The National Cyber Security Centre (NCSC) publishes 10 Steps to Cyber Security, guidance released to help organisations protect themselves from cyber attack.
It sets out 10 areas of work covering the defence of your networks and systems as well as the management and security of your data. The 10 steps were originally published in 2012 and are now used by a majority of the FTSE350.
To help guide you through these 10 steps we've broken down each one and given you some more detail on why they are important and how you can start to tackle them.
Set up your risk management regime
Start by assessing the risks to your company's information and systems. Until you understand the risks your company actually faces you cannot prioritise the biggest threats or give each of them a proportionate response.
A risk management regime keeps the board and the wider business informed of your cybersecurity efforts, and lets you adjust your approach as new threats and new systems appear.
Network security
Protect your networks from attack. The connections between your networks and the internet are exposed to anyone who cares to probe them. You cannot remove every vulnerability, but you can reduce the exposed surface as far as possible.
Filter out unauthorised access and malicious content at the network boundary, and continue to monitor and test these security controls rather than assuming they still work.
User education and awareness
You need to teach your employees their responsibilities and how they can prevent data breaches, because they play an important part in your company's cybersecurity. One widely cited analysis attributed 88 per cent of UK data breaches to human error.
Staff training can take on many different forms. There are introductory options online or you can go as far as certified courses. The level of training will depend on your business and the level of risk you face.
Malware prevention
Malware can reach your company in many different ways. It can arrive as an email attachment, sneak in through a vulnerability in one of your applications, or be carried in on a removable drive physically plugged into a computer.
Your company will need to deploy anti-malware software and create policies that help prevent employees from falling victim to cybercriminals.
Removable media controls
USB drives and other removable devices are the source of many security issues. Not only are they often used to introduce malware, they are also involved in many insider incidents. Employees lose removable devices or leave them plugged into computers where unauthorised parties can access them.
Produce a policy that controls all use of removable media. Limit the media types that are permitted and what they may be used for, and scan all media for malware before its contents are imported onto corporate systems.
Secure configuration
Misconfigured controls are one of the most common causes of a data breach. Running a database or CRM that has not been properly secured, or failing to install software updates, are both examples of misconfigured controls.
A configuration policy ensures that unnecessary functionality is removed from systems and that updates for known vulnerabilities are applied promptly.
Managing user privileges
Your company should know who needs access to what data. Access controls that give employees only the information relevant to their roles mean that a compromised account, or a malicious insider, can only reach a fraction of your data.
This limits the damage should someone gain unauthorised access to an employee's account, and makes it harder for employees to steal sensitive information.
Incident management
No matter how strong and in-depth your cybersecurity measures are, you will face a security incident at some point. That is why you need an incident response plan and a disaster recovery process.
Prepare for a security incident and establish policies and procedures in advance. This helps you limit the damage of an incident and get your business back up and running as soon as possible.
Monitoring
Monitoring enables you to detect successful or attempted cyber attacks. Often a business that has been breached is not even aware of it, which gives the attacker longer to steal more information or move deeper into your network.
System monitoring helps you identify incidents quickly so you can initiate the correct response. It also shows you how criminals are trying to attack your company, information you can use to strengthen defences in the areas being targeted.
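As an added example of the detection logic this step relies on (illustrative code, not from the NCSC guidance), the script below runs two rules over constructed OpenSSH authentication log lines: a burst of failed logins from one source inside a sliding window, and a successful login from a source that had just been failing repeatedly, which is the pattern a guessed or sprayed password leaves behind. The log lines, thresholds and host names are all assumptions made for this example; the second rule deliberately tolerates a couple of failures so that one mistyped password does not page anyone.

```python
"""Detect login-guessing and success-after-failures in sshd logs (added example)."""
import re
from collections import defaultdict, deque

# Matches the sshd syslog lines modelled here; anything else is ignored.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5           # failures from one source inside WINDOW_SECONDS -> alert
SUSPICIOUS_FAILS = 3         # failures preceding a success -> alert (assumed tuning)
WINDOW_SECONDS = 60


def parse_line(line):
    """Return a dict for a modelled sshd auth line, or None. Assumes all lines come
    from the same day, so the timestamp is reduced to seconds since midnight."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"t": t, "outcome": m["outcome"], "user": m["user"],
            "src": m["src"], "host": m["host"], "method": m["method"]}


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS,
           suspicious=SUSPICIOUS_FAILS):
    """Return a list of alert dicts in the order they fire."""
    recent_fail = defaultdict(deque)   # src -> timestamps of failures still in window
    burst_alerted = set()              # alert once per source, not once per extra failure
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                   # real pipelines would count these, not drop them silently
        q = recent_fail[ev["src"]]
        while q and ev["t"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["t"])
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append({"rule": "failed_login_burst", "src": ev["src"],
                               "host": ev["host"], "count": len(q), "t": ev["t"]})
        elif len(q) >= suspicious:
            # A success right after a run of failures is the signature of a guessed
            # password; a single typo followed by success stays below 'suspicious'.
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "failures": len(q), "t": ev["t"]})
    return alerts


# Constructed sample log (documentation IP ranges, fictional hosts and users).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:04 web1 sshd[2303]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:07 web1 sshd[2305]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:09 web1 sshd[2307]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:11 web1 sshd[2309]: Failed password for alice from 203.0.113.5 port 51244 ssh2
Mar  3 10:00:15 web1 sshd[2311]: Failed password for bob from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:20 web1 sshd[2313]: Failed password for alice from 203.0.113.5 port 51252 ssh2
Mar  3 10:00:31 web1 sshd[2315]: Accepted password for alice from 203.0.113.5 port 51260 ssh2
Mar  3 10:05:02 web1 sshd[2320]: Failed password for carol from 192.0.2.10 port 33001 ssh2
Mar  3 10:05:40 web1 sshd[2322]: Accepted password for carol from 192.0.2.10 port 33002 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample it raises two alerts: a burst from 203.0.113.5 at the fifth failure, then a `success_after_failures` for `alice` from the same source with six failures in the preceding minute. The key-based login from 198.51.100.7 and carol's single typo produce nothing, which is the balance between coverage and noise that monitoring tuning is about.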
Home and remote working
Remote working is becoming more commonplace, but it brings its own security risks. Remote workers do not get the same physical and network protection that the office provides.
Employees working away from the office are also likely to be using their own devices to access your data or your network, so you will need to make sure the correct security controls are applied to those devices as well.
Much of the advice offered by the NCSC mirrors that of Cyber Essentials, as both are Government-backed. Cyber Essentials is the scheme that guides companies to an essential, baseline level of cybersecurity.
By gaining Cyber Essentials certification you will have the assurance that you have put the essentials of cybersecurity in place.