UK Govt issues advice on Ransomware

The UK Government has issued advice to businesses of all sizes as well as home users on how to reduce the likelihood of being hit by ransomware. The details were published on Gov.uk and can be accessed by clicking on the link above. It includes links to documents held on the National Cyber Security Centre website and on its own Cyber Aware website. We have updated the link to the Guidance for Home Users and Small Businesses as the one on the Gov.UK website contains an error.

Advice for Enterprises

There are two documents giving broad advice to enterprises. Both contain links to other government websites. The first document, Approaching Enterprise Technology with Cyber Security in Mind, is a good starting point. It provides some reasonable principles for the cyber security of the enterprise. Interestingly, it starts with a statement that should be on the wall of every security team: “Enterprise technology requires sensible and pragmatic security which supports the users of the technology. Security which interferes in the way that users expect to interact with technology is bad security.”

Too many organisations fail to heed this advice. As a result, users inevitably find ways around security. This is not because they do not get or understand security; if it causes them more work, they will look for an easier path. That path inevitably leads to security failures.

The document goes on to talk about end-user computing, network security, enterprise services and security operations. It doesn’t give you a playbook for each area that can be quickly implemented but it does provide pointers to useful documents.

Government advice on dealing with WannaCry

The second document is specific guidance for enterprise administrators on dealing with WannaCry. There is a different document for home users and small businesses. The level of technical advice differs between the two documents as they address different audiences. This does not mean that one is better than the other. The important statement is not to pay. As has been noted elsewhere over the last 10 days, paying does not guarantee getting files back.

How to be Cyber Aware

The document also contains a pointer to the UK Government’s Cyber Aware website. This contains information on what all organisations and individuals should be considering as basic cyber security. Interestingly, the Cyber Aware website contains the statement: “Britons urged to take cyber security as seriously as home security.” The problem with this is that people understand the general need to lock doors and close windows. Anecdotally, many police officers will say that a large proportion of burglaries from the home are due to insecure doors and especially windows. On that basis, it is not necessarily a good analogy.

Conclusion

The advice assumes that people are looking for cyber security advice from the government. The AIDS campaign of the 1980s was seen as a success because it was widely promoted. It included the government leafletting every home, running TV campaigns and having posters in medical facilities. Today the government seems to think a website is sufficient to educate people on cyber security.

How many people actually look on Gov.UK under announcements for information on cyber security? If it is a significant portion of a single percentage of the population, that would make it a huge success. The reality is that this announcement and the associated documents are unlikely to reach many people at all. The UK and other national governments need to start putting out information that will help people understand the issue.
