Protect businesses against cyber attacks to data, devices, networks, and systems.

The NCSC's top tips for cloud security.

Posted 11 September 2023 by Laura

Of course, cyber security should always be front of mind – but we know all too well that it often slips. But when the cyber threat is increased, it’s time to put it back to the top of any list that might be going.

It can help to get in the mindset of a ‘heightened alert’. We can’t type this quickly enough… this is not intended to panic – that’s just not how we roll. BUT a sense of urgency can really help to pull teams and strategies together, quickly and efficiently. But never rush.

We know there’s often a long list of things that need to be updated, reconfigured, added or removed. This is the time to prioritise the workload, allocate your resources and, in the first instance, get those high priority items nailed.

→ We've put together a free guide to cloud identity and access management so you can get clued up on security features like MFA, SSO and SSPR. 

Nine nifty tips from the NCSC to protect your business in the cloud:

1. Check your system patching Across all devices including third party software such as browsers. Turning on automatic updates will help manage this for you.

2. Verify access controls Staff should use unique passphrases and enable multi-factor authentication. Review user accounts and access privileges – remove old, unused, or unrecognised accounts – and carefully review privilege or administration rights.

3. Ensure defences are working Regularly monitor antivirus software and firewall configuration – specifically check for temporary rules that may have been left in place beyond their lifetime.

4. Logging and monitoring Sounds easy enough, but the first thing is knowing what logging is in place and where the logs are stored. Are they still fit for purpose?

5. Review your backups They’re great to have in place but… can the files actually be restored? Regularly test – it’s a belts and braces kinda scenario. And, if your cloud backups fail, it’s a good idea to have an offline one, too – y’know, just in case (the key is to make sure it’s backed up regularly enough that the data is recent enough for it to be useful).

6. Robust incident plan Something you hope you’ll never need… but man, having one feels pretty darn good. A well-planned, well-tested response plan should cover disaster recovery, business continuity and crisis management.

7. Phishing response The hype is real. Phishing attacks are taking the cybersecurity world by storm. Making sure staff know how to spot and report phishing emails is going to be really useful over the coming months. Consider adding it to staff training and new starter inductions.

8. Third party access Quite often third-party organisations have access to your network. This is the time review who has access to what – and decide if they're still worthy of their privileges.

9. Brief your wider organisation What you really need for any successful project is buy-in from the business; from entry level to the board. Listen to your colleagues, communicate the project’s objectives and milestones/timelines clearly, and give regular, easy-to-digest updates to the wider project team (in a way that can easily be transferred to the rest of the organisation). We have also found that a supply of baked goods can help…


Don’t panic, Mr Mainwaring
If the thought of a cyber attack has struck a chord of fear or despair in you, firstly, don’t panic. If you’re here, you’re taking the first step… be reassured that things can change, and, in the right hands, pretty quickly, too (Microsoft Secure Score, anyone?).

Download our free guide to cloud security.

Find out what it’s like to work with us.