Understanding UK’s National Cyber Security Strategy to Achieve Cyber Resilience in 2022

UK government data shows that within the last year cyber-attacks against UK businesses are becoming more frequent. Today almost one in three businesses state they experience breaches or attacks at least once a week.

In light of the increased frequency of attacks against the UK, the government has established its National Cyber Security Strategy for 2022 with cyber resilience at its core.

The Cybersecurity Challenge

In the face of the growing cyber threat, the strategy acknowledges that “there remains a significant gap between where government cyber resilience is now and where it needs to be.” That gap is illustrated by an inconsistent level of cyber security awareness, capability, maturity, and investment across government organizations.

Other challenges include:

• Ransomware attacks on local councils and their impact on public services
• Nation state attackers, where the UK became the third most targeted country in the world behind Ukraine and the USA.
• The struggle to retain and hire new cyber security professionals
• Internal competition in attracting those cyber professionals “at the expense of knowledge retention and sustained change.”
• The need to improve cyber resilience in an increasingly digital world, as dramatically illustrated by the COVID-19 pandemic and change in how the government does its business

The strategic pillars of cyber security resilience

The UK approach to resilience is based on two complementary strategic pillars:

1. Build a strong foundation by “ensuring that government organizations have the right structures, mechanisms, tools and support in place to manage their cyber security risks.”

2. Set up a resilience posture across all government organizations that “will harness the value of sharing cyber security data, expertise and capabilities to present a defensive force disproportionately more powerful than the sum of its parts.” This includes ruthlessly iterating on and identifying weak and compromised passwords as well as blocking password spray attacks that attempt the same password on many accounts.

Each government organization must have the wherewithal to understand cyber security risks with “robust assurances” and accountability across all organizations. This will be reinforced by the Government Cyber Coordination Centre (GCCC), and other security agencies.

UK government cyber security resilience goals

Establishing an improved cyber security resilience will meet the following goals:

• Evaluating a cyber security event or breach and mitigating risks before they affect government services and functions.
• Responding to any cyber security incident with mechanisms that exercise and test incident response plans—again, ensuring minimal disruption of government services to the public sector.
• Cultivating cyber security knowledge and skills and establishing a culture of cyber security awareness across the entire government.

Ultimately, the UK’s national cyber security strategy can be encapsulated as follows:

1. The nature of the risk needs to be understood.

2. The government needs to take action to secure systems to prevent and resist cyber-attacks.

3. Everyone must understand and recognize some attacks will still happen. Preparation, however, must be resilient enough to minimize the impact and provide avenues for recovery. 

The first line of cyber defense

In 2018 the British Government introduced MCSS (Minimum Cyber Security Standard) which laid out clear of technical standards and mandatory cyber resilience outcomes that all government departments must achieve. Standards 6 and 7 focus on the protection of key operational systems and privileged accounts. Each must not be vulnerable to common cyber-attacks.

The first line of defense against cyber-attacks is bolstered when password security is taken seriously. As over 85% of today’s hacking related breaches are due to lost or stolen credentials, astrong password policy that can enforce strong passwords and block compromised passwords is essential.

 As passwords are vulnerable to attack it’s not surprising password related attacks are on the rise. Specops’ Weak Password Report provides some troubling insights:

• Password length and variety of characters are no guarantees against hacking
  • Passwords of 8 or more characters were used at a rate of 93% in brute force attacks.
  • Passwords used in real attacks included at least two character types at a rate of 68%.
• Over half (54%) of organizations lack tools to manage work passwords.
• In just under half (48%) of organizations, anyone can call an IT service desk without user verification.

Standard password policies are not enough

Out-of-the-box password policy capabilities from Microsoft continue to fall short in security and compliance requirements and simply have are not evolved in line with todays sophisticated threat landscape. Specops Password Policy fills this gap effectively nullifying the success of brute-force password attacks and preventing attackers from entering key backend systems. Additionally, Specops Password Auditor identifies existing weak and compromised passwords which need to be changed to prevent them from posing a security threat.

Want to learn more? See how your organization can block over three billion compromised passwords from your Active Directory with a free trial.