August 8, 2013 (updated 22 Sep 2016 10:56am)

10 steps to cyber security

10 issues to consider to help keep businesses secure.

By Duncan Macrae

The UK's Cyber-security Framework for Business (the "10 Steps to Cyber Security" guidance, published jointly by the Department for Business, Innovation and Skills and CESG, the information security arm of GCHQ) is a 10-step framework intended to stop around 80% of today's cyber-attacks, and to build the resilience to cope with the other 20%.

Non-executive directors (NEDs) and those in the financial profession may find this approach useful, as they understand the importance of securing information, the flow of it across the enterprise and the reputational risk at stake.

1. Board-led Information Risk Management Regime

Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?

2. Secure Home and Mobile Working

Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?

3. User Education and Awareness


Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?

4. User Privilege Management

Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?

5. Removable Media Controls

Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?

6. Activity Monitoring

Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyse network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?
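One concrete form of "looking for evidence of mounting attacks" in real time is to watch authentication logs for a source that keeps failing to log in. The following is an added example written for this article, not code from the original piece or from the 10 Steps guidance. It parses syslog-style sshd lines and raises an alert when one source address produces a threshold number of failed logins inside a sliding time window. The log lines are constructed, the year is assumed (syslog lines carry none), and the threshold and window are assumed values that a real deployment would tune to its own traffic.

```python
"""Sliding-window detection of brute-force logins in sshd syslog lines.

Added example for the Activity Monitoring step; not code from the article
or the 10 Steps guidance. All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering root/admin, one legitimate host.
SAMPLE_LOG = """\
Aug  8 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Aug  8 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 51023 ssh2
Aug  8 10:00:04 host1 sshd[2003]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Aug  8 10:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.9 port 51024 ssh2
Aug  8 10:00:08 host1 sshd[2005]: Failed password for invalid user test from 203.0.113.9 port 51025 ssh2
Aug  8 10:00:09 host1 sshd[2006]: Failed password for bob from 198.51.100.4 port 40002 ssh2
Aug  8 10:00:11 host1 sshd[2007]: Failed password for root from 203.0.113.9 port 51026 ssh2
Aug  8 10:03:00 host1 sshd[2008]: Failed password for root from 198.51.100.4 port 40003 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
YEAR = 2013  # assumed: syslog timestamps have no year field


def parse(line):
    """Return (timestamp, result, user, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP that reaches `threshold` failed logins
    within any `window`-long sliding interval. Each alert records the window
    bounds, the failure count and the usernames that source has tried."""
    failures = defaultdict(deque)   # src -> timestamps of failures in window
    users = defaultdict(set)        # src -> usernames attempted
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result != "Failed":
            continue
        users[src].add(user)
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "first": q[0],
                "last": ts,
                "count": len(q),
                "users": sorted(users[src]),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['src']}: {alert['count']} failures "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, users {alert['users']}")
```

Because the window slides, the same logic runs unchanged over a live tail of the log rather than a batch file. The usernames list is worth keeping in the alert: a source that cycles through many accounts with few attempts each is spraying rather than brute-forcing a single account, and a per-account lockout policy alone will not catch it.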

7. Secure Configurations

Do you have a technical vulnerability patching programme in place and is it up-to-date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorised devices and do you have a defined baseline build for all devices?
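The three questions above (patch currency, a baseline build, and an inventory of authorised devices) can be answered from the same scan data. The following is an added example written for this article, not code from the original piece or from the 10 Steps guidance. It takes a constructed authorised-asset inventory, a per-role baseline build, and constructed scan output, and reports devices that are not in the inventory, devices in the inventory that the scan did not see, settings that have drifted from the baseline, and devices patched earlier than the baseline requires. The role names, setting names and dates are assumed for illustration.

```python
"""Audit observed devices against the asset inventory and baseline build.

Added example for the Secure Configurations step; not code from the article
or the 10 Steps guidance. Inventory, baseline and scan data are constructed.
"""
from datetime import date

# Constructed authorised asset inventory: hostname -> build role (roles assumed)
INVENTORY = {
    "ws-001": "workstation",
    "ws-002": "workstation",
    "srv-db1": "server",
    "srv-web1": "server",
}

# Constructed baseline build per role: required settings and minimum patch date
BASELINE = {
    "workstation": {
        "min_patch_date": date(2013, 7, 31),
        "settings": {"firewall": "on", "autorun": "off", "disk_encryption": "on"},
    },
    "server": {
        "min_patch_date": date(2013, 7, 31),
        "settings": {"firewall": "on", "remote_admin": "key_only", "autorun": "off"},
    },
}

# Constructed scan output, in the shape an inventory/scanning tool might emit
OBSERVED = [
    {"host": "ws-001", "patch_date": date(2013, 8, 6),
     "settings": {"firewall": "on", "autorun": "off", "disk_encryption": "on"}},
    {"host": "ws-002", "patch_date": date(2013, 5, 14),
     "settings": {"firewall": "on", "autorun": "on", "disk_encryption": "on"}},
    {"host": "srv-db1", "patch_date": date(2013, 8, 1),
     "settings": {"firewall": "on", "remote_admin": "password", "autorun": "off"}},
    {"host": "laptop-x", "patch_date": date(2013, 1, 2),
     "settings": {"firewall": "off"}},
]


def audit(observed, inventory, baseline):
    """Return a list of (host, kind, detail) findings where kind is one of
    'unauthorised', 'missing', 'patching' or 'drift'."""
    findings = []
    seen = set()
    for dev in observed:
        host = dev["host"]
        seen.add(host)
        role = inventory.get(host)
        if role is None:
            # Unknown device: flag it; there is no baseline to compare it against.
            findings.append((host, "unauthorised", "not in asset inventory"))
            continue
        base = baseline[role]
        if dev["patch_date"] < base["min_patch_date"]:
            findings.append((host, "patching",
                             f"last patched {dev['patch_date']}, baseline requires "
                             f"{base['min_patch_date']} or later"))
        for key, want in base["settings"].items():
            got = dev["settings"].get(key)   # None if the scan saw no such setting
            if got != want:
                findings.append((host, "drift", f"{key}={got!r}, baseline {want!r}"))
    # Inventory entries the scan never reached are also a gap: they may be off,
    # blocking the scanner, or no longer exist.
    for host in inventory:
        if host not in seen:
            findings.append((host, "missing", "in inventory but not seen by scan"))
    return findings


if __name__ == "__main__":
    for host, kind, detail in audit(OBSERVED, INVENTORY, BASELINE):
        print(f"{kind:12s} {host:10s} {detail}")
```

A setting absent from the scan is treated as drift rather than ignored, so a device that reports nothing for `disk_encryption` is flagged instead of silently passing. Running this on every scan, and tracking the count of each finding kind over time, gives the board-level answer to whether the patching programme and baseline are actually being kept up.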

8. Malware Protection

Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?

9. Network Security

Do you protect your networks against internal and external attacks with firewalls, and do you verify that protection with penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?

10. Incident Management

Do you have an incident response and disaster recovery plan? Is it tested against readily identifiable compromise scenarios? Do you have an incident forensic capability, and do you know how to report cyber incidents?
