Business owners are being urged to help keep their home working staff safe from cyber attacks by testing their defences in a roleplay exercise devised by the NCSC.
The ‘Home and Remote Working’ exercise is the latest addition to the National Cyber Security Centre’s Exercise in a Box toolkit, which helps small and medium sized businesses carry out drills in preparation for actual cyber attacks.
Launched last year, the toolkit sets a range of realistic scenarios which organisations could face, allowing them to practise and refine their response to each.
The latest exercise – the tenth in the series – is focused on home and remote working, reflecting the fact that for many organisations this remains a hugely important part of their business.
Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said: “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.
“While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative.
“I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks.”
The exercise follows a range of products developed by the NCSC – which is a part of GCHQ – to support remote working during the coronavirus pandemic, including advice on working from home and securely setting up video conferencing.
The new ‘Home and Remote Working’ exercise is aimed at helping SMEs to reduce the risk of data compromise while employees are working remotely.
The exercise focuses on three key areas: how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident remotely.
Some of the most popular exercises include scenarios based around ransomware attacks, losing devices and a cyber attack simulator which safely imitates a threat actor targeting operations to test an organisation’s cyber resilience.
As part of the exercises, staff members are given prompts for discussion about the processes and technical knowledge needed to enhance their cyber security practices. At the end an evaluative summary is created, outlining next steps and pointing to NCSC guidance.
Exercise in a Box is an evolving tool and since it was launched the NCSC has continued to work on the platform. It has recently been given a new refreshed look to make it even more intuitive for users and soon micro-exercises – ‘bite-sized’ exercises that focus on a specific topic – will be added.
Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast, said: “This new NCSC tool is a fantastic measure and will be welcomed universally as the threat of cyber attack continues to rise. In fact, our State of Email Security shows that 91% of UK organisations believe their organisation volume of web and email spoofing will increase in the coming year, while 59% of UK organisations have observed an increase in phishing attacks over the last year. It’s important that organisations prioritise cyber security, especially at a time where remote working has become the norm and connecting corporate devices via the home router becomes commonplace. This provides greater opportunity for malicious actors to infiltrate and obtain sensitive corporate data through unsecured home devices, so it’s important that businesses educate their staff on the tell-tale signs of compromise and the benefits of good cyber hygiene practices.
“Regular cybersecurity awareness education is also key. Our State of Email Security report found 56% of organisations don’t provide awareness training on a frequent basis, leaving organisations incredibly vulnerable. This is supported by further research which found that enterprises that didn’t utilise Mimecast awareness training were 5x times more likely to click on malicious links as opposed to those companies that did. Often such training and education exercises may be viewed as burdensome or tedious, but it’s crucial that organisations work to change this perception and using tools such as these provided by the NCSC and others can significantly help. Our research has identified that awareness training, which is fun, interactive, and done in intervals can significantly help with retention, in addition to bolstering cyber defence in depth.”