Get Aligned!

You can download this infographic from the National Cyber Security Centre on the link below.

How can organisations protect themselves in cyberspace?

An effective approach to cyber security starts with establishing an effective organisational risk management regime (shown at the centre of the above diagram). This regime and the 9 steps that surround it are described below.

1. Risk Management Regime

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2. Secure configuration

Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.

3. Network security

The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation’s networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.

4. Managing user privileges

If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that users account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.

5. User education and awareness

Users have a critical role to play in their organisation’s security and so it’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6. Incident management

All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.

7. Malware prevention

Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8. Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

9. Removable media controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use

10. Home and mobile working

Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.

The 10 steps guidance is complemented by the paper Common Cyber Attacks: Reducing The Impact. This paper sets out what a common cyber attack looks like and how attackers typically undertake them. We believe that understanding the cyber environment and adopting an approach aligned with the 10 Steps is an effective means to help protect your organisation from attacks.

Back to List

Related Stories

Protecting Your .UK Presence

Protecting Your .UK Presence

The clock is ticking on who can register a .UK domain in your name.

Nominet, the governing body of UK domain names, released shorter .UK …

Read Post

Checklist to Digital Transformation

Checklist to Digital Transformation

Digital Transformation is the novel use of digital technology to solve traditional problems.

It’s about finding new ways to deliver valu…

Read Post

AWS, Azure & Google: A Public Cloud Comparison Report

AWS, Azure & Google: A Public Cloud Comparison Rep…

The three leading cloud computing vendors, AWS, Microsoft Azure and Google Cloud, each have their own strengths and weaknesses that make the…

Read Post

Azure Infrastructure Cloud Migration Essentials

Azure Infrastructure Cloud Migration Essentials

To enable successful migration, it’s important to have a strong plan in place that covers the end-cloud environment, training and, most im…

Read Post

Technology is redesigning the workplace

Technology is redesigning the workplace

We are entering a new era of IT. One that fundamentally reimagines where we work, the way we work, and how we provide the tools for work. Th…

Read Post

Three Key Components of a Cyber Resiliency Framework

Three Key Components of a Cyber Resiliency Framewo…

Extortionists know that the availability of backups often determines whether they can collect on their ransom demands. Those without suffici…

Read Post

Moving Beyond the Perimeter

Moving Beyond the Perimeter

In this white paper, you’ll find – An overview of the new enterprise architecture, Detailed descriptions of new risks, How to protect agai…

Read Post

The headlines are clear - cyber attacks are imminent

The headlines are clear – cyber attacks are immine…

The UK’s National Cyber Security Centre (NCSC), the FBI, and the US Department of Homeland Security have issued a joint alert warning of a g…

Read Post

Paradigm Shifts - What to expect in 2018

Paradigm Shifts – What to expect in 2018

Skills and resources – these are the two elements that make up an attacker’s arsenal. An attacker, however, cannot set out to break security…

Read Post

The new breed of ransomware that's changing all the rules

The new breed of ransomware that’s changing all th…

The recent spread of WannaCry and NotPetya are rewriting the rules of ransomware, and it’s turning into something far more sinister. If thes…

Read Post