Skip to Main Content

No Time to Spy: GCHQ Issues Its 10 Steps to Cyber Security

Authored by Stephen Bradford, SVP EMEA, SailPoint

It was in GoldenEye that ‘M’ (a very modern incarnation played by Judi Dench), derided Bond as a ‘relic of the Cold War’ and a ‘dinosaur.’

Her sobriquet of Bond is likely something he wore with pride but let’s face it—the Bond incarnations of Connery, Moore, Lazenby, and Craig have not kept up with their computer skills. The last place we would expect to find them is in a white hat boot camp.

But modern-day spying has moved on. The UK’s spy HQ, the National Cyber Security Centre (NCSC), is part of GCHQ. It has issued the 10 Steps to Cyber Security for modern businesses. We think a catchier title would have been ‘No Time to Spy.’

The 10 recommendations from the GCHQ include two key learnings for identity security.

Architecture and Configuration – Design, Build, Maintain and Manage Systems Securely On average, it takes 74 days to find and contain a malicious actor, and 80 percent of breaches involve privileged credentials. Furthermore, 67 percent of companies breached could not produce a report showing who has access to sensitive systems and accounts within a 24-hour period.

The perimeter as we know it is no longer relevant – we are the new attack vector. The perimeter today is all about identity.

To protect a business, companies need to use a contextual, identity security-based approval system that provides information to employees based on their level within a business. Managers can agree or approve access according to the security requirements of the business.

Taking this approach prevents any worker from having too much access to the apps and data they need to do their job. They also need to do so in a way that doesn’t slow down their productivity, but securely enables them to accomplish their jobs at every step.

Securing access is not just critical for every employee (including human and non-human workers) across the business but is also critical along the supply chain. It controls which partners or other third parties have access to company information and at what level.

There are a slew of identity decisions a typical business needs to make every single day – who has access to what, how access is used, whether it needs modification as a person’s role changes, areas of overlapping or conflicting areas of access ̶ and the list goes on.

To speed those decisions in an intelligent way, identity security must take advantage of advanced analytics, artificial intelligence (AI), and machine learning (ML). This not only prevents access decisions from becoming a bottleneck for the business but also helps to sort through data for better detection of potential threats and breaches due to compromised worker credentials.

These tools provide an additional level of security by spotting information that may be sensitive and to prevent unregulated or compromised access. It can flag items that may be high risk to certify if information should be going to certain levels of employees.

AI makes recommendations and asks questions such as whether managers should approve information access. Should this data be flagged as high risk? It gives us the information we need to make informed decisions on access approvals that otherwise may go unnoticed.

Data Security – protect data where it is vulnerable

Cybercriminals no longer break into enterprise organisations through the network perimeter. Instead, they target users like employees, contractors, vendors, and even software bots. If a user account is compromised, the hacker can then access everything they see.

That is why it is critical that users only have the privileges they need to do their jobs.

Identity security today means putting in place a layered approach to both applications and the sensitive data that lives within the hundreds, if not thousands, of applications that make up a typical business. Only those qualified workers will have access to certain pieces of technology and the business data within.

These protections ensure we can reserve the most sensitive levels of company information for those who need to know. It ensures compliance with data regulations such as GDPR. And importantly, it ensures protection for sensitive company data from overprovisioned access in the same way that we manage access to applications within the business.

New Ways of Working

The pandemic has created new ways of working, with the traditional office model moving into a remote or hybrid model for most businesses. We are now in an era where Slack and Zoom dominate business meetings. It has thrown the identity net even further afield. We no longer just have an office server room or data centres that are protected by a firewall; the perimeter of home working colleagues just got a whole lot wider. They are on the front lines of enterprise security.

The 10 Steps of Cyber Security could not be more appropriate to apply to this new challenge. With IT skills in short supply, and threats continuing to target workers’ credentials as a means of hacking into the business, putting identity security at the centre of today’s cybersecurity strategy is critical.

Cybersecurity may be entering a new paradigm. But it is good to know that if the old Bond has been left out in the cold, the boffins at GCHQ are on top of their game. The 10-Steps guide is invaluable to protect any organisation or business – and laying the building blocks for identity security could well be the most important steps of all—something a new-age Bond would most certainly approve.

This article first appeared in Teiss.