The UK’s National Cyber Security Centre (NCSC) has published tailored guidance designed to support retailers, hospitality providers and utility services in protecting both themselves and their customers from the impact of cyber crime.
The guidance is specifically designed for organisations with an online presence, and in particular those that employ online customer accounts, and those that may be at risk of having their brand spoofed by malicious actors.
“Online shopping is bigger than ever, and that’s something to be welcomed – but unfortunately it comes with the risk of shoppers’ accounts being exploited,” said Sarah Lyons, deputy director for economy and society at the NCSC. “Businesses have a major role to play in protecting online shoppers, which is why we’ve produced new guidance to help them do so. Following this guidance will allow businesses to help keep their customers safe online, as well as protect themselves from potentially crippling cyber attacks.”
The guidance emphasises the need to add extra layers of security on top of passwords – such as multi-factor authentication (MFA), OAuth 2.0 or single sign-on, FIDO2, or one-time passcodes.
It stresses the importance of considering both the security and usability of each authentication method during the implementation process, and the interplay of those factors with the user base.
For example, a customer may be reluctant to buy from an online store if they need to buy an additional device to do so, so FIDO2 tokens – which often take the form of USB keys – will not always be appropriate.
It also offers step-by-step instructions on how to remove, or get hosting providers to remove, malicious websites spoofing their brand to appear legitimate, which can include false representation of products or services, fake endorsements or reviews, or exploitation as a phishing lure.
Alongside its guidance, the NCSC reminded the general public that they also have an important role to play when it comes to protecting themselves online.
As a first step, it encouraged people to take to heart the six core lessons set out in its ongoing Cyber Aware campaign:
- To use a strong and separate password for email accounts;
- To create strong passwords using the NCSC’s Three Random Words methodology;
- To save passwords in your browser;
- To switch on MFA when available;
- To keep devices and applications up to date;
- To back up data.
With the Office for National Statistics (ONS) putting the number of computer misuse offences in the UK at 1.6 million in the 12 months to 31 March 2022 – an 89% rise from 2020 – it is clear there is still a growing cyber crime problem in the UK.
The government is committed to driving down such offences – which range from unauthorised access to systems, or hacking, to digitally enabled fraud, and stalking and sexual offences – and recently launched a call for information as it seeks to develop new proposals to arrest this growth.
The consultation, which is being run via the Home Office, is seeking input on the risks associated with unauthorised access to UK citizens’ online accounts and personal data; actions that are currently being taken to address the problem; and actions that should be taken to further address it, and where responsibility for doing so should lie.
The consultation will run until 27 October 2022; further information on participating is available from the Home Office.