Cyber security is just ten steps away

Cyber security can sometimes feel overwhelming and complex, which is why the National Cyber Security Centre’s (NCSC) Ten Steps to Cyber Security are a good place to start for a broad overview of what needs to be addressed.

The Ten Steps look at cyber security holistically, outlining everything the board of any organisation should have on their agenda. Often cyber security is wrongly considered to be solely an IT problem, but it is important to look at cyber security from an organisational point of view too. While some of the steps do concern IT security and technology, the issue goes deeper and wider, which the Ten Steps make clear by covering people and process too.

The Ten Steps are:

  1. Risk management
  2. Engagement and training
  3. Asset management
  4. Architecture and configuration
  5. Vulnerability management
  6. Identity and access management
  7. Data security
  8. Logging and monitoring
  9. Incident management
  10. Supply chain security

The Ten Steps are aligned with cyber security frameworks such as ISO 27001 and Cyber Essentials, which all take a similar approach of addressing cyber security through people, process and technology. We need those complementary capabilities because technology alone is not enough: if you inadvertently give your username and password to an attacker, they can get into the system and do what they want. Education and training, for example, help make your people a strong line of defence.

The CCoE is a newly formed organisation which aims to make the UK the safest place in the world to live, work and play online. Between the organisations that make up the CCoE, the collective expertise covers the breadth of the Ten Steps and more. The CCoE can do an initial assessment against all of the areas listed above. It is about getting that initial picture to see how an organisation is doing and then working with them to see what could be done to improve in each area. While the Ten Steps are a good catch-all which enable us to outline the broad areas of risk, on the ground we use a more bespoke and comprehensive framework with around 128 areas to go through in detail.

Without addressing all the areas that fall under the Ten Steps, organisations are leaving themselves open to both insider and outsider risk. Outside the organisation we are seeing an increase in state-sponsored cyber attacks and state-sponsored organised crime groups, but there is also a growing number of insider threats that are accidental. It only takes one individual to send the wrong email to someone or to click on a malicious link. Supply chain security is also very important. You may have 100 suppliers and you need to know how secure they are. You may not be attacked directly, but your supply chain could be, potentially severely affecting you even if you were not the intended target.

The other important thing to remember is that the Ten Steps are not set in stone; they will adapt and change in response to the threat as it adapts and changes. Addressing the Ten Steps is necessary, but it is not job done, and you can’t stand still. This is a continual process, and the CCoE can help in looking at what to do next and how to respond to the latest types of threat.

David Woodfine is the managing director of Cyber Security Associates (CSA), a company which offers a trusted advisor service helping clients with aspects of cyber security such as assessments, help gaining certifications, incident response, general cyber road maps and development. He is on the advisory board of the CCoE, an organisation set up to act as a one-stop shop to assist local government members through their cyber security journey, and CSA is one of the CCoE’s operational partners.

iESE Conference 2023

The iESE Conference 2023 will focus on practical steps local authority officers and members can take to boost their cyber security at home and work.

There are limited spaces for senior officers and members.