Cyber Resilience Week 2017
If cyber security isn’t among your organisation’s biggest concerns, you haven’t been paying attention.
Just last week, personal data belonging to 44 million British citizens was stolen in a hack on US credit rating firm Equifax. Second-hand electronics retailer CeX lost two million customers’ data in August. And it was only May, lest we forget, when the NHS was crippled by a strain of ransomware known as WannaCry.
In a networked world, with ever more services and devices connecting to the internet, organisations are putting troves of sensitive data within hackers’ reach. As this potential bounty grows, so does the risk of a hack or intrusion, and it doesn’t take a cyber security expert to see the devastation these attacks can wreak.
Organisations need a robust cyber strategy and the latest technology, but also, crucially, a culture of cyber security awareness. From the CEO on down, every member of an organisation needs to understand how to protect themselves online, handle sensitive data, and keep their devices safe. A network is, after all, only as secure as its weakest link.
To that end, Stuart Hyde QPM, a member of the Europol Internet Security Advisory Board and aql’s regional ambassador for CiSP, has put together a checklist to help organisations keep themselves, and their customers, safe.
Cyber security checklist
Network security
Protect your networks from attack. Defend the network perimeter, filter out unauthorised access and malicious content.
Monitor and test security controls.
User education and awareness
Produce user security policies covering acceptable and secure use of your systems.
Include in staff training.
Maintain awareness of cyber risks.
Malware prevention
Produce relevant policies and establish anti-malware defences across your organisation.
Removable media controls
Produce a policy to control all access to removable media.
Limit media types and use.
Scan all media for malware before importing onto the corporate system.
Secure configuration
Apply security patches and ensure the secure configuration of all systems is maintained.
Create a system inventory and define a baseline build for all devices.
Managing user privileges
Establish effective management processes and limit the number of privileged accounts.
Limit user privileges and monitor user activity.
Control access to activity and audit logs.
Incident management
Establish an incident response and disaster recovery capability.
Test your incident management plans. Provide specialist training.
Report criminal incidents to law enforcement.
Monitoring
Establish a monitoring strategy and produce supporting policies.
Continuously monitor all systems and networks.
Analyse logs for unusual activity that could indicate an attack.
Home and mobile working
Develop a mobile working policy and train staff to adhere to it.
Apply the secure baseline and build to all devices.
Protect data both in transit and at rest.
Set up your Risk Management Regime
Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers.
In collaboration with Digital Leaders’ Cyber Resilience Week.
For more information on keeping your organisation safe, visit www.ncsc.gov.uk