The FCA, BoE and PRA have jointly published the annual cyber-attack resilience test report, which has been released in full to the public for the first time. The simulation involved state actors, or advanced persistent threats (APTs), organised criminal groups and insider threats. The main findings and recommendations are:
1. Access management
The stronger, the better. Good practices include hardening of Active Directory and authentication for human accounts. The weaknesses listed included absent or weak multi-factor authentication and a lack of enforcement of access management policies.
NCSC recommends that access to networks is properly documented and authorised.
2. Appropriate training of staff and their awareness
Staff could accidentally or intentionally cause harm if not properly trained. Good practices include timely response by security staff, use of strong passwords and reporting of phishing e-mails. Weaknesses were failure to identify the root of a threat or disclosure of sensitive data outside the organisation.
NCSC recommends that staff are aware of the risks in the organisation and trained to handle them.
3. Secure IT configuration
The systems in use should be adapted to the nature of the work to prevent any unwanted access. A good practice is building a strong IT infrastructure. Weaknesses include gaps in that infrastructure or failure to exploiting saved passwords.
NCSC recommends that organisations understand the context and risks of their specific case in order to choose the right approach to network security.
4. Network security
If there are gaps in network security, it is easier for unwanted persons to sneak into the company’s infrastructure. Good practices include highly segmented networks or use of industry standards to strengthen the infrastructure. Weaknesses include lack of corporate network segregation or group-owned networks.
NCSC recommends building strong architectural networks and segregating services.
5. Response to incidents and monitoring of security
Identifying threats and quickly isolating them from the infrastructure is one of the key activities in keeping a network safe from attackers. Good practices include flexibility to adjust preventive controls or accurate and timely response capabilities and rates. Weaknesses are, among others, a lack of trained staff or of activity logging.
NCSC recommends facilitating detection with incident management.
6. Data security
Critical data should be kept confidential. Examples of good practices include strong encryption algorithms. Weaknesses include inconsistency across the levels of data protection.
NCSC recommends protecting data, including data in transit, at rest and on mobile devices, and ensuring secure disposal.