Ukraine was being hit by cyberattacks well before Russia launched its invasion. DDoS attacks and wiper malware were among the cyber threats that targeted Ukrainian government ministries, banks, media and other services, but there are also other examples from recent history.
Russia has been accused of being behind attacks that took down Ukrainian power grids in December 2015, and it’s thought that the Russian military was also behind the widespread and disruptive NotPetya malware attack of June 2017. NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but the impact quickly spread to organisations around the world.
And as the conflict continues, firms far from that geography have been urged to check their security posture. As NCSC CEO Lindy Cameron commented just a few days ago, “Cyberattacks do not respect geographic boundaries”, warning that these incidents have international consequences – intentional or not.
The NCSC has urged organisations to take action to secure their networks. And there are steps that can be taken – some of which are relatively simple – that can increase resilience against cyberattacks.
1. Apply patches and security updates
Applying patches and security updates to operating systems and software is the best way to close vulnerabilities in networks. Many cyberattacks actively look to exploit unpatched software as an easy backdoor into networks. Devices and software with known security vulnerabilities should be patched immediately.
2. Use strong passwords
A common way for cyber attackers to breach networks is to simply guess usernames and passwords – particularly if the organisation uses cloud services such as Microsoft Office 365 or Google Workspace. Users should be urged not to use common, easy-to-guess passwords and instead use a password manager. Any devices on the network with default passwords should be changed.
3. Use multi-factor authentication
Multi-factor authentication (MFA) provides an additional barrier to cyberattacks and should be applied to all users. The benefit of multi-factor authentication is that, even if a username and password has been stolen or correctly guessed, it’s still very difficult for attackers to access the account. If MFA is correctly configured, the user will be alerted to any attempts to log in to their account – and if they are alerted to an attempt to access an account and it wasn’t them, they should be encouraged to report it to the information security team.
4. Teach phishing awareness
Many cyberattacks start with phishing emails and staff should be trained in how to identify some of the most common techniques cyber attackers use, as well as how to report phishing emails for further investigation. Some phishing attacks are more sophisticated and harder to identify, but even in those cases, if a user thinks they’ve fallen victim to a phishing attack, they should be encouraged to come forward – without repercussions – in order to help identify and detect the attack to remove the intruders and secure accounts.
5. Use antivirus software and ensure that it works
Antivirus software and firewalls can help to detect suspicious links, malware and other threats distributed by cyberattacks and they should be installed on every device. Like other software, it’s important to confirm that antivirus software is up to date with the latest updates and that it’s active and working correctly.
6. Know your network
You can’t defend your network if you don’t know what’s on it, so information security teams should actively be able to identify all devices and users on the network – as well as being able to detect potentially suspicious activity. If a device or user account is acting unusually by accessing files they don’t need for their job or moving to parts of the network that are irrelevant to them, it could be an indication that their account has been compromised by cyber criminals attempting to plant malware. Keep logging activity for at least month, so older activity can be traced to identify how a breach happened.
7. Backup your network – and regularly test backups
Backups are a vital component to ensuring cyber resilience and they can play a big role in minimizing disruption in the event of a cyberattack, particularly ransomware or wiper malware. Backups should be made at regular intervals, a copy of the backups should be stored offline and they should be regularly tested to make sure they work.
8. Be mindful of third-party access to your network and supply chains
Managing IT networks can be complex and that sometimes requires organisations to bring in outside help, providing non-regular users with high-level access. Organisations should have a comprehensive grasp on what access outside users can have and be mindful of removing security controls.
Any access that’s no longer required should be removed. Organisations should also attempt to understand the security practices of businesses in their supply chain – it’s possible that if one of those organisations is breached, their network could be used as a gateway to the larger target.
9. Have an incident response plan
Even if organisations have followed all of the relevant advice, they should still draw up a plan of how to react in the event of a cyberattack. For example, if the network is down, how will they communicate a response? Thinking about different scenarios, as plannning ahead and running training exercises can reduce the impact of a successful cyberattack.
“Organisations should recognise the risk that cyber presents to their operations and ensure that they have strong cyber resilience and an ability to detect, respond and remediate threats, and make sure plans are in place to counter any disruptive attacks,” says Stuart McKenzie, SVP of consulting at Mandiant.
10. Brief the wider organisation about cyber threats
It’s the job of information security to know about cyberattacks and how to deal with them, but outside the cybersecurity team, it’s unlikely to be common knowledge. Staff from the boardroom to the shopfloor should be aware of the importance of cybersecurity and be made aware of how to report suspected security events. In order for a business to be secure, it’s crucial everyone plays a part.