The National Cyber Security Centre (NCSC) is responsible for educating individuals and business owners about how to keep their data secure. As cloud computing has gotten more popular, the NSCS guidance has incorporated cloud security into their guidance, which includes the most recent release.

Reviewed on May 10, 2022, the newest version of the NCSC’s cybersecurity guidance places a heavy focus on cloud security. With cloud adoption numbers rising dramatically, security is more important than ever.

What does the NCSC’s new guidance cover?

In a nutshell, the new set of cybersecurity guidance covers security advice for organizations just looking into the cloud and those who have been using the cloud for a while. It covers security tips for choosing a secure cloud provider, implementing basic security measures, and how to assess the level of security offered by a given provider. 

The guide also covers 14 cloud security principles, which are summarized on page 9 of the report linked above. Of these principles, there are several key points to take away.

• Encrypting data in transit is critical. Data can be stolen/intercepted when in transit, so end-to-end encryption is essential.
• Physical data storage assets need to be protected. It’s critical to know who is accessing your physical backup systems and servers.
• Trust in personnel is of high importance. You need to know you can trust the people who are in charge of your physical resources as well as the people you grant permission to access your digital files.
• DevSecOps is important for application development. Security needs to be incorporated in the development process from day one. The best way to achieve this is with DevSecOps.
• Third-party vendor security is essential. If your vendors aren’t keeping your data secure, you’ll be the one to suffer. It’s important to verify how third-party vendors implement security because if you’re bound by data security regulations, like HIPAA, you can be held responsible for a data breach even when it happens on a third-party’s server.
• User management and restricted access is a requirement. Users, including employees and contractors, should only have access to the files and folders they need.
• Device-based authentication is helpful. It’s no longer acceptable to have usernames and passwords alone. Users must be authenticated, and the best way is by using software that recognizes them by their device.

Why is new guidance being issued now?

In the last few years, many businesses have transitioned to operating entirely online with a completely remote-based staff. Remote work has been largely effective for businesses and a relief for workers, but it comes at the cost of leaving businesses vulnerable to cyberattacks and data breaches. 

Organizations don’t have much control, if any, over how remote workers access company accounts, which puts their data at risk around the clock. For example, some remote workers work from coffee shops using unsecured Wi-Fi. Public Wi-Fi is always a security risk, but what makes it worse is the potential for hackers to set up a fake Wi-Fi network where they steal data from devices that connect to their decoy network.

Another problem with remote workers is the potential for other people to use their devices. Sometimes people share their laptops with friends and family members, which means company data is also being shared. 

The guide makes a good case for multi-factor authentication 

The new guidance touches on some important security features that some organizations let slip, like multi-factor authentication. For instance, the guide discusses how multi-factor authentication can make cloud applications more secure by preventing leaked, stolen, or shared passwords from being usable without a second verification step.

Hackers use leaked and stolen login credentials every day to access personal information and financial data. However, two-factor authentication (2FA) renders stolen login credentials useless. With 2FA enabled, logging in requires accessing another verified source of authentication, like a registered email or text message, to retrieve a one-time code. Without that code, even valid login credentials are useless.

Shared passwords are also a big security problem for many businesses, so when users are required to confirm their identity through an email or a text message, shared passwords become less of a risk.

Multi-factor authentication (MFA) is especially useful when an employee is terminated and already has a co-worker’s login credentials. With MFA enabled, the co-worker will get the email or text and will know not to give the code to the fired employee. 

As cybersecurity threats grow, so do security methods

Since cybersecurity incidents tend to grow in number and frequency, it’s critical for cybersecurity professionals to stay on top of security, which includes creating stronger methods for protection whenever possible.

The new guide published by the NCSC is an important piece of the puzzle for businesses and individuals who know they need to clamp down on security, but don’t know where to start. There will certainly be additional updates as cyberattacks become more sophisticated, but for now, the current guide is an excellent starting point for all.