Advice for Larger Organisations

The majority of cyber attacks are untargeted and opportunistic in nature, with the attacker hoping to take advantage of a weakness (or vulnerability) in a system, without any regard for who that system belongs to. These can be just as damaging as targeted attacks; the impact of WannaCry on global organisations – from shipping to the NHS – being a good example. If you’re connected to the internet then you are exposed to this risk. This trend of untargeted attacks is unlikely to change because every organisation – including yours – will have value to an attacker, even if that is simply the money you might pay in a ransomware attack.

Board Toolkit

The vast majority of organisations in the UK rely on digital technology to function.

Good cyber security protects that ability to function, and ensures organisations can exploit the opportunities that technology brings. Cyber security is therefore central to an organisation’s health and resilience, and this places it firmly within the responsibility of the Board.

The Board Toolkit been created to encourage essential discussions about cyber security to take place between the Board and their technical experts.

Board members don’t need to be technical experts, but they need to know enough about cyber security to be able to have a fluent conversation with their experts, and understand the right questions to ask.

The Board Toolkit therefore provides:

1. A general introduction to cyber security.

2. Separate sections, each dealing with an important aspect of cyber security. For each aspect, we will:

- explain what it is, and why it’s important
- recommend what individual Board members should be doing
- recommend what the Board should be ensuring your organisation is doing
- provide questions and answers which you can use to start crucial discussions with your cyber security experts

3. An Appendix summarising the legal and regulatory aspects of cyber security.

NCSC Board Toolkit

This guidance is aimed at medium to large organisations that have someone dedicated to managing the organisation’s cyber security, or those organisations with a greater degree of maturity in cyber security. For smaller organisations our Small Organisations guidance might be a better place to start, though the principles here in the 10 Steps are applicable to all organisations.

The guidance within the 10 Steps to Cyber Security is comprehensive and will take time to implement, but will achieve the greatest degree of security for your organisation. The first step in implementation would normally be to establish a baseline of where your organisation is, before conducting a gap analysis between the baseline and what you would like to achieve. This process should become a cycle of steady improvement and review.

Risk Management

Taking risks is a natural part of doing business. Risk management informs decisions so that the right balance of threats and opportunities can be achieved to best deliver your business objectives. Risk management in the cyber security domain helps ensure that the technology, systems and information in your organisation are protected in the most appropriate way, and that resources are focussed on the things that matter most to your business. A good risk management approach will be embedded throughout your organisation and complement the way you manage other business risks.

Engagement and Training

People should be at the heart of any cyber security strategy. Good security takes into account the way people work in practice, and doesn’t get in the way of people getting their jobs done. People can also be one of your most effective resources in preventing incidents (or detecting when one has occurred), provided they are properly engaged and there is a positive cyber security culture which encourages them to speak up. Supporting your staff to obtain the skills and knowledge required to work securely is often done through the means of awareness or training. This not only helps protect your organisation, but also demonstrates that you value your staff, and recognise their importance to the business.

Asset Management

Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.

Architecture and Configuration

The technology and cyber security landscape is constantly evolving. To address this, organisations need to ensure that good cyber security is baked into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks.

Vulnerability Management

The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation. Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.

Identity and Access Management

Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. A good approach to identity and access management will make it hard for attackers to pretend they are legitimate, whilst keeping it as simple as possible for legitimate users to access what they need.

Data Security

Data needs to be protected from unauthorised access, modification, or deletion. This involves ensuring data is protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use). In many cases data will be outside your direct control, so it important to consider the protections that you can apply as well as the assurances you may need from third parties. With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include maintaining up-to-date, isolated, offline backup copies of all important data.

Logging and Monitoring

Collecting logs is essential to understand how your systems are being used and is the foundation of security (or protective) monitoring. In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident. Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact.

Incident Management

Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.

Supply Chain Security

Most organisations rely upon suppliers to deliver products, systems, and services. An attack on your suppliers can be just as damaging to you as one that directly targets your own organisation. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. The first step is to understand your supply chain, including commodity suppliers such cloud service providers and those suppliers you hold a bespoke contract with. Exercising influence where you can, and encouraging continuous improvement, will help improve security across your supply chain.