12 Steps to Effective Cyber Security

The "12 Steps to Cyber Security" Report, issued by the National Cyber Security Centre, breaks down and outlines the steps needed for companies to implement an effective cybersecurity system. The report recognizes that with an increased reliance on technology comes an increased need for preparation in the event of an attack.

This report was compiled with the knowledge of the high revenue that cybercrime generates and how, as stated by The Economist, "the world's most valuable resource is no longer oil, but data."

The "12 Steps to Cyber Security" Report tackles the issue of cybersecurity by breaking it down into 12 manageable steps. The NCSC recommends that a new step be implemented each month. The recommended 12 Steps are as follows:

12 Steps to Effective Cyber Security

1. Establish governance and organization:

  • Ensure that the company has the support of its senior management.
  • Create and assign roles within the organization for cyber risk management.
  • Develop and adopt cyber risk management policies and standards.
  • Understand key business plans and strategies.

2. Identify what matters most:

  • Establish what the most important components of the business are.
  • Outline all business objectives, products, services, data flows, etc.
  • Take note of all third parties involved in the business.
  • Map out all assets and rank them in order of criticality to the business.

3. Understand the threats:

  • Identify who the company’s threat actors (those who may attack it) are.
  • Establish a Cyber Threat Intelligence (CTI) capability to allow the business to establish its top threat actors and its potential attack scenarios.
  • Understand who potential attackers are and the motives behind their attacks.
  • Understand potential attack vectors (how an attack may be carried out).
  • Take part in industry forums that share cyber intelligence information.
  • Remember: Understanding threats enables companies to implement policies that protect against the most likely attacks.

4. Define your risk appetite:

  • Set out what a cyberattack, according to each of the scenarios identified, may cost the business – usually, a range of figures emerges.
  • Define the company’s risk appetite – set out, and have senior management approve, what risks the company is willing to take.
  • Consider taking measures to reduce risks that fall outside of the company’s risk appetite.

5. Focus on education and awareness:

  • Ensure that employees are up to speed on good cybersecurity practices.
  • Consider more comprehensive and extensive training for greater targets such as top executives.
  • Consider implementing a news flash system that will alert employees while an attack is taking place.
  • Look at third parties who have access to the company network and consider their level of cybersecurity awareness.

6. Implement basic protections:

  • Ensure that the company has basic cybersecurity measures in place. This includes but is not limited to:
    • Anti-malware software.
    • Firewalls and patched systems.
    • Secure access from devices used to access company systems.
    • Ensuring that sensitive data is encrypted.
    • Ensuring that vulnerabilities are established and protected against.
    • Establishing an Identity and Access Management program to ensure:
      • Employees only have as much access to the company network as necessary to do their jobs.
      • Passwords are of appropriate strength and are changed regularly.
      • Users with privileged access are trained and vetted.

7. Be able to detect an attack:

  • Decide what system activities should be logged and how long the logs should be retained for.
  • Consistent logging is essential to monitoring activity and helps to establish why/how a successful attack occurred.
  • After logging parameters have been established, the next step is to monitor them for suspicious activity – a Security Operations Centre (SOC) may be useful to implement at this stage.
  • Remember: Detecting an attack is paramount to responding to one.

8. Be prepared to react:

  • Set up a trained incident response team.
  • Draw up a plan detailing how incidents will be detected, responded to, investigated, and recovered from.
  • Include considerations of relevant legal frameworks such as the GDPR and other regulations.
  • Remember: The impact of an attack will be reduced if organizations have a strategy in place to respond to one.

9. Adopt a risk-based approach to resilience:

  • Draw up recovery plans that the business can follow in the event of an attack.
  • Ensure that Business Continuity and Disaster Recovery plans are in place.
  • Remember: With the likelihood of attacks increasing, resilience is key to a company’s survival.

10. Implement additional automated protections:

  • Note: This step sets out to upgrade the basic protective measures outlined in step 6.
  • Implement technologies such as Intrusion Prevention Systems and Web Application Firewalls.
  • Establish a cyber risk reporting program to liaise between the IT department and senior management.

11. Challenge and test regularly:

  • Ensure to regularly test the strength of your organization.
  • Perform pen-testing, etc., and encourage proactive hunting for threat actors.

12. Create a cyber risk management lifecycle:

  • Always look for ways to improve the program the company has in place.
  • Remember: As cyber risks evolve, it is important to reflect on and improve your company’s current cyber risk management program.

Following these 12 steps will transform a poor cybersecurity system into one not only able to recover from attacks but capable of proactively monitoring and eliminating potential threats. With global cybercrime increasing, it is imperative that every company ensures it takes appropriate steps to protect its business.

Was this page helpful?