In this article, you will learn what cyber security entails, with a breakdown of NCSC’s 10 steps to cyber security that you must know. During our third-party security validation exercises and customer communication, we have often come across customers who cannot answer ‘what are their IT and security products actually protecting?’. It is vital to know what is important, what to protect and how to protect it before shopping for security products.
The introduction of mobile and cloud technologies and mobile working, in addition to regular business operations, has led businesses to deal with large volumes of data. Organisations must have a secure baseline, or cyber hygiene, to deal with all eventualities. This relies on supporting policies, specialist training and education, and relevant incident management plans and processes, including disaster recovery capabilities and familiarity with regional law enforcement authorities. This article’s main objective is to cover all topics that relate to the success of a cyber security programme in an organisation, that is, protection of the information security principles of Confidentiality, Integrity and Availability.
If you prefer video format, there is a condensed version here:
Top 5 cyber threats you should know
To be cyber secure, you must understand the significant threats and issues that affect your cybersecurity. The following are five of the major cybersecurity threats in the world today.
- Ransomware: an attack in which a malicious program encrypts user data and demands a ransom for the data to be released. See the cyber kill chain for how the stages of an attack unfold.
- Malware: viruses, trojans and other internet risks that quietly perform malicious activities
- Insider threat caused by unintentional, negligent and malicious insiders
- Phishing: an email-based attack where an attacker pretends to be a trusted person or organisation to steal data from a user
- Third-party software that innocuously performs malicious actions to steal user data, including mobile security risks and cloud security risks (if cloud assets or services are in use) and loss of other sensitive information
Updated version – 10 steps to cyber security
Earlier this year, NCSC updated their 10 steps to cyber security. This advice is essential for technical teams and security professionals to ensure medium to large organisations have a starting point, can review their current strategy and can ensure that the majority of cyber-attacks are foiled while delivering business objectives.
Here is our updated view on the 2021 version of the 10 steps to cyber security.
- Risk management – A risk-based approach to securing data and systems
- Engagement and training – Building security-conscious culture while balancing usability
- Asset management – You must know what your data and systems are and where they are
- Architecture and configuration – How to design, build, maintain and manage systems in a secure manner
- Vulnerability management – A process to ensure your systems are protected throughout their lifecycle
- Identity and access management – Securing access management on a need-to-know basis
- Data security – Data protection measures after identifying vulnerable and weak points in your systems
- Logging and monitoring – To be able to detect, alert and manage events
- Incident management – Planning and managing your cyber security incident lifecycle process
- Supply chain security – Ensuring a secure supply chain by collaborating with your suppliers and partners
What are the 10 Steps to Cyber Security?
The following are 10 steps to cyber security, according to the National Cyber Security Centre. This guide was originally published in 2012 and is currently in use by most FTSE 350 firms.
1. Risk management regime
Ensuring an understanding of risk across the organisation is the foremost action point.
Organisations must first assess the risks affecting their systems before they can defend themselves. With this understanding, an organisation can prioritise the biggest security risks and adequately allocate resources for response.
With a risk management regime, the stakeholders and organisation will have an idea of the organisation’s cyber risks.
2. Malware prevention
Malware finds its way into an organisation through assets with internet exposure. It could be via a removable device, a seemingly harmless email attachment or any other source. When this malicious program executes, it keeps running in the background performing malicious tasks such as modifying programs, capturing credentials, sending data to attacker-controlled systems and so on. This is why strong malware prevention controls are essential.
Businesses should have strict policies around anti-malware, third-party device usage and acceptable and secure use of the internet to avoid putting the entire organisation at risk.
3. Network security
Business without the internet these days is unimaginable. Your network connectivity to the internet adds to the attack surface of your organisation. Implementing network security policies and technical measures ensures wider coverage.
Restrictions, audit logs and monitoring ingress (incoming) and egress (outgoing) network traffic are important security elements to limit suspicious traffic. Other technical concepts include following network design principles such as internal network segmentation that limits an attacker’s capability for a widespread compromise.
4. Removable media controls
Removable media in the form of USB sticks and flash drives constitute a primary security concern for small businesses. Criminals often combine this tactic with social engineering tricks to inject malicious content into computing systems.
It is important to restrict removable media usage through strict policies defining the permitted media types and their use. Emphasis on the use of official media devices only reduces the attack surface related to this concern.
This security threat relates to insider attacks linked with staff, including third-party vendors and contractors who may use this weakness to their advantage. The solution is to have removable media control policies that restrict personal or any other media for office work. Organisations must also emphasise the need for the secure use of official removable media devices.
5. Monitoring
A good monitoring strategy will help you detect security risks or unauthorised access attempts ahead of time. You can quickly identify unusual activity when it happens and initiate an incident response to address such concerns.
Besides, it gives you a first-hand view of the various methods used by threat actors attacking your infrastructure.
6. Secure configuration
A secure configuration baseline is one of the cheapest and longest-serving controls in an asset’s lifecycle. Data breaches are common these days, and the leading cause for many organisations is misconfigured controls. Security threats become likely when systems do not get their regular updates, run unnecessary features or when databases do not follow secure configuration policies.
Implement a technical security baseline defining specific steps for each asset type. Ensure these are strictly adhered to before any assets are released into production.
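As an added example (not code from the article or from NCSC), a release gate that parses an OpenSSH server configuration and checks it against a baseline for one asset type, flagging insecure values, missing settings and unnecessary features; the sample config, the asset type name and the baseline values are constructed assumptions.

```python
"""Gate a host's sshd_config against a technical security baseline (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an sshd_config with two deviations from the baseline.
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

# Assumed baseline for a 'linux-server' asset type: setting -> allowed values.
# A setting absent from the file is treated as a deviation, because the
# OpenSSH default for these keywords is the less secure choice.
LINUX_SERVER_BASELINE = {
    "PermitRootLogin": {"no"},           # no direct root logins
    "PasswordAuthentication": {"no"},    # key-based authentication only
    "X11Forwarding": {"no"},             # unnecessary feature switched off
    "MaxAuthTries": {"3", "4"},          # limit authentication attempts per connection
}

@dataclass
class Finding:
    setting: str
    actual: Optional[str]    # None when the setting is missing from the file
    expected: set[str]

def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse 'Keyword argument' lines. Keywords are case-insensitive and the
    first occurrence wins, matching sshd's first-match rule; comments are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def check_baseline(config: dict[str, str], baseline: dict[str, set[str]]) -> list[Finding]:
    """Return one Finding per baseline setting that is missing or outside its allowed values."""
    findings: list[Finding] = []
    for setting, allowed in baseline.items():
        actual = config.get(setting.lower())
        if actual is None or actual.lower() not in allowed:
            findings.append(Finding(setting, actual, allowed))
    return findings

def release_approved(config_text: str, baseline: dict[str, set[str]]) -> bool:
    """Production release gate: approve only when there are zero findings."""
    return not check_baseline(parse_sshd_config(config_text), baseline)
```

Running `release_approved(SAMPLE_SSHD_CONFIG, LINUX_SERVER_BASELINE)` on the sample returns False, with findings for PermitRootLogin and X11Forwarding.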
7. Managing user privileges
One of the ten steps of cyber security is for companies to create access controls for their employees. Management must keep the number of privileged accounts in its systems to a minimum, on a need-to-know basis. By managing user privileges, management can control how much information is available to members of staff. All access should follow the principle of least privilege (PoLP).
8. Incident management
As a company, you must prepare yourself ahead of rainy days. That is where the incident management policy or procedure comes in. Planning and developing incident response and disaster recovery capabilities for small and large incidents is a key capability. Relevant teams must know how to respond to an incident and must regularly test the incident response and disaster recovery plans. Similarly, organisations should also plan and prepare information security plans to ensure business continuity and minimise disruption.
As an overview, or in the case of a large-scale outage, the purpose of incident management is to restore business operations as quickly as possible. It is targeted at minimising the impact on the business to maintain service quality levels based on asset criticality. For instance, production environment databases and the website may be critical for a retail business, while the HR payroll system may be lower in priority though still important.
9. Remote working
The year 2020 is a testament to the massive increase in cyber attacks and exploitation of security and IT products used in remote working. While remote working has been said to increase productivity, it comes with risks that must be understood. The following items relate to multiple steps (remote working, secure configuration, network security, risk management) under the ten steps to cyber security approach.
- Apply technical security baselines to systems and devices to offer minimal attack surface.
- Ensure that secure encryption configuration practices are used for data at rest and data in transit.
- Assess your attack surface regularly by commissioning external network penetration tests and other security audits.
10. User education
The foremost point in this section is ‘Do not blame users’. Although a lot is said about users being the weakest link in the cyber kill chain, equally, they can be the strongest link connecting these 10 steps to security strategy.
User education and awareness should be practical, interactive and, most importantly, constantly evolving based on the cyber risks. For instance, home and mobile work change the cyber risks landscape of an organisation. Mobile devices, including BYOD policies, are some of the key areas these days.
Everyone should be part of this education process without any exceptions. This should also include your supply chain, including contractors, third party vendors, suppliers, etc., who connect to or use your company assets.
Individuals, businesses and corporate organisations have a role to play in keeping their systems safe from attack. The role of employees in an organisation’s security is massive. This is why training is one of the 10 steps to cyber security and should be part of user security policies.
How Cyphere can help
Cyphere has real-world expertise across multiple sectors, helping businesses with offensive security and improvements to defensive controls. By utilising our sector-specific expertise and offensive security skill-set, we help organisations to continually assess and mitigate their risks across the estate.
Be it a big or small business, a security strategy should provide a balance between risk remediation and usability. Actionable insights into your weaknesses and ongoing improvements to current controls are two strengths of our team that help businesses improve their attack preparedness.
Get in touch to discuss your concerns, and one of our consultants will be in touch with you.