Put up-to-date security software in place to protect your networks against external and internal attack and unauthorised access to systems.
Security software should manage the network perimeter and filter out any unauthorised access and malicious content, but you should also regularly monitor and test these security controls and manage internal security.
Social engineering / phishing is an ever-popular form of entry via involved or unsuspecting staff.
Produce user security policies covering acceptable and secure use of the organisation’s systems.
Establish and include a staff training programme to maintain user awareness of cyber risks.
Ensure users understand the importance of basic cyber hygiene such as complex password creation, use of 2-factor authentication, working-from-home safety, etc.
Produce relevant policies and establish anti-malware defences that are applicable and relevant to all business areas of your organisation.
Scan for malware across the organisation. This is both a technical and a human control: there are technical cyber security controls such as firewalls, web filtering and endpoint protection, but these need to be supported by user security policies covering the acceptable and secure use of the organisation’s systems.
Produce a policy to control all access to removable media. The uncontrolled use of removable media can increase the risk of malware being transferred to critical business systems. Limit media types and use.
Scan all media for malware before importing it onto a corporate system.
Apply security patches and ensure that the secure configuration of all ICT (Information & Communications Technology) systems is maintained. Create a system inventory and define a baseline build for all ICT devices.
Introduce security patches quickly and effectively, and monitor the performance of external equipment suppliers.
Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team.
Report criminal incidents to law enforcement. Consider using an incident response and case management platform such as CyberCPR.
With CyberCPR you can effectively collate data and evidence, allocate tasks on a ‘need to know’ basis and securely communicate independently of your network.
Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack.
Collaborate with any suppliers on security arrangements and agree on a monitoring strategy together. Communicate and update regularly to ensure alignment.
Develop a mobile working policy and train staff to adhere to it.
Apply the secure baseline and build to all devices. Protect data both in transit and at rest. This is especially pertinent given the work from home (WFH) advice and the dramatic move to home working prompted by the situation with Covid-19.
A WFH policy should be a priority if not in place already. Factors such as VPN use, video calling, device use etc. need attention.
It is important to assess the risks to your organisation and identify any obvious vulnerabilities to protect your network against internal and external data breach attempts.
Establish an effective governance structure by assessing the risks to your organisation’s information and systems at the same level you would for legal, regulatory, financial or operational risks. To do this, introduce and implement a Risk Management Regime across your organisation that is fully supported by senior managers.
Ideally have a colleague in place as a Security Risk Lead who can take responsibility to assess and record mitigating actions against any security risks.
Establish effective account management processes and limit the number of privileged accounts. Limit user privileges to those they need for their general work and monitor user activity.
Control access to activity and audit logs. The CyberCPR case management system is built on a ‘need to know’ basis, where users only have access to the specific area they are working on.
This is crucial during a security breach where access to remedial data and process needs to be protected.