75%), cloud backups (70%), restricted admin rights (67%) and network firewalls (66%).

However general cyber hygiene may actually be getting worse. The report also highlights that the routine avoidance of relatively unsophisticated threats needs greater attention over more advanced hacking, with smaller businesses in particular losing ground in some very fundamental areas, including:

Use of password policies (79% in 2021, vs. 70% in 2023)
Use of network firewalls (78% in 2021 vs. 66% in 2023)
Restricting admin rights (75% in 2021, vs. 67% in 2023)
Security updates within 14 days (43% in 2021, vs. 31% in 2023).

A mere three-in-ten businesses have undertaken any kind of cyber security risk assessment – again showing low scores among smaller firms and driven in most cases by either changes at board level or the demands of customers – corresponding to an increase in businesses reporting checks on their own suppliers.

“Taken together, these findings highlight an increasing cyber hygiene challenge among small to medium enterprises (SMEs) in the post-pandemic era.”

Fewer than four-in-ten businesses have cyber security insurance, just 21% have an incident response plan, and only 14% of businesses are even aware of the NCSC’s important Cyber Essentials Scheme. A mere 9% successfully adhere to ISO 27001 standards.

In particular, the survey highlighted the food and hospitality sectors, entertainment and the construction sectors for reporting low take-up of cyber security measures. The UK’s largest businesses generally report higher scores across all areas, with the exception of patch management (44%) and restricting access to organisation-owned devices (31%).

Among the 11% of businesses that have suffered cyber crime in the last 12 months, the annual (mean) cost of an incident is now estimated to be approximately £15,300 per victim.

For Cyber Security advice and expertise, please contact our team today.

Each year GCHQ’s National Cyber Security Centre issue stricter new rules for business and organisations looking to secure UK Cyber Essentials (CE) and Cyber Essentials Plus (CE+) Certification.

Continuing themes from last year, there are now tighter rules on account access, thin clients, device firmware, remote desktops, antivirus/EDR solutions and more. Despite the success of the Cyber Essentials scheme, the past year has seen some notable cyber attacks on British organisations, and renewed calls for cyber security vigilance.

We’ve compiled a summary to help organisations prepare for what revisions are coming down the line in April.

Multi-Factor or Else.

Even sooner than many expected, Cyber Essentials will now require not only Administrators to have Multi-Factor Authentication enabled – but all end-user accounts as well, across all platforms. Previously exemptions were granted for services without this option available, now that gap closes.

Instead, where a service doesn’t support MFA this will now be declared a non-conformity, bringing digital services fully into line with the rules enforced on UK online banking, and even applying to school children – right down to reception-age.

That’s likely to pose a challenge for companies (and particularly schools) using any software or web services which don’t yet offer MFA – so many organisations may need to look at augmenting their IT setups with 3rd-party MFA solutions like Cisco Duo.

Don’t forget the Firmware!

Software version controls now extend to hardware device firmware – with the definition clarified to specifying “firewall and router firmware” in particular – which was always essential, given the perimeter nature of these devices. In a rare step back, firmware on servers, PCs and other devices has been removed from the scope.

Device Clarifications

The NCSC has admitted third-party devices have been a point of confusion – and has published a revised table clarifying which devices are within the scope of Cyber Essentials. Updates will apply only to devices which are not domain-joined, or when unlocked have limited access to data (smartphones, handheld scanners etc.) If the a vendor does not allow configuration to see CE standards, the application may use the vendor defaults without incurring a non-conformity.

Given that the definition partly rests on who owns the device in question, we predict more changes in future years.

Not Just Any Anti-Malware

Antivirus solutions no-longer need to be ‘Signature-based’ – since the best EDR solutions don’t rely on signature-based detection of threats anyway. CE+ audits will include extra tests to verify that anti-malware software is effective (beyond simple EICAR tests) and application allow-listing is being encouraged.

Scoring Changes

Minor/Major non-conformities have been merged with a single Non-Conformity mark. Any applicant receiving three non-conformities will receive an instant failure. Corrective actions must now be completed within two days, despite some exceptions are available for larger organisations.

However, unsupported operating systems become an unfortunate immediate triple-word score: the presence of any unsupported operating system within the scope is an automatic fail.

For Cyber Security and Cyber Essentials expertise, please contact our team today.

The National Cyber Security Centre (NCSC) has released its annual ‘Cyber Security Breaches Survey’.

