Your cyber security risk mitigation checklist

Are you trying to figure out the best way to protect your organisation from cyber attacks and data breaches?

It can be tricky to know where to begin, which is why our Cyber Security Risk Scorecard contains a simple guide to help you secure your systems.

We’ve run through some of the essential steps in this blog, or download the full, free checklist from our website.

Install firewalls

Firewalls are one of many types of software that organisations should implement to protect their systems.

They are designed to create a buffer between your IT systems and external networks, by monitoring network traffic and block anything that could damage your computers, systems and networks.

This will help prevent cyber criminals from breaking into your networks and block outgoing traffic that originates from a virus.

Install antivirus software

Antivirus software is another essential technological defence – and contrary to what the name implies, it isn’t just designed to root out viruses.

Modern antivirus generally includes protection against a range of threats, including malware, ransomware, keyloggers, Trojan horses, worms, adware and spyware.

The software works by scanning your computer or network, looking for riles that match its built-in database of known malicious programs. The more advanced the software is, the larger that database will be and the more likely it is that it will detect a problem.


Our Cyber Security Scorecard provides a checklist of essential security controls.

Patch management

When software providers fix a vulnerability on their applications, its users are required to download the update (or ‘patch’).

Organisations tend to use many software providers, each of which releases regular patches – Microsoft, for examples, fixes vulnerabilities so often that the term ‘Patch Tuesday’ was coined.

As such, it makes sense to create a patch management plan to help you keep track of updates you’ve applied and to make sure each one has been installed successfully.

Conduct a cyber security risk assessment

A cyber security risk assessment helps organisations evaluate their weaknesses and gain insights into the best way to address them.

ISO 27001, the international standard that sets out the specification for an ISMS (information security management system), is built around risk assessments and contains step-by-step guidance on how to complete the process.

You don’t need to certify to ISO 27001 to follow its advice – or even follow the rest of the Standard’s guidance – although doing so clearly has many benefits.

Create an information security policy

Information security policies are the result of a risk assessment. They describe the vulnerabilities that have been identified and the measures that the organisation has adopted to prevent them.

The document should contain a thorough outline of each risk, the relevant control(s) and the organisation’s continual improvement strategy, including when and how they will review the effectiveness of the control.

Encrypt sensitive data

In an information security context, encryption is a way of ‘scrambling’ sensitive data, ensuring that it can only be accessed by authorised personnel with a decryption key.

By encrypting data, you guarantee that even if criminal hackers break into your systems, they are unable to view your files. This helps mitigate the risk of data breaches and could prevent a GDPR (General Data Protection Regulation) violation.

Create a remote working policy

The COVID-19 pandemic has reshaped the way organisations work, with the majority planning to permanently switch to remote working – whether that’s on a full-time basis or giving employees the opportunity to come into the office a few days a week.

As you will no doubt know, remote working comes with unique information security challenges, which you’ll need to address in a dedicated policy.

This will include guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.

Organisations should also explain the technical solutions that they’ve implemented to protect sensitive data and how employees can comply with them. For example, we recommend applying two-factor authentication to any third-party service that you use.

Conduct vulnerability scans

Many cyber attacks are automated, with criminals searching for and exploiting known vulnerabilities.

Organisations can prevent these attacks by conducting their own scans to identify weaknesses before crooks exploit them.

But that’s not the only benefit of vulnerability scanning. The process will also help you determine the overall effectiveness of your security measures, save you time and money in the long run.

Conduct penetration tests

Penetration tests are a controlled form of hacking in which a cyber security professional, working on behalf of an organisation, attempts to find exploits in the same way that a criminal would.

These tests are more rigorous than automated scans, as they enable the actor to leverage weaknesses and gain a true insight into the way a criminal might access your sensitive information.

Penetration testers may, for example, exploit system misconfigurations or send staff phishing emails to gather login credentials.

With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.

Create a business continuity plan

A business continuity plan outlines the steps an organisation must take to ensure its critical processes continue operating in the event of a major disruption.

This information is put into a document, which is regularly tested, developed and improved upon to make sure the organisation has recovery strategies in place for a range of threats.

Download our free checklist

You can learn more about the steps you should take to prevent and respond to cyber security incidents by downloading our Cyber Security Risk Scorecard.

This free document contains twenty questions you should ask yourself to determine whether you have the necessary defences in place.

It’s designed to give a broad indication of your organisation’s overall readiness, helping you understand what your next steps should be and how urgently you need to address cyber security.


The Weekly Round-up: subscribe now