10 Steps to Cyber Security Part 1 of 2


25 Sep 2018

10 Steps to Cyber Security Part 1 of 2

Through discussions with various clients and perspective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders eg as a retail outlet, then lack of access to the internet would be a serious risk and mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts and some technical measures such as denial of service attacks.

  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity are less important.One of the reasons the Wannacry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.

  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.

  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.

  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry in May, one of the methods used by the ransomware from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.

  • The benefits of having a documented standard build have pretty much been covered in above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
           
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensure that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
           
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
           
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected.

Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process). It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc, and also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlines in 4 above.

When you’re ready, take a look at part two of this list for the remaining five steps, which are:

  • User education and awareness
  • Managing User Privileges
  • Incident Management
  • Monitoring
  • Home and Mobile Working

 

Download a print-ready version of this article  

Protection Group International believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering strategic vulnerability assessment services and offer a range of senior cyber awareness education to enable you to tackle cyber threats in-house. For more information click here.

Our partner company, Protection Vessels International, is focussed on the efficient delivery of high quality, cost effective security solutions for the maritime community. We invest in our well-maintained logistic infrastructure to enhance customers’ business continuity through the protection of their assets and people. For more information click here.

author

By Steve Mair

Senior Cyber Security Consultant

Share this article

RISK PORTAL

Your free global geopolitical
risk dashboard

PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.

The Risk Portal gives users up-to-date information and analysis on global affairs.

The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.

Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.

Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.

Visit the Risk Portal

GDPR Services

Making ongoing compliance easier for you and your business

GDPR is now in force – make sure your business meets the necessary requirements and assurance for all your customers and employees

PGI GDPR Services

A full audit of your business to assess the level of your compliance against GDPR requirements

Become GDPR compliant with minimal work – we’ll conduct an analysis, review, report and implementation of necessary changes to your business

We’ll carry out simple assessments of security to help you understand and mitigate the potential risks to your business

Find out more on GDPR

Compliance Services

Get your business ready to face the cyber challenge

We provide a full range of accredited, certified and bespoke services that assess the resilience of your cyber security posture

PGI GDPR Services

PGI’s Qualified Security Assessors (QSA) will help you meet Payment Card Industry Data Security Standards (PCI DSS)

Find out more on PCI DSS

Demonstrate your commitment to cyber security by achieving and maintaining accreditation for the globally-recognised information security standard

Find out more on ISO 27001

Expert assistance on the implementation and maintenance of governance requirements for personal data

Find out more on GDPR

Find out more on Compliance

Vulnerability Testing

Understand the threats of phishing and malware to avoid being targeted

Undertake our phishing capability assessment to reduce your organisation’s risk of of attack, by measuring the cyber awareness of your workforce.

Malware & Phishing Services

PGI will conduct a tailored phishing campaign, using multiple methods, to identify realism and train employees where necessary to mitigate future attacks

PGI monitor multiple metrics to identify the types of phishing, generate in-depth analysis reports and provide an informed decision to help improve your organisation’s level of security and awareness

Find out more on Vulnerability Testing

Cyber Security

Prevent attacks, respond to breaches and protect your business

Our bespoke range of cyber security services not only protect your critical assets but provide the education you need to keep your operations and data safe.

Malware & Phishing Services

implement the cost-effective cyber security measure launched by the government to prevent cyber-attacks, demonstrate commitment to your clients, and attract new business by being recognised as a secure organisation

Find out more on Cyber Essentials Accreditation

The most effective way to identify how attackers target your organisation’s weaknesses by evaluating your system and network security and reporting on any vulnerabilities that could lead to a business impact

Find out more on Penetration Testing

If your business has experienced breaches, network compromises or operational disruption, our team of cyber security specialists can deploy quickly, and efficiently begin the process of detecting and eliminating the threat

Find out more on Data Breach Response & Recovery

In the event of a computer security investigation, a vital part of the response process if making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion

Find out more on Digital Forensics

Browse our Cyber Security services

Data Breach Response & Recovery

We prevent attacks, respond to security breaches, and protect your business

Our team of specialists can deploy quickly and efficiently to begin the process of detecting, eliminating and prevention of future threats of a breach.

Malware & Phishing Services

A vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion

Find out more on Digital Forensics

We will identify and minimise the risks, as well as the possibility of future risks to your business

Consistent interaction with your management team and recommendations on how to approach all outcomes that need attention

Find out more on Data Breaches

Subscribe to our Cyber Bytes Newsletter

Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.

Get in touch today

For more information on how we can help you or your business, please contact us via:

Related News

International Womens Day - Pioneering Women in Tec...

08 Mar 2017

Pioneering Women in Technology – Katherine JohnsonThe Oscar season has been and gone. The...

Read news article

Law Firms and why they need cyber security

07 Sep 2018

Why Law Firms need Cyber Security. Suffering a data breach can be devastating! From the experts at P...

Read news article

Content from the expert - GDPR and Cyber Governanc...

12 Jul 2017

Will there be a knock on effect regarding the General Data Protection Regulation (GDPR) after the UK...

Read news article
Back to the News Hub

+44 (0)207 887 2699
©2017 PGI - Protection Group International Ltd. All rights reserved.
PGI - Protection Group International Ltd is registered in England & Wales, reg. no. 07967865
Address: Unit 13/14, Swallow Court, Sampford Peverell, Tiverton, England, EX16 7EJ