What are the 10 Steps to Cyber Security?

Cyber and Information Security Framework in 2022

Over the last several years, the cyber and information security landscape has seen many changes. From a rapid shift to remote work, to the rise of ransomware and other forms of sophisticated state-backed cybercrime.

As such, official guidance around these topics has likewise evolved, with the UK's National Cyber Security Centre's (NCSC) '10 Steps to Cyber Security' being no exception.

"We have not only seen changes in the external environment (such as the growth of cloud services), but also changes in the nature of the threats facing organisations."

Richard M, Chief Technical Officer for Economy & Society, NCSC

Originally developed in 2012 by the NCSC's predecessor, the National Technical Authority for Information Assurance (CESG), the 10 Steps to Cyber Security guidance was created as a resource for organisations and individuals alike to help protect against a broad array of cyber and information security risks.

Though still largely applicable today, the NCSC has recently announced they have 'refreshed' these steps. Now squarely aimed at security professionals and technical staff within medium to large businesses (though applicable to all organisations), the '10 Steps to Cyber Security' is an increasingly important resource in helping protect your information and organisation.

What are the 10 Steps to Cyber Security?

Below is a general overview of the NCSC's '10 Steps to Cyber Security'. Detailing the main points and concepts, as well as noting some of the updates and changes that have been made to the guidance.

Risk Management

As with all forms of risk management, within the context of cyber security, risk management is chiefly about protecting the technologies, systems and information used by your organisation in the most appropriate way.

"Risk management informs decisions so that the right balance of threats and opportunities can be achieved to best deliver your business objectives."

From assessing and ranking the importance of these various elements of your organisation, to embedding this management approach into your culture, when cyber security-based risk management is being executed correctly, it should ultimately complement the way you manage all your other business risks.

Additionally, as well as looking at elements within your organisation, the 10 Steps guidance also details how risk management also applies to wider risk concerns, such as your supply chain, use of third-party services and cloud services.

Engagement and Training

As the NCSC rightly points out, people are at the centre of any effective cyber or information security strategy. By providing staff with the resources and information they need to protect your organisation, you not only reduce your overall risk, but also demonstrates a commitment to security.

"Good security takes into account the way people work in practice, and doesn't get in the way of people getting their jobs done."

The guidance also emphasises the importance of having positive and relevant security awareness training. Focusing on information that is not only appropriate, but training that motivates staff to act correctly and help, rather than stressing the consequences of them doing something wrong.

Asset Management

From unpatched software, to exposed databases or wrongly classified documents, improper asset management can have an extremely significant impact on your organisation. By establishing and maintaining the necessary knowledge of assets, an organisation can then take the steps required to mitigate cyber and information risk.

Encompassing hardware, software, firmware and data, assets take many forms; though each directly affect your organisation's ability to operate. Asset management is an essential element of cyber security that feeds directly into other cyber and information security steps -- in particular, risk management.

Architecture and Configuration

Information and cyber security have never been so important. As such, it is an essential reminder that these concerns should be a fundamental element in which systems and services are architected from the outset.

"A well architected and configured system or service will help you gain confidence that your security controls are mitigating the risks that your organisation cares about."

By designing and constructing systems with risk in mind, this can not only allow an organisation to create systems that can be more easily maintained and updated to adapt to new threats, but also reduce the need for reworking these systems in the future.

Vulnerability Management

A significant portion of cyber security incidents and breaches occur when malicious actors exploit publicly disclosed vulnerabilities. As such, it is vital that organisations have management systems in place to ensue that security updates are installed as soon as possible.

"Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first."

Requiring a range of tactics, from automating system updates to vulnerability scanning, and even active penetration testing, with all these steps vulnerability management is heavily dependant on the specifics of an organisation but is nevertheless a vital step in managing cyber and information security risk.

Identity and Access Management

Primarily focused on measures such as multi-factor authentication for users, identity and access management is about understanding who and what need access to certain systems, and under what specific conditions.

"Ensure you have an identity and access management policy that covers who should have access to which systems, data or functionality, why, and under what circumstances."

By limiting the access of users to what is necessary, as well as having the systems in place to authenticate and identify those users, effective identity and access management should strike a balance between making access as difficult as possible for inauthentic users, whilst remaining as simple as possible for the authentic.

Data Security

Regardless of an organisations type, information is key, and protecting its confidentiality, integrity, and availability (CIA triad) is essential. From ensuring that personal data being held is adequately encrypted, to having the backups necessary to survive a ransomware attack, data and information security can no longer be overlooked.

"Ensure you know what data you have, where it is stored and what you consider most sensitive, and apply protections based on the risks you have identified."

As well as protecting against attackers, data security is also an issue of compliance, and by ensuring that appropriate and effective measures are in place, an organisation helps to defend against reputational damage and the costs of non-compliance.

Logging and Monitoring

Accurately understanding how your systems are being used can only be achieved with proper logging and monitoring. Allowing an organisation to not only understand what has happened, but to also provide insights into what should happen, and thus protect against that which should not.

"Security monitoring provides insight into systems, and allows for the active detection of threats and potential security incidents."

Again, logging and monitoring is a cyber security step specific to each organisation, but designing a solution appropriate to your system allows for threats and risks to be addressed in real time; before an incident can become a breach.

Incident Management

As noted above, measures such as logging and monitoring will allow an organisation to respond to incidents quicker, but having appropriate incident management policies in place will further aide in reducing the impact of an incident.

"Effective incident management lessens the impact of a cyber incident."

From managing the costs, productivity, and potential reputational damage, having a practical and practiced response plan in place requires a broad range of cooperation across teams. As such, senior management, security staff, HR and legal are all needed to lend their expertise.

Supply Chain Security

A new addition to the NCSC's 10 Steps to Cyber Security, supply chain management is an often-overlooked element of an information and cyber security strategy.

Depending on the organisation, supply chains can be both large and complex, but working with suppliers and partners to help minimise risk inside and outside is a cyber security step which can benefit everyone involved.

"Be prepared to provide assistance when necessary, where security incidents in your supply chain have the potential to affect your business or the wider supply chain."

Though an organisation may not be able to influence the security of all elements of its supply chain, actively working with vendors and suppliers who also demonstrate their own effective cyber security should be part of the process.

Security Awareness Training

As the NCSC explains in its 10 Steps to Cyber Security guidance, training and engagement is an essential step in mitigating risk, which is why at Hut Six we have developed effective and relevant training that gives staff the tools they need to make the correct security choices.

From detailed tutorials imparting the foundations of information security, interactive tutorials in which users make realistic practical decisions, to simulated phishing campaigns, online information security training is increasingly the choice for organisations wanting to get serious about their security.

All of these specialised online information security training features allow an employer to not only provide their staff with necessary training, but to also monitor users' progress and demonstrate compliance.