What are the 10 steps to cyber security?

Anyone looking for advice on how to achieve effective cyber security should consider the NCSC’s (National Cyber Security Centre) 10-step guide.

Originally published in 2012, it is now used by the majority of FTSE 350 organisations.

In this blog, we explain each step and provide advice on how to get started.

1. Risk management regime

Organisations must understand the risks they face before implementing security measures. This enables them to prioritise the biggest threats and ensure their responses are appropriate.

A risk management regime also helps keep the board involved in your cyber security efforts, and enables you to adjust your approach as the threat landscape changes. For example, you might request changes or additions to your cyber security policies or staff awareness programme.

2. Secure configuration

One of the most common causes of data breaches is misconfigured controls, such as a database that’s not properly secured or a software update that hasn’t been installed.

Highlighting the importance of configuration can ensure that you remove or disable unnecessary functionality from systems and address known vulnerabilities promptly.

3. Home and mobile working

Many organisations offer employees the chance to work from home or on the go, but this comes with security risks. Remote workers don’t get the same physical and network security that’s provided in the office, so organisations must respond accordingly.

That should include limiting access to sensitive systems and creating policies for protecting laptops, removable devices and physical information outside the office.

4. Incident management

No matter how robust your defence measures are, you will experience a security incident at some point.

You must prepare for this by establishing policies and procedures to help mitigate the damage and get you back up and running as quickly as possible.

5. Malware prevention

There are many ways malware can infect an organisation’s systems. It could be sent in an email attachment, worm through a vulnerability or be plugged into an office computer via a removeable device.

To mitigate these risks, organisations should implement anti-malware software and policies designed to help prevent employees from falling victim.

6. Managing user privileges

Organisations must create access controls to ensure that employees can only access information that’s relevant to their job.

This prevents sensitive information being exposed should someone gain unauthorised access to employees’ accounts, and makes it less likely that an employee will steal sensitive information.

7. Monitoring

System monitoring enables you to detect successful or attempted attacks. This helps you in two essential ways. First, you will be able to identify incidents promptly and initiate response efforts.

Second, you’ll gain first-hand evidence of the ways criminals are targeting you, giving you the opportunity to shore up your defences and look for vulnerabilities before crooks identify them.

8. Network security

The connections from your networks to the Internet contain vulnerabilities that could be exposed.

You won’t be able to eradicate all of those vulnerabilities, but you should be aware of them and remove as many risks as you can with architectural changes. Likewise, you should implement policies and technical measures to reduce the likelihood of them being exploited.

9. Removable media controls

USBs and other removable devices are the source of many security issues. Not only are they often used to inject malware but they are also involved in many insider incidents. Employees are prone to losing removable devices or leaving them plugged into computers where unauthorised parties can access them.

Organisations must therefore create policies emphasising the need to keep removable devices on your person or in a secure location.

10. User education and awareness

Employees play an essential role in their organisation’s security practices, so they need to be taught their responsibilities and shown what they can do to prevent data breaches.

Training can come in many forms, from introductory e-learning to classroom-based certification courses. It’s up to you to decide which level of training is appropriate for your employees.

Win the war against cyber crime

Much of the NCSC’s advice mirrors that of Cyber Essentials, a government-backed scheme that helps organisations tackle the most common causes of security incidents.

Cyber Essentials is a great starting point for anyone looking to tackle the threat of cyber crime and data breaches. That’s why it’s the first objective of Operation Cyber Secure, IT Governance’s new framework for effective security.

Register for the strategy and you’ll receive a free copy of the Cyber Security Combat Plan, as well as weekly emails containing in-depth advice on how to complete each task.

Enlist in Operation Cyber Secure >>