Commentary on NCSC Annual Report – 2023
November 2023 by Gil Kirkpatrick, Chief Architect, Semperis
NCSC’s 2023 Annual Report offers a chilling reminder that ransomware attacks in the UK have increased over the past 12 months, that poor cyber hygiene by organisations is the leading cause of most attacks, and that not all attacks are being carried out by large ransomware groups such as LockBit, although they are surely responsible for many of them. In fact, the ransomware-as-a-service business model has evolved over the past year and increased entry points for smaller crime gangs to carry out attacks and yield profits.
The bottom line is that every organisation can improve their cyber hygiene, reduce risk and turn back bad actors attempting to breach organisations. Also, it’s not unreasonable to assume that identity compromises from phishing attacks often provide hackers with initial access to networks, with unsuspecting employees clicking malicious links in emails. Defenders in the UK can make their organisations so difficult to compromise that adversaries look for other companies to attack. To that end, organisations should consider conducting security awareness training, adopting around-the-clock threat hunting, monitoring for unauthorised changes in their Active Directory environment, which threat actors use in most attacks, and having real-time visibility into changes to elevated network accounts and groups.
It should also come as no surprise that threat groups NCSC tracks that are involved in attacks on CNI (Critical National Infrastructure) are expressing their desire to achieve more disruptive and destructive outcomes from their attacks. In the year ahead, there is a strong possibility that website defacement attacks will be augmented by impactful attacks on banking systems, healthcare systems, electric grids and more. And unlike ransomware attacks that are financially motivated and more opportunistic, attacks on national critical infrastructure networks will often be state-sponsored and less amateurish in nature.
Stopping destructive attacks requires a change in the behaviour of organisations trying nobly to protect themselves. Unless governments take steps to improve cyber, unless companies lean into cyber and become more resilient, there is a strong chance the adversaries will have the upper hand. Collectively, we need to constantly uplevel the cyber discussion, bring it to the boardroom. Invest more in people and best practices. Security is a sport played, not watched.