Over the weekend, as we learnt more about the WannaCry ransomware, we published some short guides for enterprise administrators and for home users/small businesses. The guides suggest immediate steps to take to protect yourself and your organisation.
In situations such as this, where there is emerging (and sometimes contradictory) information, the NCSC tries to strike a balance with our mitigation advice. Our goal is to provide simple and effective measures that organisations and individuals can take, without accidentally spreading misinformation.
At the start of the week, we updated some of this guidance. These updates remain relevant to all organisations, and I encourage you to read them. The majority of changes we've made have been the result of the useful feedback we received via Twitter, through our contact form, and by other routes. We've also worked with our Economy and Society team to make sure the guidance works for small businesses.
In addition to updating the WannaCry-related guidance, we have also updated our guidance on managing the risks from obsolete platforms. This guidance, originally published by CESG for the UK Public Sector, has been updated so it's applicable to a wider audience. A number of the comments we received noted that our advice at the weekend focused on patches and updates, and didn't mention other approaches such as network segregation and isolation for legacy or hard-to-update devices. You'll find these described in the obsolete platform guidance.
One final observation. We had a few comments and tweets asking why we hadn't mentioned 'user education', such as telling users not to click on phishing emails. There are two reasons for this.
Firstly, we have seen no evidence to date that phishing was used as a route for WannaCry to spread, and so (as mentioned) we didn't want to spread inaccurate information about what was happening.
Secondly - and probably more importantly - our experience shows that telling users not to fall for phishing emails can never wholly succeed, and should form only a small part of our full range of phishing defences. We believe users are the strongest - not weakest - link in security, and so we would only suggest a warning like this if we had evidence that phishing was instrumental to the attack.
As always, your constructive comments have helped us to improve our guidance and advice, and we're really grateful to everyone who took the time to send us suggestions.