12 Steps to Effective Cyber Security


The 12 Steps to Cyber Security Report, issued by the National Cyber Security Centre, breaks down and outlines the steps needed for companies to implement an effective cybersecurity system. The report recognises that with an increased reliance on technology comes an increased need for preparation in the event of an attack.

This report was compiled with the knowledge that cybercrime generates high revenue and that, as The Economist put it, “the world’s most valuable resource is no longer oil, but data”.

The 12 Steps to Cyber Security Report tackles the issue of cybersecurity by breaking it down into 12 manageable steps. The NCSC recommends that a new step be implemented each month. The recommended 12 Steps are as follows:

1: Establish governance and organisation:

  1. Ensure that the company has the support of its senior management
  2. Create and assign roles within the organisation for cyber risk management
  3. Develop and adopt cyber risk management policies and standards
  4. Understand key business plans and strategies

2: Identify what matters most:

  1. Establish what the most important components of the business are
  2. Outline all business objectives, products, services, data flows, etc.
  3. Take note of all third parties involved in the business
  4. Map out all assets and rank them in order of criticality to the business

3: Understand the threats:

  1. Identify who the company’s threat actors (those who may attack it) are
  2. Establish a Cyber Threat Intelligence (CTI) capability to allow the business to establish its top threat actors and its potential attack scenarios
  3. Understand who potential attackers are and the motives behind their attack
  4. Understand potential attack vectors (how an attack may be carried out)
  5. Take part in industry forums that share cyber intelligence information
  6. Remember: Understanding threats enables companies to implement policies that protect against the most likely attacks

4: Define your risk appetite:

  1. Set out what a cyberattack, according to each of the scenarios identified, may cost the business – usually, a range of figures emerges
  2. Define the company’s risk appetite – set out, and have senior management approve, what risks the company is willing to take
  3. Consider taking measures to reduce risks that fall outside of the company’s risk appetite

5: Focus on education and awareness:

  1. Ensure that employees are up to speed on good cybersecurity practices
  2. Consider more comprehensive and extensive training for higher-value targets such as top executives
  3. Consider implementing a news flash system that will alert employees while an attack is taking place
  4. Look at third parties who have access to the company network and consider their level of cybersecurity awareness

6: Implement basic protections:

  1. Ensure that the company has basic cybersecurity measures in place. This includes, but is not limited to:
     1. Anti-malware software
     2. Firewalls and patched systems
     3. Secure access from devices used to access company systems
     4. Ensuring that sensitive data is encrypted
     5. Ensuring that vulnerabilities are identified and protected against
  2. Establish an Identity and Access Management programme to ensure that:
     1. Employees only have as much access to the company network as necessary to do their jobs
     2. Passwords are of appropriate strength and are changed regularly
     3. Users with privileged access are trained and vetted

7: Be able to detect an attack:

  1. Decide what system activities should be logged and how long the logs should be retained for
  2. Consistent logging is essential to monitoring activity and helps to establish why/how a successful attack occurred
  3. After logging parameters have been established, the next step is to monitor them for suspicious activity – a Security Operations Centre (SOC) may be useful to implement at this stage
  4. Remember: Detecting an attack is paramount to responding to one

8: Be prepared to react:

  1. Set up a trained incident response team
  2. Draw up a plan detailing how incidents will be detected, responded to, investigated and recovered from
  3. Include considerations of relevant legal frameworks such as the GDPR and other regulations
  4. Remember: The impact of an attack will be reduced if organisations have a strategy in place to respond to one

9: Adopt a risk-based approach to resilience:

  1. Draw up recovery plans that the business can follow in the event of an attack
  2. Ensure that Business Continuity and Disaster Recovery plans are in place
  3. Remember: With the likelihood of attacks increasing, resilience is key to a company’s survival

10: Implement additional automated protections:

  1. Note: This step sets out to upgrade the basic protective measures outlined in step 6
  2. Implement technologies such as Intrusion Prevention Systems and Web Application Firewalls
  3. Establish a cyber risk reporting programme to liaise between the IT department and senior management

11: Challenge and test regularly:

  1. Regularly test the strength of your organisation’s defences
  2. Perform penetration testing and similar exercises, and encourage proactive hunting for threat actors

12: Create a cyber risk management lifecycle:

  1. Always look for ways to improve the programme the company has in place
  2. Remember: As cyber risks evolve, it is important to reflect on and improve your company’s current cyber risk management programme

Following these 12 steps will transform a poor cybersecurity system into one not only able to recover from attacks but capable of proactively monitoring and eliminating potential threats. With global cybercrime increasing, it is imperative that every company ensures it takes appropriate steps to protect its business.