Preparing your organisation for cyber attacks and data breaches is complicated, and you should look for advice wherever you can get it. One of the most trusted resources is the NCSC’s (National Cyber Security Centre) ten-step guide.
In this blog we summarise its guidance and recommend tools and resources to help you along the way.
- Create a risk management regime
For any cyber security strategy to be effective, it needs to be supported by senior managers and applied across the whole organisation. After all, it’s no use having the IT department securing systems if no one else in the organisation does their part.
A risk management regime is a top-level framework for addressing security issues. It sets out the organisation’s security budget and provides a broad plan of action, a system for notifying individuals when new policies and procedures are created, and a method for decision-making.
- Secure your configurations
Misconfigured applications, databases and networks are one of the most common causes of delays and data breaches. The NCSC advises organisations to “develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities”.
The best way to do this is with penetration testing. This involves an ethical hacker looking for vulnerabilities in your systems in the same way as a crook would. Most weaknesses can be patched or otherwise addressed relatively simply.
- Review your network security
Cyber criminals often look to exploit the connections between your networks and the Internet. You can reduce this risk by implementing policies and architectural and technical responses. It won’t always be possible to cover the entirety of your networks, so you should focus on the parts of your organisation where “data is stored and processed, and where an attacker would have the opportunity to interfere with it”.
- Manage user privileges
Organisations must always have access controls in place to ensure employees can only view information that’s necessary for their job. This reduces the threat of malicious insiders and insider error, and limits the amount of damage a crook can cause if they hack into employees’ accounts.
- Conduct staff awareness training
Your employees are the ones following your policies and procedures, so they are directly responsible for keeping threats such as ransomware and phishing at bay.
As such, we recommend that you enrol all employees on annual staff awareness courses covering the essentials of cyber security and specific topics, such as phishing and the EU GDPR (General Data Protection Regulation).
Managers and those closely involved in information security should take more in-depth training courses that give them the opportunity to gain qualifications.
- Implement an incident management system
It’s essential for organisations to understand that, although their security measures can greatly reduce the risk of security incidents, a data breach will happen eventually. That’s why it’s important to implement a CIR (cyber incident response) management system.
A CIR improves an organisation’s ability to respond to all manner of disruptions, including cyber attacks, technological failures, infrastructural damage and extreme weather events.
- Scan for malware
Malware describes any software or code that has malicious effects. As the NCSC notes, “any exchange of information carries with it a degree of risk that malware might be exchanged”. You can reduce the risk with anti-malware software and policies that instruct employees to avoid actions that often lead to malware infections (such as opening attachments from unknown senders).
- Set up system monitoring
System monitoring enables organisations to detect criminals’ attempts to attack systems and business services. It plays a major role in your ability to detect data breaches, and helps you determine whether your systems are being used appropriately and in accordance with your policies.
- Enforce policies regarding removable devices
Criminals often bypass an organisation’s network security measures by loading malware onto USB drives and other removable devices. When an employee plugs the device into a work computer, the malware spreads to other computers.
Some organisations avoid this problem by banning removable devices in the workplace. This might not be possible for you, in which case you should enforce policies regarding the way removable devices are used.
- Establish procedures for home and mobile working
It’s now standard practice for employees to be given remote access to their organisation’s systems. They might work from home permanently or occasionally, or simply need access to their accounts on the go. These each come with their own risks, and organisations need to establish policies and procedures to deal with them.
For example, remote workers’ Internet connections won’t have the same protections as the office network, so you should consider revoking access to more sensitive files and applications. You should also train employees on the risks associated with remote access, and advise them on how to stay secure.
How effective are your existing measures?
We’d bet that your organisation has at least some of these measures in place, but before you start filling in the gaps, it’s a good idea to perform a cyber health check. This involves a security expert performing a structured analysis of your organisation, identifying your weakest security areas and recommending appropriate measures to mitigate your risks.
This helps you build defence measures that are appropriate to the specific threats you face, and ensures that you don’t end up with a patchwork of policies, processes and technologies that are impossible to manage and review.
Choosing IT Governance to conduct your cyber health check means you’ll receive guidance that draws from the NCSC’s advice, as well as from ISO 27001, the international standard for information security, and from the UK government-backed Cyber Essentials scheme.