The UK’s National Cyber Security Centre has just released its annual review covering the period from 1 September 2022 to 31 August 2023. You can read the report yourself by visiting the NCSC website. However, if you are short on time, Pro Drive has summarized the key points that SME businesses should be aware of.
Threats and Risks
The NCSC has received reports from a variety of sectors, including academia, manufacturing, IT, finance, and engineering.
More than 80% of all reported UK fraud in 2021 was cyber-related. However, surveys found that only 32% of UK citizens thought they were likely to become a victim.
Cybercriminals and state-aligned actors (criminal gangs not employed by states but sympathizing with their causes) are constantly looking for ways to exploit vulnerabilities in critical national infrastructure (CNI). This is a new and emerging threat. Such actors have explicitly stated their desire to attack Western, including UK, targets.
AI technology is changing the face of cybersecurity. While it’s unlikely to create wholly new threats, it will almost certainly increase the speed and scale of some attacks.
The NCSC was made aware of 327 cases that involved the exfiltration (theft) and/or extortion of data, an increase from last year. This clearly demonstrates the value that cybercriminals see in data.
Public-facing applications (such as Citrix and Remote Desktop) are a common target for cybercriminals and account for the highest number of incidents handled by the NCSC. Attackers exploit vulnerabilities in these applications to gain unauthorized access to your network.
Russia has been expanding its cyber operations, particularly since the start of the war with Ukraine. This now extends to academia, think tanks, logistics and transport hubs, manufacturing companies, supply chains, charities, and Internet of Things (or smart) devices.
The NCSC specifically states that people should not assume they are not important enough to interest Russian spies, who will take an interest in anyone who offers a way to further their objectives. The approach could be as simple as an unsolicited email or contact via social media, and that could be enough to let someone into your network.
Russian-language criminals operating ransomware and ‘Ransomware as a Service’ (RaaS) continue to be responsible for the most high-profile cyber attacks against the UK.
‘Ransomware as a Service’ (RaaS) is making it considerably easier for individuals and smaller criminal groups to adopt ransomware and extortion tactics, which is having a significant impact. However, most ransomware incidents result not from sophisticated attacks but rather from poor cybersecurity controls and hygiene.
The popularity of Cyber Essentials continues to grow, and the number of certificates awarded in the past year has increased by 21%, while the number of Cyber Essentials Plus certificates issued has grown by 55%.
Data reported by insurance companies highlighted that there were 80% fewer insurance claims from organizations with Cyber Essentials in place.
On Critical National Infrastructure
Critical national infrastructure (CNI) includes the systems that keep the UK running, such as health and utilities, but also systems underpinning communications, financial networks, and the internet.
Canada has reported that emerging groups sympathetic to Russia, as well as state-related groups, have sought to project power by attacking strategic critical national infrastructure (CNI) targets of political adversaries, including attacks on the Operational Technology (OT) that operates this infrastructure.
The NCSC still identifies ransomware as one of the greatest cyber threats to UK CNI sectors. Examples of UK CNI attacks include those against South Staffordshire Water, Royal Mail International, and even one impacting NHS 111.
The NCSC has published a number of advisories about threats to CNI, including one on Snake malware and Chinese state-sponsored actors in May 2023 and one on the threat from Russian state-aligned groups in April 2023.
The NCSC also states that it’s important for organizations to understand how they will address periods of heightened threat, as we are seeing now, by temporarily increasing cybersecurity resilience measures.
On New Technologies
Regarding AI: The NCSC’s primary objective is to ensure that cybersecurity does not become a secondary consideration but is recognized as an essential precondition for the safety, reliability, predictability, and ethics of AI systems. Specifically, they state the need for AI to be ‘secure by design’ and built on secure foundations.
Quantum computing: Quantum computing has substantial economic potential but also poses a threat to cryptography, and there is a need to prepare for a future transition to post-quantum cryptography.
As you would expect, the NCSC predicts that considerable challenges lie ahead in the cybersecurity landscape, particularly with the development and use of artificial intelligence by cybercriminals. Everyone must stay focused on the future, strengthening their resilience and sharpening their focus on emerging technologies.
If you are unsure whether your firm is ready for emerging cyber threats, feel a review would be valuable, or are just confused about what good cybersecurity practice looks like, then get in touch using the form below to arrange a free meeting to benchmark your security against best practice.