Executive Summary

This guidance is designed for organisations looking to protect themselves in cyberspace. The 10 Steps to Cyber Security was originally published in 2012 and is now used by a majority of the FTSE350.

The 10 steps guidance is complemented by the paper Common Cyber Attacks: Reducing The Impact. This paper sets out what a common cyber attack looks like and how attackers typically undertake them. We believe that understanding the cyber environment and adopting an approach aligned with the 10 Steps is an effective means to help protect your organisation from attacks.

Introduction to Cyber Security

An effective approach to cyber security starts with establishing an effective organisational risk management regime (shown at the centre of the following diagram). This regime and the 9 steps that surround it are described below.

[Infographic: 10 Steps to Cyber Security at a Glance]

IS Know How Pointer:

Why not use the above infographic to distribute amongst your Third Sector organisation's personnel for a little light reading?

Download the NCSC 10 Steps To Cyber Security infographic (PDF)

Risk Management Regime

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

Secure configuration

Having an approach for identifying baseline technology builds, and processes for ensuring configuration management, can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in an increased risk of compromise of systems and information.

Network security

The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation's networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.

Managing user privileges

If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user's account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.

User education and awareness

Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

Incident management

All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.

Malware prevention

Malicious software, or malware, is an umbrella term covering any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.

Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

Removable media controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

Home and mobile working

Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems, applicable to users as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.

What Next?

IS Know How Pointer:

You may also be interested in reading the next phase of the 10 Steps.

Disclaimer:

The above resources and content "Contains public sector information licensed under the Open Government Licence v1.0." unless marked with the text "IS Know How Pointer:", which is where ISKH has added a call to action for its visitors and clients.

ISKH is in no way affiliated with, or working on behalf of, the National Cyber Security Centre (NCSC). ISKH is simply reproducing its 10 Steps to Cyber Security information in order to put it in front of our Third Sector target audience(s) as much as possible.

Additionally, this should further support the NCSC's drive to show that cyber security has a positive impact on a business's or organisation's cyber and data security positioning. Any externally linked NCSC content on the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.
