A look at the UK's cybersecurity guidance for high-risk individuals
In December, the UK National Cyber Security Centre published guidance to raise awareness of digital threats to high-risk individuals, democratic processes, and institutions. At the same time, the agency published an advisory warning that Star Blizzard, a hacking group linked to Russia, continues to target high-risk individuals and organizations with tailored phishing attacks. The Guardian reported that Star Blizzard “is part of an aggressive FSB unit that sought to stoke scandal over Brexit, and hamper European NGOs investigating war crimes in Ukraine.” The guidance is part of the UK’s efforts to advance the cybersecurity of civil society and support the communities at highest risk. The Cybersecurity and Infrastructure Security Agency, NCSC’s counterpart in the U.S., launched its high-risk communities webpage earlier this week.
Crafting good security guidance is hard, especially for a large and diverse audience. You want to strike the right balance: give the reader enough information to take action, but not so much that they become overwhelmed and give up. The guidance from NCSC is brief and to the point, covering best practices without being too technical or too scary. I appreciate that the agency highlights the importance of securing personal accounts; after all, securing a high-risk individual means securing a person and how they work, not just their corporate accounts and devices. There’s even a mention of Apple’s Lockdown Mode, a security feature designed to protect devices against sophisticated attacks–such as the use of commercial spyware.
The guidance for high-risk individuals has a total of nine steps, split into protections for accounts and devices. Rather than aim to be as comprehensive as possible, NCSC prioritizes mitigations that are likely to make the biggest difference for someone’s personal security. I’m a bit confused as to why disk encryption is missing from the guide, though. The feature provides an extra layer of security by ensuring someone cannot gain access to the data on your computer without first entering the password. Disk encryption is especially helpful in the event your computer is lost, stolen, or seized. Also missing are any mentions of encrypted phone backups for Android and iOS; end-to-end encryption for iCloud; and end-to-end encryption for WhatsApp backups.
NCSC opted to recommend the password manager functions built into Android and iOS. These are easy and convenient options, but sadly lack features you’ll find in other password manager solutions–such as secure notes and the ability to securely share passwords. I think it would be helpful for this high-risk guidance to also mention that other solutions with more features exist, and perhaps elaborate on those features as well. 1Password is one such option which provides discounts to journalists and others helping to make the world a better place.
For two-factor authentication, the agency is clear about authentication apps being “more secure and convenient than SMS.” The agency recommends using Google Authenticator and Microsoft Authenticator: two apps which sync to the cloud. I think NCSC ought to stress that if you do back up your two-factor codes with these apps, you must secure these accounts with two-factor authentication as well. NCSC should also include Google’s Advanced Protection Program (and Google should mention it more too). The program enables two-factor with security keys and is designed with high-risk individuals in mind.
For sharing access to a social media account, NCSC suggests that you “consider using a social media management service.” The idea is that using such a service allows your team members to create posts for you, without you having to share your password. The downside is that many (most?) focus solely on making scheduling and posting easier, without ensuring multiple individuals can securely share access to an account. When considering a social media management service, I recommend that you look for one which–at the very least–supports two-factor authentication.
Overall, I think the guidance from NCSC is a good start and worth a read. I’m really looking forward to seeing what else the agency adds throughout the year.