The survey is used to inform government policy on digital security, educate British businesses, and ensure UK cyber space remains safe.

Data collected across over 2,400 business and 850 charities produced some startling statistics concerning the ever-looming threat of cyber-attacks infiltrating UK businesses’ digital footprint.

The report discovered that 39% of UK businesses detected an incoming cyber-attack during 2021. Phishing attacks made up a fifth of all threats identified – the most frequent type of malicious attack.

Organisations also revealed that ransomware was being recognised as a serious digital threat with 56% of businesses stating they have installed or will be introducing a company policy to not pay ransoms to cyber criminals.

Whilst 58% of small and medium businesses disclosed to outsourcing their IT Support service, only 23% of surveyed businesses had a cybersecurity incident management strategy in place that is more advanced than a basic endpoint antivirus.

NCSC promote a blend of regular cyber security learning and training processes within your business to better inform the deployment of traditional cybersecurity software measures across all the organisation’s IT systems.

This multi-layered approach aims to counteract the report’s discovery that a lack of cyber technical expertise amongst UK businesses is to blame for threats going undetected.

Similarly, a company-wide policy of digital hygiene erodes the false assumption that managed cybersecurity strategies are a cost to the business rather than a strategic, protective investment.

31% of business admitted being attacked at least once a week showing that any weak link in an organisation’s cyber defence can have grievous financial implications.

To mitigate this, we recommend organisations follow the NCSC’s guidance and adopt Cyber Essentials and Cyber Essentials +. The scheme requires businesses to meet or exceed an assured set of security requirements each year to protect against common forms of online crime, technology dangers and digital threats.

It is estimated that a Cyber Essentials certification can reduce your organisation’s risk of a cyberattack by 98.5% – contact Lineal to assist with your organisation’s application and to help you meet the requirements for a successful certification or re-certification today.

This year GCHQ’s National Cyber Security Centre have introduced stricter new rules for businesses and organisations hoping to achieve UK Cyber Essentials (CE) and Cyber Essentials Plus (CE+) Certification.

In addition to promoting the scheme’s key priorities, the new terms for successful assessment are widely believed to be partially a response to recent events – including more widespread remote and home-working via cloud-based web services during Covid-19, and a series of devastating ransomware attacks that disrupted major infrastructure in the US.

Need a taster of what’s to come? Here are our key take-aways:

Cloud Services under the spotlight

In previous years organisations could exclude many cloud-based platforms from the scope of their assessment – but with the wholesale move to the cloud only accelerating under working from home, and web-services containing ever more data, cloud-based systems such as Microsoft 365 and Google Workspace move squarely into the frame.

Multiplying multi-factor

Most critically this year, two-factor authentication will become compulsory for all administrator accounts registered to cloud-based services – as the NCSC tries to stop hackers obtaining credentials and then remote accessing their way to cyber-devastation. Expect user accounts to follow in 2023 – an exemption may be granted under certain circumstances, but it’s clear the days of the old ‘password-only’ login are numbered.

2022 also places new restrictions on passwords: organisations are encouraged to have password managers enforcing random 8-characters or more, or a 12-character pattern, at a minimum. Mobile devices and similar should have minimum 6-figure pin or biometric security – with a recommended lock-out for ten failed password attempts.

Sub-networks under scrutiny

Sub-networks may now only be excluded if they don’t have a connection to main networks or no internet-access – meaning many organisations will now have to detail their satellite and subordinate operations more fully.

Patching-discipline is said to be the most common reason for failing a Cyber Essentials assessment – the 14 day patch window remains, but automated updates should now be enabled if available. Thin client devices are to be included from next year, and unsupported software should be air-gapped on sub-networks that don’t have internet access.

A question of hats

All super-users are now meant to have distinct user and administrator accounts, with stronger security on the latter. This distinction extends to cloud-services, meaning administrators will have to swap between their day-to-day functions completed on user accounts, and their admin roles where they have elevated privileges.

In the wake of the Colonial Pipeline ransomware attack and others, it’s clear rules for admin accounts will only become more stringent.

Greater auditing

Cyber Essentials Plus Certification will increasingly require more in-depth auditing by independent inspectors – including sending malicious test-emails, validating software versions, testing file access, and confirmation of the all-important admin/MFA rules described above.

Lineal are a Cyber Essentials Plus certified organisation, and can help your team achieve certification. Contact our team today.