At LRQA we have the great advantage of seeing first-hand how organisations of all shapes and sizes approach cyber security. And like all good consultants, we are magpies; borrowing the best and worst of what we see and absorbing it into our accumulated knowledge. This approach means that when we advise our customers, we’re able to draw on a vast body of knowledge and experience, saving our customers’ time by avoiding the mistakes we have observed within other organisations.
In this blog post, we'll look at why the NCSC 10 Steps guidelines are a good place to start when evaluating your cyber security posture, as well as advice on how to implement these guidelines.
What's the problem?
Government reports show that of all the businesses that identified a data breach, half are impacted. The damages of such breaches include costs ranging from over £3k for a small business, to £22k for a large business.
When businesses who reported that their work was impacted by a breach, many reported that it prevented employees from completing their day-to-day duties. Taking these figures into account, you might assume that businesses are still failing to recognise the need for cyber security. To some extent this is true, however three quarters of businesses surveyed say that cyber security is a priority for them. Despite this, just over a third have responsibility for cyber security assigned at board level, nearly 20% never update their senior staff on cyber security, and just under 3 in 10 businesses provide their employees with security awareness training.
Whilst many businesses claim to have some of the basic cyber essential controls in place, the frequency of breaches suggests this figure may not be entirely accurate. This could be because organisations believe their controls are in place, however in reality they are not effective.
Why the NCSC 10 Steps to cyber security is a good place to start
The old adage that you never stop learning could not be truer in Information Security, and that’s why it’s important that as a community we come together and share knowledge. Most of us are familiar with standards such as PCI DSS, ISO27001, or the NIST cyber security Framework – which of course are built with input from professionals across the industry, and based on both positive and negative experiences.
This is why, when an organisation decides to get serious about Information Security, they often look to align to or certify against a recognised standard. Some, such as PCI DSS, are very focussed on protecting particular types of data (in this case credit card information). Others, for example ISO27001, are better described as an approach to protecting information that you care about, and allow an organisation to define the scope of the management system.
Whilst there’s undoubtedly benefit in all of these approaches, we do also speak to many customers who simply “want to do security better”. In these cases there’s often no particular need to prove compliance, no desire for an audit, and the motivation is driven purely by a desire to protect what they care about.
This is a great aspiration, but how do we actually achieve it? You could define what you think good looks like, but this will ultimately be biased and limited by your organisation’s position and your own views and experience. Instead, LRQA recommend that organisations reference the NCSC’s 10 Steps to cyber security.
NCSC’S 10 Steps to cyber security
The NCSC 10 Steps to Cyber Security provides guidance on how organisations can enhance their cyber security posture. The guidance includes advice on risk management, policies, procedures, network architecture and other critical protective measures. It’s published by the National Cyber Security Centre (NCSC), an organisation of the United Kingdom Government that provides advice and support for the public and private sector on how to avoid computer security threats. The NCSC believe that understanding the cyber environment and “adopting an approach aligned with the 10 Steps is an effective means to help protect your organisation from attacks”.
In the below infographic from the NCSC, we can see the 10 that these guidelines focus on. A copy of this can be downloaded here and referred to as a handy resource.
Introducing the Remote cyber security Review
Whilst the above information gives guidance on best cyber security practices, sometimes it's difficult for SME's to implement this without a large in-house IT team or in-house cyber security experts. Likewise, as a large organisation, implementing these guidelines may be alot easier, however it's always great to get peace of mind from an outside pair of eyes. That's where we come in!
In accordance with the NCSC 10 Steps cyber security guidelines, LRQA offer a Remote cyber security Review.
The benefits of a remote cyber security review
A remote cyber security review, performed by a LRQA Information Security Consultant, can help organisations gain better visibility and greater assurance that the controls and governance they have in place are effective. Some of the main benefits include:
- By ensuring the correct measures are in place, you could stop the domino effect of a cyber-attack on your organisation.
- Evaluate board-level awareness and identify how best-practice can be implemented from the top down.
- Recommendations from our in-house certified experts for each step of the process.
- Identify quick win area, saving you time and budget
- Recognise existing good practices
What's involved in a remote cyber security review?
LRQA will deliver an on-site, or remote assessment against the NCSC Ten Steps.Our review also offers our customers a gap analysis against the NCSC 10 Steps. During this process we review against the 10 Step requirements, and identify where gaps exist. We also seek to understand where quick wins are possible, and then document the findings in a detailed report, providing recommendations against gaps identified.
We don’t limit the process to the just the 10 Steps, but build on this great foundation by using our own expertise in other areas such as change management, secure development, incident response, cloud computing, and physical security.
When we’ve completed an analysis we advise our customers to use this as a starting point. As well as implementing those tactical “quick wins”, we support them in developing a strategic roadmap to implement improvement and mature their cyber security posture.
The following is delivered as part of this service:
- On-site or remotely-delivered cyber security reviewed by Information Security Consultant
- Review organisation against the 10 Step requirements and other applicable areas
- A detailed report with the outcomes, required action and recommendations for improvement.
The 10 Steps/Areas that will be evaluated are:
• Risk Management Regime
• Secure configuration
• Network security
• Managing user privileges
• User education and awareness
• Incident management
• Malware prevention
• Monitoring
• Removable media controls
• Home and mobile working
In addition to reviewing against the NCSC’s 10 steps, we can also include other applicable areas as needed, including:
• Secure development practices
• Physical security
• Third-party risk
• Cloud security, including Office 365
• Alignment to ISO27001 Annex A controls
Ready to get started with a Remote cyber security Review? Contact your local LRQA team to get started.