Understanding UK’s National Cyber Security Strategy to Achieve Cyber Resilience in 2022
UK government data shows that, within the last year, cyber-attacks against UK businesses have become more frequent. Today almost one in three businesses state they experience breaches or attacks at least once a week.
In light of the increased frequency of attacks against the UK, the government has established its National Cyber Security Strategy for 2022 with cyber resilience at its core.
The Cybersecurity Challenge
In the face of the growing cyber threat, the strategy acknowledges that “there remains a significant gap between where government cyber resilience is now and where it needs to be.” That gap is illustrated by an inconsistent level of cyber security awareness, capability, maturity, and investment across government organizations.
Other challenges include:
- Ransomware attacks on local councils and their impact on public services
- Nation-state attackers: the UK has become the third most targeted country in the world, behind Ukraine and the USA.
- The struggle to retain and hire new cyber security professionals
- Internal competition in attracting those cyber professionals “at the expense of knowledge retention and sustained change.”
- The need to improve cyber resilience in an increasingly digital world, as dramatically illustrated by the COVID-19 pandemic and change in how the government does its business
The strategic pillars of cyber security resilience
The UK approach to resilience is based on two complementary strategic pillars:
1. Build a strong foundation by “ensuring that government organizations have the right structures, mechanisms, tools and support in place to manage their cyber security risks.”
2. Set up a resilience posture across all government organizations that “will harness the value of sharing cyber security data, expertise and capabilities to present a defensive force disproportionately more powerful than the sum of its parts.” This includes continually identifying weak and compromised passwords, and blocking password spray attacks, in which the same password is tried against many accounts.
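To make the password spray point concrete, here is an added example (not part of the original post and not Specops code) that flags a source which fails against many distinct accounts in a short window, the pattern that distinguishes a spray from a brute-force run against one account, and then lists the accounts that source later logged into successfully. The log format, IP addresses and user names are constructed for the example.

```python
"""Password-spray detection over authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed format per line:
# "<ISO-8601 timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2022-11-17T09:00:01 203.0.113.10 alice FAILURE
2022-11-17T09:00:03 203.0.113.10 bob FAILURE
2022-11-17T09:00:05 203.0.113.10 carol FAILURE
2022-11-17T09:00:07 203.0.113.10 dave FAILURE
2022-11-17T09:00:09 203.0.113.10 erin FAILURE
2022-11-17T09:00:11 203.0.113.10 frank SUCCESS
2022-11-17T09:05:00 198.51.100.7 alice FAILURE
2022-11-17T09:05:10 198.51.100.7 alice FAILURE
2022-11-17T09:05:20 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct users} for every source whose failed
    logons hit at least `min_accounts` distinct accounts inside `window`.

    Few attempts per account across many accounts is what separates a spray
    from a brute-force run against a single account; the latter is left to
    lockout policy and is not reported here.
    """
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


def successes_after_spray(events, alerts):
    """For each alerting source, list the accounts it logged into successfully.
    A success from a spraying source is the highest-priority follow-up: that
    account very likely holds a weak or compromised password."""
    hits = defaultdict(list)
    for _, ip, user, result in sorted(events):
        if ip in alerts and result == "SUCCESS" and user not in hits[ip]:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evs)
    print("spray sources:", sprays)
    print("accounts to reset first:", successes_after_spray(evs, sprays))
```

In the constructed data, 203.0.113.10 fails against five different accounts within seconds and then succeeds against `frank`, so it is reported with `frank` as the account to reset first; 198.51.100.7 only retries a single account and is not reported, because that is a lockout-policy case rather than a spray. The window and account threshold are tunable knobs, not fixed values from the strategy.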
Each government organization must have the wherewithal to understand cyber security risks with “robust assurances” and accountability across all organizations. This will be reinforced by the Government Cyber Coordination Centre (GCCC), and other security agencies.
UK government cyber security resilience goals
Improved cyber security resilience is intended to meet the following goals:
- Evaluating a cyber security event or breach and mitigating risks before they affect government services and functions.
- Responding to any cyber security incident with mechanisms that exercise and test incident response plans—again, ensuring minimal disruption of government services to the public sector.
- Cultivating cyber security knowledge and skills and establishing a culture of cyber security awareness across the entire government.
Ultimately, the UK’s national cyber security strategy can be encapsulated as follows:
1. The nature of the risk needs to be understood.
2. The government needs to take action to secure systems to prevent and resist cyber-attacks.
3. Everyone must understand and recognize that some attacks will still happen. Preparation, however, must be resilient enough to minimize the impact and provide avenues for recovery.
The first line of cyber defense
In 2018 the British Government introduced the MCSS (Minimum Cyber Security Standard), which laid out clear technical standards and mandatory cyber resilience outcomes that all government departments must achieve. Standards 6 and 7 focus on the protection of key operational systems and privileged accounts, neither of which may be vulnerable to common cyber-attacks.
The first line of defense against cyber-attacks is bolstered when password security is taken seriously. As over 85% of today’s hacking-related breaches are due to lost or stolen credentials, a strong password policy that can enforce strong passwords and block compromised passwords is essential.
As passwords are vulnerable to attack, it’s not surprising that password-related attacks are on the rise. Specops’ Weak Password Report provides some troubling insights:
- Password length and variety of characters are no guarantees against hacking
- 93% of the passwords used in brute-force attacks were 8 or more characters long.
- 68% of the passwords used in real attacks included at least two character types.
- Over half (54%) of organizations lack tools to manage work passwords.
- In just under half (48%) of organizations, anyone can call an IT service desk without user verification.
Standard password policies are not enough
Out-of-the-box password policy capabilities from Microsoft continue to fall short of security and compliance requirements and simply have not evolved in line with today’s sophisticated threat landscape. Specops Password Policy fills this gap, effectively nullifying the success of brute-force password attacks and preventing attackers from entering key backend systems. Additionally, Specops Password Auditor identifies existing weak and compromised passwords which need to be changed to prevent them from posing a security threat.
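As an added example (not Specops code, and not a description of how Specops Password Policy works internally), the following Python check illustrates the gap the section describes: a length-and-complexity rule on its own accepts a password such as `Summer2022!`, while the same rule combined with a breached-password lookup rejects it. The breached list and its SHA-1 prefix index are constructed here; a real deployment would load a large corpus of leaked passwords and keep only the hashes.

```python
"""Password acceptance check: length, character variety and a breached-list lookup (added example)."""
import hashlib

# Constructed breached-password list, standing in for a real leaked-password
# corpus. Only SHA-1 hashes are retained, split into a 5-hex-character prefix
# and the remaining suffix, so the check never handles the plaintext list.
CONSTRUCTED_BREACHED = ["Password1", "Summer2022!", "Welcome123", "qwerty"]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the usual key for breached-hash lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_table(passwords):
    """Index breached passwords as {sha1_prefix: {sha1_suffix, ...}}."""
    table = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], set()).add(digest[5:])
    return table


BREACH_TABLE = build_prefix_table(CONSTRUCTED_BREACHED)


def is_compromised(password, table=BREACH_TABLE):
    """True if the password's hash is present in the breached-hash index."""
    digest = sha1_hex(password)
    return digest[5:] in table.get(digest[:5], set())


def character_classes(password):
    """Count how many of lower, upper, digit and other appear in the password."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def evaluate_password(password, min_length=12, min_classes=2, table=BREACH_TABLE):
    """Return (accepted, reasons). Pass table={} to see what a
    complexity-only policy with no breached-list check would decide."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if character_classes(password) < min_classes:
        reasons.append(f"fewer than {min_classes} character types")
    if is_compromised(password, table):
        reasons.append("appears in breached-password list")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Summer2022!", "qwerty", "correct-horse-battery-staple-2022"]:
        print(candidate, "complexity only:", evaluate_password(candidate, min_length=8, table={}))
        print(candidate, "with breach check:", evaluate_password(candidate, min_length=8))
```

`Summer2022!` has eleven characters and three character types, so a policy that looks only at length and complexity accepts it; the breached-list check is what rejects it. That is the distinction the Weak Password Report figures above point at: the passwords seen in real attacks mostly satisfy complexity rules already.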
Want to learn more? See how your organization can block over three billion compromised passwords from your Active Directory with a free trial.
(Last updated on November 17, 2022)