
NCSC report

by Mark Rowe

The UK's National Cyber Security Centre (NCSC), part of the Government agency GCHQ, has released its sixth annual report on ‘Active Cyber Defence’.

Included are the NCSC Takedown service (that finds malicious sites, typically extortion mail servers, and sends notifications to the host or owner to get them removed); Mail Check (for assessing email security compliance); and the Centre’s free Suspicious Email Reporting Service (SERS).

Despite the fall in takedowns, cryptocurrency investment scams continue to be a high-volume attack type, the report noted. These attacks usually use celebrities or well-known brands to appear more legitimate. Scammers continue to use topical events to make phishing attempts more believable, and to target the vulnerable. In September and October, for example, the NCSC saw an influx of phishing attempts about the UK Government’s Energy Bills Support Scheme.

Jonathon Ellison, NCSC Director for National Resilience and Future Technology, said: “In a cyber threat environment that resembles the Hydra – cut down one attack, another springs up in its place – ACD is once again doing unparalleled work to keep the country safe.

“As this latest report shows, cyber security is not the sole preserve of tech specialists: businesses are increasingly alive to and eager to engage with the cyber risks they face, signing up in swathes to make the most of NCSC data and expertise.

“Small businesses have a key role to play in making it safer to work and live online, which is why we’re making it even easier for them to shore up their defences with accessible, free tools and soon, to manage these effortlessly via our integrated MyNCSC platform.”

You can read the 43-page report on the NCSC website.

Comments

Jasson Casey, CTO at Beyond Identity, said: “As technology and cybersecurity resilience evolve, so do the capabilities of threat actors. You can’t have truly effective data protection if you are still using passwords. With social engineering, particularly phishing attacks, threat actors are all but walking through organisations’ front doors.

“Passwords often rely upon the human element of cybersecurity, requiring employees, customers, and vendors alike to uphold quality password hygiene at the risk of severe organisational compromise. Unfortunately, humans are not perfect and to expect them to operate as such, with so much at risk, is impractical. Beyond human error, threat actors often have ‘brute force’ software at their fingertips, allowing them to easily guess common passwords across vulnerable accounts.

“Authentication that has been designed to accelerate the journey to zero trust security paradigms significantly reduces risk by ensuring continuous authentication whilst eliminating all credentials and codes that attackers use to plant ransomware crops. By leveraging the combination of biometrics and Passkeys based on the Fast Identity Online (FIDO) standards, organisations are able to always know who and what device is requesting access. Removing the single largest vulnerability facing your organisation should be a no-brainer!”

Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity, called it great news that businesses are reporting more of the malicious URLs and phishing emails that target them, which he said is testament to increasing awareness and education around cyber threats.

“It’s clear that the number of scams has risen dramatically since the pandemic, with cybercriminals and fraudsters often using the latest news agenda and topics of concern to lure innocent people into clicking on links and giving up details or spending large amounts of money from their accounts. For example, our Advanced Email Threat Protection (AETP) quarantined nearly 7.3 billion emails that were classified as bulk spam, scams, and non-targeted phishing threats in 2022 — a 12.5pc increase over 2021.

“We’re seeing more scams using keywords based on emotive keywords such as the cost-of-living crisis than ever before – and these are often effective as they are top-of-mind for the targets. The NCSC is doing great work in helping to raise awareness of these scams, but businesses can also support by ensuring employees undertake thorough security awareness training programmes. These are now advanced enough to inform and educate employees on the latest threats in real-time, including information security, social engineering, malware, and industry-specific compliance topics – as well as how to report suspicious emails and URLs. Businesses can also use attack simulations to automatically send users for re-education should any training issues be identified.”


© 2024 Professional Security Magazine. All rights reserved.
