1. Risk Management Regime – to understand the organisation's Risk Appetite
Defining and communicating your Managements Information Risk Management appetite is central to your organisation’s overall cyber security strategy.
Organisations rely on ICT to support their business goals and so it’s important that they apply a similar level of rigour when assessing the risks to its technology, systems and information assets as it would to other risks that could affect the business, such as regulatory, financial or operational risks.
This can be achieved by embedding an appropriate risk management regime across the organisation, which is actively supported by the Directors, Senior Managers and Employees. As a starting point, many businesses use a cyber security audit services to gain an understanding of the current risks faced by the business.
2. Secure Configuration – Device Management, Business Applications, Endpoint Protection & Updates
Having a process to define technology builds and processes and ensuring configuration management will greatly improve the security of systems. Businesses should develop a strategy to remove or disable unnecessary functionality from systems and to quickly fix vulnerabilities, by installing updates and patching as soon as possible. Not doing this will result in an increased risk of compromise of systems and information.
3. Home and mobile working
Remote and Mobile working provide great business benefits but expose new risks that need to be managed. Businesses should establish risk-based policies and procedures that support mobile working or remote access to systems for users and service providers.
4. Incident Management – Backup Restore & BC
Every business will experience security incidents at some point. Investment in good backup and establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.
5. Malware prevention
Malicious software or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk will be substantially reduced by implementing appropriate protection and security controls as part of an overall ‘defence in-depth approach.
6. User Privileges
We advocate the principle of ‘least privilege’. Meaning that all users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their work.
Giving users unnecessary system privileges or data access rights means that if the account is misused or compromised the impact will be more severe than it needs to be. Therefore the granting of highly elevated system privileges needs to be carefully controlled and managed to minimise the risk.
System monitoring provides a method to detect attacks on systems and services and it is essential in order to effectively respond to attacks. Cyber Security Monitoring and Response can also be seen as Prevention Detection and Response because it allows businesses to ensure that systems are being used appropriately in line with company policies. Monitoring is often required to comply with legal or regulatory requirements.
8. Network Security – Passwords, Servers, Services, Firewalls, LAN/WAN, Infrastructure
By configuring infrastructure, policies and processes the business can reduce the chances of attacks succeeding and causing harm to systems and information. If the company’s networks include other locations, as it most likely will, with home, mobile workers and cloud services, it makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, businesses must consider where the data is stored and processed, and where an attacker would have the opportunity to damage it.
9. Removable Media
A common route for the introduction of malware and the accidental or deliberate export of sensitive data is removable media. Businesses must be clear about the need to use removable media and apply appropriate restrictions. Removable media has the capability to transfer and store huge volumes of information as well as the ability to import malware.
10. User Education & Awareness
Users have a critical role to play in preventing cyber breaches and in the businesses security. It is important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure.
Users should be supported by a systematic delivery of awareness programs and training that deliver security expertise as well helping to establish a blame-free security-conscious culture.