While delivering in-depth security validation exercises, we have often encountered customers relying on just products or policies. It is vital to know what is important, what to protect and how to protect it before shopping for security products.
The introduction of mobile and cloud technologies and remote working, on top of regular business operations, has led businesses to handle large volumes of sensitive data. Organisations must have a secure baseline, or cyber hygiene, to deal with all eventualities. This includes supporting policies, specialist training and education, relevant incident management plans, disaster recovery capabilities and processes, and familiarity with regional law enforcement authorities.
In this article, you will learn what cyber security entails and get a breakdown of the NCSC's 10 steps to cyber security that you must know.
What are the 10 Steps to Cyber Security?
The following are 10 steps to cyber security, according to the National Cyber Security Centre. This guide was originally published in 2012 and is currently used by most FTSE 350 firms to assess the organisation’s cyber security.
1. Risk management regime
Ensuring that the organisation understands and assesses its cyber security risks is the foremost action point.
Organisations must first assess the risks affecting their systems before they can defend themselves. With this understanding, an organisation can prioritise the biggest risks and adequately allocate resources for response.
With a risk management regime, the stakeholders, the board and senior managers will understand the organisation's cyber risks and can hold the management processes responsible for those risks accountable.
2. Malware prevention
Malware is short for malicious software. Once a malicious program executes, it keeps running in the background performing malicious tasks such as modifying programs, capturing credentials and user privileges, and sending data to attacker-controlled systems. This is why strong malware prevention measures are essential.
Businesses should have strict policies around anti-malware, third-party mobile device usage and acceptable and secure use of the internet to avoid putting the entire organisation at risk.
3. Network security
Business without the internet these days is unimaginable. Your network connectivity to the internet adds to the attack surface of your organisation. Implementing network security policies and technical measures ensures wider coverage.
Restrictions, audit logs and monitoring of ingress (incoming) and egress (outgoing) network traffic are important elements for limiting suspicious or unusual activity that could indicate an attack. Other technical concepts include following network design principles such as internal network segmentation, which limits an attacker's ability to achieve a widespread compromise.
4. Removable media controls
It is important to restrict removable media usage (USB sticks, flash drives) through strict policies defining the limits of removable media use and the media types acceptable for use. Emphasising official media devices would reduce the attack surface related to this concern.
This threat relates to insider attacks linked to staff, including third-party vendors and contractors, who may use this weakness to their advantage. The solution is to have media control policies that restrict personal or any other media from use on corporate systems. Where removable media is required, organisations must emphasise the secure use of official removable devices.
5. Monitoring
A good monitoring strategy applies the secure baseline to help you detect security incidents, attempted attacks or unauthorised access attempts early. You can then quickly identify unusual activity as it happens and initiate an incident response to resolve it.
It also gives you a first-hand view of the various methods used by threat actors attacking your infrastructure.
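The monitoring step above, together with the ingress/egress monitoring mentioned under network security, comes down to comparing what the logs show against a secure baseline and flagging the deviations. The following is an added example, not code from the article or from Cyphere: it parses constructed firewall-style log lines (the line format, the baseline values and the sample addresses are all assumptions made for this example) and reports egress that falls outside the baseline, namely traffic to unexpected ports, DNS sent to a non-approved resolver, and a host talking to an unusually high number of distinct destinations.

```python
"""Egress-traffic baseline check over firewall log lines.

Added example. The log format, the baseline and the sample lines are
constructed for illustration and do not correspond to any particular
firewall product or to the NCSC guidance itself.
"""
import re
from collections import defaultdict

# Assumed log line format (constructed): one connection event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# The secure baseline for this zone (constructed): what egress is expected.
BASELINE = {
    "allowed_ports": {53, 80, 443},      # everything else is a deviation
    "dns_resolvers": {"10.0.0.53"},      # only these may receive port-53 traffic
    "max_distinct_dst_per_host": 3,      # above this, flag as unusual fan-out
}

# Constructed sample log (documentation/test address ranges only).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z src=10.0.1.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
2024-05-01T09:00:02Z src=10.0.1.5 dst=10.0.0.53 dport=53 proto=udp action=allow
2024-05-01T09:00:05Z src=10.0.1.7 dst=198.51.100.9 dport=8081 proto=tcp action=allow
2024-05-01T09:00:06Z src=10.0.1.7 dst=198.51.100.9 dport=53 proto=udp action=allow
2024-05-01T09:00:07Z src=10.0.1.9 dst=192.0.2.1 dport=443 proto=tcp action=allow
2024-05-01T09:00:08Z src=10.0.1.9 dst=192.0.2.2 dport=443 proto=tcp action=allow
2024-05-01T09:00:09Z src=10.0.1.9 dst=192.0.2.3 dport=443 proto=tcp action=allow
2024-05-01T09:00:10Z src=10.0.1.9 dst=192.0.2.4 dport=443 proto=tcp action=allow
2024-05-01T09:00:11Z src=10.0.1.5 dst=198.51.100.20 dport=23 proto=tcp action=deny
this line is malformed and must be skipped, not crash the parser
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_deviations(events, baseline=BASELINE):
    """Return (source host, finding type, detail) for traffic outside the baseline."""
    findings = []
    dst_per_host = defaultdict(set)
    for e in events:
        if e["action"] != "allow":
            continue  # denied traffic is already enforced by the firewall policy
        dst_per_host[e["src"]].add(e["dst"])
        if e["dport"] not in baseline["allowed_ports"]:
            findings.append((e["src"], "unexpected_port", f"{e['dst']}:{e['dport']}"))
        elif e["dport"] == 53 and e["dst"] not in baseline["dns_resolvers"]:
            findings.append((e["src"], "dns_to_non_approved_resolver", e["dst"]))
    # Fan-out is judged over the whole window, after all events are seen.
    for src, dsts in dst_per_host.items():
        if len(dsts) > baseline["max_distinct_dst_per_host"]:
            findings.append((src, "high_fanout", str(len(dsts))))
    return findings


if __name__ == "__main__":
    for src, kind, detail in find_deviations(parse_log(SAMPLE_LOGS)):
        print(f"{src}\t{kind}\t{detail}")
```

In practice the baseline comes from the approved network design (which zones may reach which services) rather than a hard-coded dictionary, and the findings feed the incident response process described under step 8; the value of the approach is that anything not in the baseline is visible, rather than only traffic that matches a known-bad signature.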
6. Secure configuration
A secure configuration baseline is one of the cheapest and longest-serving controls in an asset's lifecycle. Data breaches are common these days, and for many organisations the leading causes are known vulnerabilities or misconfigured controls that help threat actors steal data easily. Security threats become inevitable when systems do not get their regular updates, there is no process to disable unnecessary functionality, or databases do not follow their baseline configuration and security policies.
Implement a technical security baseline that defines specific steps for each asset type identified from a system inventory. Ensure these are strictly adhered to before any asset is released into production.
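A technical security baseline is only useful if it can be checked against real configuration before release. The following is an added example, not code from the article or from Cyphere: it parses a constructed sshd_config-style fragment and compares it with an assumed organisational baseline. The directive names are real OpenSSH directives and the fallback defaults are those documented in sshd_config(5) for recent OpenSSH releases, but the required values are an illustrative baseline, not NCSC's. It also handles the two failure modes that trip up naive checks: a directive that is absent (so the daemon's default applies) and a directive that appears twice (sshd keeps the first occurrence).

```python
"""Check a service configuration against a technical security baseline.

Added example. The baseline values below are an assumed organisational
standard for illustration; verify the defaults against the sshd_config(5)
manual for the OpenSSH version actually deployed.
"""

# directive -> (required value, reason it is in the baseline)
BASELINE = {
    "PermitRootLogin": ("no", "root must not log in directly; use a named account"),
    "PasswordAuthentication": ("no", "key-based authentication only"),
    "X11Forwarding": ("no", "unnecessary functionality is disabled"),
    "MaxAuthTries": ("4", "limit repeated authentication attempts"),
}

# Value OpenSSH applies when the directive is absent (per sshd_config(5); assumed current).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed sample: PasswordAuthentication is missing, PermitRootLogin is duplicated.
SAMPLE_SSHD_CONFIG = """\
# Constructed sshd_config fragment for this example
Port 22
PermitRootLogin yes
# A later duplicate does NOT override the first value in sshd_config
PermitRootLogin no
X11Forwarding no
MaxAuthTries 4
"""


def parse_config(text):
    """Parse 'Directive value' lines into a dict keyed by lower-cased directive.

    Directive names are case-insensitive in sshd, and when a directive is
    repeated the first occurrence wins, so setdefault() is used deliberately.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a directive with no value; sshd itself would reject this
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_baseline(settings, baseline=BASELINE, defaults=DEFAULTS):
    """Return one finding per baseline directive whose effective value deviates."""
    findings = []
    for directive, (required, reason) in baseline.items():
        key = directive.lower()
        if key in settings:
            actual, source = settings[key], "explicit"
        else:
            # Absent directive: the effective value is the daemon default.
            actual, source = defaults.get(directive, "<unknown default>"), "default"
        if actual.lower() != required.lower():
            findings.append({
                "directive": directive, "required": required,
                "actual": actual, "source": source, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in check_baseline(parse_config(SAMPLE_SSHD_CONFIG)):
        print(f"{f['directive']}: want {f['required']}, got {f['actual']} "
              f"({f['source']}) - {f['reason']}")
```

The same shape (parse the effective configuration, fill in defaults for anything not set explicitly, compare with the baseline and report the reason) applies to any asset type in the inventory; what changes per asset type is the baseline table, which is why the article ties the baseline to the system inventory.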
7. Managing user privileges
One of the 10 steps is for companies to create an identity and access management plan that defines access controls for their employees. The risk management regime must keep the number of privileged accounts on its systems to a minimum, granted on a need-to-know basis. By managing user privileges, management can control how much sensitive information is available to members of staff. All access control requests and concerns should follow the principle of least privilege (PoLP).
8. Incident management
As a company, you must prepare yourself ahead of rainy days. That is where an incident response and disaster management policy or procedure comes in. Planning and developing incident management plans, response and disaster recovery capabilities to ensure business continuity, whether incidents are small or big, is a key capability. Relevant teams must know how to respond to an incident and must test the various incident management, response and disaster recovery plans regularly.
The purpose of incident response and disaster recovery processes in cyber security is to restore operations quickly, minimising the impact on business operations by prioritising assets based on their criticality. This allows organisations to maintain service quality levels while staying operational. For example, product databases and websites may be more critical for a retail business than their HR payroll system, although both are important.
9. Remote working
The year 2020 is a testament to the massive increase in cyber attacks and exploitation of network security and IT products used for working from home. While remote working has been said to increase productivity, it comes with risks that must be understood. The following items relate to multiple steps (home and mobile working, secure configuration, network security, user policies and risk management) under the 10 steps to cyber security approach.
- Apply technical security baselines (such as a baseline build checklist) to systems and devices to minimise the attack surface.
- Ensure that secure encryption configuration practices are used for data at rest and data in transit.
- Assess your attack surface regularly by commissioning external network penetration tests and other security audits.
10. User education
Although a lot is said about users being the weakest link in cyber attacks and the security kill chain, they can equally be the strongest link connecting these 10 steps into a cyber security strategy.
The foremost point in this section is ‘Do not blame users’.
User education and awareness should be practical, interactive and, most importantly, constantly evolving with the changing threat landscape. For instance, home and mobile working change the cyber landscape of an organisation, and mobile working devices, including BYOD policies, are some of the key areas for creating a security-conscious culture these days.
Everyone should be part of this training and awareness process, without exception. This should also include your supply chain: contractors, third-party vendors, suppliers, etc., who connect to or use your company assets.
But where to start …
Have you performed a gap analysis of your organisation against the above 10 steps to cyber security? You must do this to analyse gaps at the organisational, technical and functional levels to know what you should do. This is often done using organisation-wide health checks, penetration testing programmes or information security reviews.
Here are some of the offerings from our technical services section. Get in touch to schedule any organisational-wide security reviews.
Book a consultation today with Cyphere’s security consultants.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.