Advice on managing enterprise security published after major cyber campaign detected

4 Apr 2017 11:04 AM

TARGETED expert advice aimed at Managed Service Providers and their customers has been published after a global cyber attack was uncovered by a multi-organisation collaboration led by the National Cyber Security Centre (NCSC).

The attacks are against global Managed Service Providers (MSPs), which are third parties who help to manage large organisations’ IT infrastructure and services. MSPs are particularly attractive to attackers because they have privileged access to other organisations’ systems and data.

Because the incident mainly affects larger organisations, the NCSC believes direct financial theft from individuals is unlikely.

The attacks are a reminder of the importance of organisations choosing and monitoring their outsourcing partners carefully, so the NCSC has posted a range of advice on its website about what should be done to mitigate the risks.

Ciaran Martin, CEO of the government’s National Cyber Security Centre, said:

“This scale of hostile activity is significant and our intervention is aimed at giving the UK the ability to tackle this threat head-on by giving organisations the tools and information they need.

“We always encourage enterprises to discuss this threat with their MSP, even if they have no reason to believe they have been affected. This incident should remind organisations that entire supply chains need to be managed and they cannot outsource their risk.

“The response to this attack is an example of the new NCSC at work with our partners. It would not have been possible to uncover the scale and significance of this incident as quickly without our close partners in the Cyber Incident Response (CIR) initiative, including PWC and BAE Systems.”

The guidance reflects the technical advice and mitigation measures offered to UK industry and government departments on the Cyber-security Information Sharing Partnership (CISP) platform.

Organisations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model the provider uses to manage their services. If that model is unsatisfactory, the organisation should demand that the provider change it immediately.

The NCSC recommends that MSPs who are unwilling to work closely with customers or to share information should be treated with extreme caution. It also advises that an independent audit of an organisation's MSP is critical for security management – an organisation that neglects such monitoring is unlikely ever to be able to manage the risk effectively.

The NCSC, which is part of GCHQ, is the UK’s technical authority on cyber security. The NCSC was opened by HM The Queen in February 2017 and provides a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. 

The UK government is fully committed to defending against cyber threats and addressing the cyber skills gap to develop and grow talent. A five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment.
