A step-by-step guide to cyber security
- Many organisations across the public and voluntary sectors collect, store and process large quantities of personal data
- It is important they put in place appropriate safeguards to protect this data and reduce the risk of it falling into the wrong hands
- Our step-by-step guide to cyber security sets out some of the key questions organisations should be asking themselves
Cyber security has become a critical issue for organisations across the public and voluntary sectors.
While any type and size of organisation could be vulnerable to a cyber attack, there are a number of ways to minimise the risks. We have produced a simple checklist that covers the essential elements of an effective cyber security programme.
- Does the board/leadership actively support the cyber security programme ensuring sufficient resources are committed to security?
- Is cyber security, and the potential consequences of a cyber attack, covered in your business continuity plan?
- Do you actively manage all hardware devices on the network so that only authorised devices are given access and any unmanaged devices are found and prevented from gaining access?
- Has a secure configuration baseline for both hardware and software been determined, including security controls to prevent users from changing important settings?
- Are processes in place to ensure new vulnerabilities are identified and existing ones are patched as soon as possible?
- Are administrative privileges only granted when necessary and is access secured through deployment of multi-factor authentication?
Understanding and prioritising data
- Do you maintain a current understanding of the location, quantity and quality of data important to the delivery of services?
- Do you have a clear system for categorising different types of data – e.g. public, internal, sensitive, confidential?
- Do you take steps to ensure data is removed in accordance with retention schedules?
- Does everybody in your organisation who handles data understand how to properly store, transfer, archive and destroy sensitive information?
Physical and digital security
- Is access controlled in areas of your premises where sensitive data may be held?
- Do you ensure that all mobile devices including memory sticks are encrypted?
- Have you created a separate wireless network for personal and untrusted devices?
- Do you configure devices – workstations, laptops and other mobile devices – to automatically lock sessions after a standard period of inactivity?
- Do you ensure that all data is removed from devices, such as multi-function printers, before disposal?
- Do you regularly update your antivirus software?
- Do you deploy tools on network perimeters that monitor for unauthorised transfer of data?
- Do you ensure backups are properly protected via physical security or encryption when they are stored as well as when they are moved across the network?
- Do you conduct regular penetration testing of systems in order to understand vulnerabilities and discover how easy it is to access the system?
Managing third-party risk
- Do you understand what access your suppliers and partners have to your systems, premises and information, and how you will control it?
- Have you considered building assurance requirements, such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications as part of supplier/partner security requirements?
- Do you build the “right to audit” into contracts and do you exercise this?
- Does everybody in your organisation who processes data have a clear understanding of when data may be legally shared with third parties, including instances when the express approval of the data subject must first be obtained?
- If using cloud services, have you risk assessed your needs and potential providers using a framework such as the NCSC’s 14 Cloud Security Principles?
- Does your organisation encourage reporting security incidents and data breaches, giving staff the tools to do so and the confidence that they will not face repercussions for doing so?
- Are you aware of the penalties your organisation could face for data breaches under GDPR?
- Does your DPO report directly into the highest level of management?
- Do you provide staff with regular and relevant security awareness training including recognising social engineering attacks, causes of unintentional data exposures and incident reporting?
- If requested, could you demonstrate evidence of the training you provide?
- Do you plan and conduct incident response exercises to maintain awareness and comfort in responding to real world threats?
- Do you have procedures in place to learn from cyber incidents and near misses – including incidents that occur outside of your organisation?