Recently, I have been reading reports on the NCSC CiSP platform on the threats posed by various hacking groups; some possibly state actor groups. At the end of these reports (not publicly available, but very similar reports have appeared in mainstream media) the NCSC provides advice on how to mitigate the risk posed by these groups.
Some of the mitigation advice is aimed at IT professionals. For example, it includes details of what to look for to determine whether you have been hacked. The majority of the advice provided by the NCSC is applicable to organisations of any size. Many smaller organisations believe that they are “too small” to be of interest to hacking groups. This is simply not the case. Information is valuable no matter where it comes from. The hacking tools used by criminal gangs are highly automated and do not favour one firm over another.
It, therefore, makes sense for even small organisations to protect themselves in the same manner as huge corporations. Here is a summary of the advice provided by the NCSC to help protect firms from these threats:
* This is probably the only piece of technical advice that is potentially beyond the ability of smaller firms to make use of. However, there are many IT companies that can provide security event monitoring as a service. Search online for “siem as a service”.
As you can see, there is no magic to protecting an organisation. Following a few straightforward steps will provide any organisation with strong cyber defences.
ICAEW cyber hub is here: icaew.com/cyber
NCSC advice for small businesses is here.
NCSC staff training is here.