The National Cyber Security Centre's (NCSC) 10 Steps to Cyber Security framework has been widely adopted by organisations throughout the UK. Originally published in 2012, it remains a useful guide for organisations looking to improve their cyber security. These highly influential guidelines were, however, last updated in 2018. With so many organisational processes and practices having changed in recent months, the way these guidelines are applied is in need of revision.
According to a report compiled by the Office for National Statistics (ONS), approximately 1.7 million employed individuals in the UK regularly worked from home in 2019 [1]. At the time the survey was undertaken, the total number of people in employment in the UK stood at 32.6 million, meaning that roughly 5% of the UK's workforce regularly worked from home in 2019.
In 2020, the ONS conducted further surveys concerning homeworking. Publishing their findings in July, they revealed that 46.6% of the UK workforce performed some work from home in April 2020 [2]. This unprecedented increase means that cyber security strategies built using the framework as it stands are unlikely to have remained fit for purpose. Likewise, any organisation looking to develop a robust cyber risk management strategy will find that the ten steps alone do not provide all of the information needed to remain secure post-pandemic.
Creating or revising a cyber security strategy
Ideally, you will have already assessed the cyber risks most likely to affect your organisation and then followed the remaining nine steps set out by the NCSC. You should, as a result, be in a position where you need to adapt an existing cyber security strategy to changing circumstances rather than develop one from scratch.
If you are still researching the ten steps, or are yet to finalise your strategy, this article will help you to complete that task. It will also enable you to develop a strategy that addresses the cyber security threats traceable to remote working and to more typical organisational setups simultaneously.
This article is therefore intended for both stakeholders that need to create a cyber security strategy and those that need to amend one. Each of the ten steps, and the means of achieving it, is outlined below, together with a note on how that step has changed in 'the new normal' and what now needs to be considered.
The ten steps are as follows:
- Create cyber risk assessment systems;
- Secure networks;
- Educate and drive awareness amongst users;
- Determine means of preventing and combatting malware;
- Create and implement policies and procedures for removable media;
- Create uniform configuration policies;
- Audit and amend user privileges;
- Determine incident response processes;
- Develop system and network monitoring procedures; and
- Create home and remote working policies.
1. Create cyber risk assessment systems
To start, it's important to note that the steps outlined by the NCSC do not need to be undertaken in sequential order; step six, for example, can be undertaken before step four. The need to assess digital risk, and to create a framework that allows for frequent analysis of the digital landscape and of the new threats that may emerge from it, is nonetheless an obvious starting point.
The methodology set out by the NCSC recommends that organisations first establish that cybercriminals pose a significant risk and ensure that this understanding permeates their entire board. Organisations should, the NCSC quite rightly states, treat cyber risk no differently from their legal, regulatory, financial or operational equivalents. This is something that is lacking in an alarmingly large number of organisations, in spite of the growing body of evidence demonstrating the devastating effects of cybercrime.
Once risks have been identified and the importance of addressing them enshrined within senior leadership, organisations should develop computer security policies to manage them. Doing so will require the in-depth consideration of the nine steps outlined below.
How has remote working changed this?
The process of identifying, prioritising and creating policies to manage risk should be viewed as cyclical. The switch to remote working has had little impact on this step as a result. Instead, it should serve to catalyse the identification of new threats and the development of policies that counter them.
2. Network security
All digital networks need to be protected from cyber-attacks. They are subjected to a multitude of threats including various viruses and hacking attempts. Managing these threats typically involves the use of multiple defences including firewalls, multi-factor authentication, anti-virus software, and encryption methodologies.
How has remote working changed this?
The practice of remote working results in multiple devices from varied locations joining an organisation's network. Each of these devices therefore becomes an endpoint that exists outside of the borders of your organisation, meaning that network administrators are likely to have less control over its setup. It is less likely that such endpoints will be patched promptly or have effective anti-virus installed. Under such circumstances, the likelihood of an organisation becoming the victim of a successful cyberattack increases considerably.
How can this be addressed?
Any device that connects to an organisation’s network needs to be managed. It would be beneficial to issue employees with company-owned devices, fully patched and updated. This will not always be possible, however, and policies must be put in place that secure employees’ devices.
The trend of employees working from home is unlikely to end soon. It’s unclear how long current government guidelines will last, but many have suggested that the pandemic has produced a tipping point regarding this practice. Whether voluntary or regimented, it is highly likely that working from home will be the norm for some time.
All devices that connect to an organisation’s network must therefore be subject to remote management processes. If the affected devices are owned by the company, then the solution can be implemented with ease. When the devices are owned by employees, they will need to consent to changes being made to them remotely.
A device management policy should therefore be drafted and distributed amongst employees. Digital signatures should then be sought and records retained for posterity.
3. User education and awareness
Studies have shown that more than 80% of data breaches are traceable to human error [3]. However advanced an organisation's technological responses to cybercrime may be, they will count for nothing if teamed with an untrained workforce that is unaware of how its actions can compromise digital security. Employees must receive cyber security training. Vitally, this training should empower employees, leaving them fully able to contribute to their employer's cyber security posture.
How has remote working changed this?
Organisations with employees working from home will find themselves with multiple endpoints operating outside of the usual confines of the office. Endpoint security is crucial to maintaining security services, and as we’ve stated in the ‘network security’ section, endpoints are vulnerable to attack if they’re not kept up to date, and therefore endpoint security
Many of the common attack vectors leveraged by cybercriminals utilise social engineering. Emails claiming to be from trusted institutions that contain viruses or malicious links, as well as other forms of false communication, are common examples. If employees are not trained, their devices can be attacked and breached with relative ease, leaving any network they are attached to vulnerable by proxy.
How can this be addressed?
If your employees have not received any cyber security training, this needs to be addressed post-haste. This training will, of course, need to be delivered remotely and should be supplemented with simulated phishing attacks wherein an organisation’s administrator sends emails and similar communications to all employees, the purpose of which is to mislead recipients into providing sensitive information. The results of these tests should be analysed and further training to address pain points developed accordingly.
On the other hand, if employees have received training, now is the time to reiterate how vital it is that they remain vigilant whilst working from home. Simulated communications should be sent to users as soon as is practicable, also.
4. Malware prevention
Malware is short for malicious software. These applications find their way onto systems via subterfuge. Common examples of malware include ransomware, Trojans and worms. Malware is designed either to damage devices, computer networks or servers, or to glean sensitive information from them.
How has remote working changed this?
Essentially, if devices are not patched and kept up to date, and employees are unable to identify attempts to place malware on their devices, the risk of infection increases. In turn, as the risk of a user’s device becoming infected grows, the potential threat to associated networks increases also.
How can this be addressed?
Remote management procedures should ensure that systems are frequently updated. Employee training should also explicitly note the common ways in which devices are compromised and infected with malware. If not already in place, we’d also strongly recommend that anti-malware software be installed across all attached devices.
5. Removable media controls
USB drives and other types of removable data storage pose a dual cyber security threat. They can pass infections to devices and networks or, if lost, lead to leaks of sensitive information. For this reason, many organisations prohibit removable media from interacting with the devices they own.
How has remote working changed this?
Essentially, an organisation's administrators may not have had any influence over a portion of the devices that are attached to their network. Such devices may be able to interact with removable media, meaning that they can pick up malware from a USB drive before passing it on to associated networks.
Additionally, employees may be able to transfer unencrypted data to media that they then take out of their homes. This not only means that sensitive data can be leaked if an item is misplaced but, where personal data is involved, may also constitute a breach of the GDPR and can lead to substantial fines.
How can this be addressed?
If employees have had the opportunity to both review and consent to a remote device management policy that includes remote management of personal devices used for work purposes, relevant security controls (such as blocking removable media or enforcing encryption on it) can be updated remotely. Any data that employees can access from home should be encrypted, both at rest and in transit, which also supports compliance with the GDPR.
6. Secure configurations
Ensuring that all devices are configured to a consistent, documented standard is of the utmost importance. Default device configurations are optimised for convenience rather than security, and cybercriminals can exploit out-of-the-box setups. Altering these settings before a device joins a network is highly advisable as a result.
How has remote working changed this?
As devices may no longer be company-owned, it may not be possible to configure them before they join networks. Whilst devices with default configurations remain connected to networks, they present weaknesses.
How can this be addressed?
Again, a remote management policy is key. It is important to make sure that employees have consented to the terms of a policy before allowing their devices to join a network. To minimise risk, a staggered approach should be utilised and employees should add their devices to networks at predetermined times. This will allow administrators to verify the configuration of each device as it joins, minimising the window in which cybercriminals could take advantage of any temporary weaknesses.
It would also be advisable to compile guidance on how to secure common household devices such as consumer routers and disseminate this amongst employees.
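The staggered onboarding described above needs a concrete definition of "meets the baseline" before a device is let onto the network. The following is an added example, not code from the original article or from ROCK: a small posture check that compares a device's self-reported configuration with a hypothetical baseline (disk encryption, host firewall, automatic updates, screen-lock timeout and a minimum OS version) and returns the findings that must be fixed before admission. The baseline values and the device reports are constructed; in practice the reports would come from an MDM or endpoint agent.

```python
"""Check self-reported device posture against a secure-configuration baseline.

Added example, not code from the original article or from ROCK. The baseline
values and the device reports are constructed; in practice the reports would
come from an MDM or endpoint agent before the device is admitted to the network.
"""

# Hypothetical baseline: the minimum every device must meet before joining.
BASELINE = {
    "disk_encryption": True,
    "host_firewall": True,
    "auto_update": True,
    "screen_lock_minutes_max": 10,
    "min_os_version": {
        "windows": (10, 0, 19041),
        "macos": (11, 0, 0),
        "ubuntu": (20, 4, 0),
    },
}


def parse_version(version: str) -> tuple:
    """'10.0.19041' -> (10, 0, 19041); missing components count as 0."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def check_device(report: dict, baseline: dict = BASELINE) -> list:
    """Return a list of findings; an empty list means the device meets the baseline.

    A missing field is treated as non-compliant: a device that cannot prove a
    control is on is handled as if the control were off.
    """
    findings = []
    for control in ("disk_encryption", "host_firewall", "auto_update"):
        if report.get(control) is not True:
            findings.append(f"{control} is not enabled")

    lock = report.get("screen_lock_minutes")
    if lock is None or lock > baseline["screen_lock_minutes_max"]:
        findings.append("screen lock missing or longer than policy allows")

    os_name = report.get("os")
    version = report.get("os_version", "0")
    min_version = baseline["min_os_version"].get(os_name)
    if min_version is None:
        findings.append(f"unsupported or unknown OS '{os_name}'")
    elif parse_version(version) < min_version:
        findings.append(f"{os_name} {version} is below the minimum version")
    return findings


def admission_decision(report: dict) -> str:
    """'admit' when there are no findings, otherwise 'quarantine' (a limited network until fixed)."""
    return "admit" if not check_device(report) else "quarantine"


# Constructed device reports: one compliant corporate laptop, one out-of-date personal Mac.
DEVICE_REPORTS = [
    {"id": "lap-001", "os": "windows", "os_version": "10.0.19042",
     "disk_encryption": True, "host_firewall": True, "auto_update": True,
     "screen_lock_minutes": 5},
    {"id": "byod-007", "os": "macos", "os_version": "10.15.7",
     "disk_encryption": False, "host_firewall": True, "auto_update": False,
     "screen_lock_minutes": 30},
]

if __name__ == "__main__":
    for report in DEVICE_REPORTS:
        print(report["id"], admission_decision(report), check_device(report))
```

The design choice worth noting is that absence of evidence is treated as non-compliance: a report that omits a control is quarantined rather than admitted, which is the behaviour you want when a personal device's agent is missing or has been tampered with.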
7. Manage user privileges
The fewer people who can access an organisation's most sensitive data, the less likely it is to be exposed. In short, if only three accounts have administrator privileges, then cybercriminals will need to compromise one of those three before they have complete access.
Administrators should carefully review all user rights and remove any privileges that users do not require. This process should be undertaken regularly in order to identify and remove privileges that have accumulated over time, limiting the damage that a compromised account can do.
How has remote working changed this?
With cyber security risks increasing when users work remotely, the likelihood of credentials being stolen or otherwise illegally obtained grows concurrently.
How can this be addressed?
Administrators should make the review of existing user privileges a scheduled, recurring task. By considering what rights each user actually needs and pruning them accordingly, they minimise the likelihood of a data breach.
It is highly advisable that a collaborative approach be leveraged when reviewing user privileges. Assumptions regarding roles can result in users being denied access to the resources they need to work effectively. In turn, this will adversely impact their and their employer’s productivity.
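The review described in this step is easier to make recurring, and easier to discuss with the business, when it is driven by data rather than by memory. The following is an added example, not code from the original article or from ROCK: it compares each account's group membership with a hypothetical role matrix (the groups each job role is allowed), and additionally flags privileged groups that the role does permit but that have not been used within 90 days. The role matrix, the accounts and the last-use dates are constructed; in practice they would be exported from the directory or identity provider and from authentication logs.

```python
"""Find excess and dormant privileges by comparing group membership with a role matrix.

Added example, not code from the original article or from ROCK. The role
matrix, the account list and the 'last used' dates are constructed; in practice
they would be exported from the directory or identity provider and from
authentication logs.
"""
from datetime import date, timedelta

# Hypothetical role matrix: the groups each job role legitimately needs.
ROLE_GROUPS = {
    "finance": {"finance-share", "vpn-users"},
    "helpdesk": {"vpn-users", "workstation-admins"},
    "developer": {"vpn-users", "git-users"},
}

# Groups treated as privileged: membership must be justified by the role AND actually used.
PRIVILEGED = {"domain-admins", "workstation-admins", "db-admins"}

REVIEW_DATE = date(2020, 9, 1)   # constructed review date
DORMANT_AFTER = timedelta(days=90)


def review_account(account: dict, review_date: date = REVIEW_DATE) -> list:
    """Return the privileges to prune for one account.

    Two classes of finding: a group the role does not require at all, and a
    privileged group the role does allow but which has not been used recently.
    """
    allowed = ROLE_GROUPS.get(account["role"], set())
    last_used = account.get("last_used", {})
    findings = []
    for group in sorted(account["groups"]):
        if group not in allowed:
            findings.append(
                f"{account['user']}: '{group}' is not required by role '{account['role']}'")
        elif group in PRIVILEGED:
            last = last_used.get(group)
            if last is None or review_date - last > DORMANT_AFTER:
                findings.append(
                    f"{account['user']}: privileged group '{group}' unused for over "
                    f"{DORMANT_AFTER.days} days")
    return findings


def review_all(accounts: list) -> list:
    """Run the review across every account and return all findings in one list."""
    findings = []
    for account in accounts:
        findings.extend(review_account(account))
    return findings


# Constructed directory export, with last-use dates per privileged group.
ACCOUNTS = [
    {"user": "alice", "role": "finance",
     "groups": {"finance-share", "vpn-users"}, "last_used": {}},
    {"user": "bob", "role": "helpdesk",
     "groups": {"vpn-users", "workstation-admins", "domain-admins"},
     "last_used": {"workstation-admins": date(2020, 8, 28),
                   "domain-admins": date(2020, 3, 2)}},
    {"user": "carol", "role": "developer",
     "groups": {"vpn-users", "git-users", "workstation-admins"},
     "last_used": {"workstation-admins": date(2020, 2, 1)}},
    {"user": "dave", "role": "helpdesk",
     "groups": {"vpn-users", "workstation-admins"},
     "last_used": {"workstation-admins": date(2020, 3, 1)}},
]

if __name__ == "__main__":
    for finding in review_all(ACCOUNTS):
        print(finding)
```

The output is a list of proposed removals, not an automatic change: as the paragraph above notes, each finding should be confirmed with the user's manager before the group membership is revoked, and an unknown role yields an empty allowed set so that every group on such an account is surfaced for discussion rather than silently accepted.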
8. Incident management
A 2018 study conducted by insurance provider Hiscox revealed that UK small businesses are subjected to around 65,000 attempted cyber-attacks each day [4]. This equates to more than 45 attempts every minute, and it is not always possible to stop each one. Organisational contingency plans need to be in place in the event of a disaster.
Essentially a specified disaster recovery strategy, an organisation’s incident management plan should determine how key computer systems and data will be restored in the event of a cyber attack rendering them unusable.
How has remote working changed this?
Data is now being created in more diverse locations. Restoration processes also need to apply to resources based outside of standard perimeters. This complicates matters and, following a successful attack, can bring about extended periods of downtime.
How can this be addressed?
Administrators should regularly conduct a cyber security audit and thoroughly review all backup and restoration procedures, adjusting them to ensure that they remain holistic, robust and efficient. Particular attention should be paid to improving the restoration processes that will return remote devices to working order as quickly as possible. Studies have suggested that one minute of downtime typically costs an organisation $5,600 [5]. Longer recovery processes directly impact an organisation's profits, and every effort should be made to make them as efficient as possible.
9. Monitoring
Network and system monitoring is an integral component of an organisation’s cyber security posture. By establishing an activity baseline and associated processes, unusual activity can be rapidly identified and isolated.
How has remote working changed this?
Ultimately, any behaviour that was considered typical when users operated within the confines of a standard working environment can now be atypical, and vice versa. Remote working practices will alter what appears in logs, and administrators will need to acclimatise to this.
How can this be addressed?
Activity will need to be observed and baselines renewed. Endpoint detection tooling that learns behavioural baselines can expedite this process. For organisations that are concerned with how remote working will impact their approach to cyber monitoring, the assistance of a security operations centre can be sought. It is also advisable that administrators instruct users to inform them of any changes to their working locations in advance so that the relevant IP addresses can be added to an allow list. Bear in mind, though, that home broadband addresses change and are often shared, so a source IP address should be treated as one signal among several rather than as proof of identity, and an allow list is no substitute for multi-factor authentication.
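The baselining approach described in this step is straightforward to implement against sign-in logs. The following is an added example, not code from the original article or from ROCK: it learns, per user, the source IP addresses and hours of day seen on successful sign-ins during a learning window, then evaluates a later batch of log lines and raises alerts for a sign-in from an unseen address, a sign-in at an hour more than one hour away from anything in the baseline, and a run of consecutive failed sign-ins. The log format (timestamp, user, source IP, result) and every log line below are constructed; real input would be the VPN or identity-provider authentication log.

```python
"""Baseline each user's sign-in behaviour, then flag departures from it.

Added example, not code from the original article or from ROCK. The log lines
are constructed in a made-up format (timestamp, user, source IP, result); real
input would be the VPN or identity-provider authentication log.
"""
from collections import defaultdict
from datetime import datetime

# Constructed learning window: what 'normal' looked like for two remote users.
BASELINE_LOG = """\
2020-08-03T08:55:12 alice 86.1.10.20 success
2020-08-04T09:02:40 alice 86.1.10.20 success
2020-08-05T08:58:01 alice 86.1.10.20 success
2020-08-03T10:15:09 bob 81.2.3.4 success
2020-08-04T09:45:55 bob 81.2.3.4 success
2020-08-05T14:20:33 bob 81.2.3.4 success
"""

# Constructed lines to evaluate against that baseline.
NEW_LOG = """\
2020-09-01T09:01:17 alice 86.1.10.20 success
2020-09-01T03:12:44 alice 203.0.113.9 success
2020-09-01T10:05:00 bob 81.2.3.4 success
2020-09-01T10:06:00 bob 81.2.3.4 failure
2020-09-01T10:06:05 bob 81.2.3.4 failure
2020-09-01T10:06:10 bob 81.2.3.4 failure
2020-09-01T10:06:15 bob 81.2.3.4 failure
"""


def parse(log: str):
    """Yield (timestamp, user, ip, result) for each line of the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def build_baseline(log: str) -> dict:
    """Per user: the source IPs and the hours of day seen on successful sign-ins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip, result in parse(log):
        if result == "success":
            baseline[user]["ips"].add(ip)
            baseline[user]["hours"].add(ts.hour)
    return dict(baseline)


def unusual_hour(hour: int, seen_hours: set) -> bool:
    """True when the hour is more than one hour from every baseline hour (wrapping at midnight)."""
    return all(min(abs(hour - h), 24 - abs(hour - h)) > 1 for h in seen_hours)


def detect(log: str, baseline: dict, fail_threshold: int = 3) -> list:
    """Return alert strings for unseen IPs, unusual hours and bursts of failed sign-ins."""
    alerts = []
    failures = defaultdict(int)  # consecutive failures per (user, ip) since the last success
    for ts, user, ip, result in parse(log):
        profile = baseline.get(user)
        if profile is None:
            alerts.append(f"{ts.isoformat()} {user}: no baseline for this user")
            continue
        if result == "failure":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == fail_threshold:
                alerts.append(f"{ts.isoformat()} {user}: {fail_threshold} consecutive failures from {ip}")
            continue
        failures[(user, ip)] = 0
        if ip not in profile["ips"]:
            alerts.append(f"{ts.isoformat()} {user}: successful sign-in from unseen IP {ip}")
        if unusual_hour(ts.hour, profile["hours"]):
            alerts.append(f"{ts.isoformat()} {user}: sign-in at {ts.hour:02d}:00 is outside the usual hours")
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

Two points follow from the caveat above about IP addresses. First, the learning window must be re-run after a change in working patterns, otherwise the whole workforce's move to home addresses shows up as a flood of "unseen IP" alerts. Second, a new address on its own is weak evidence (a user may simply have moved rooms or providers), which is why the example also keys on time of day and on failure bursts; in a real deployment the combination, not any single signal, should drive the response.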
10. Home and mobile working
The best way for staff to use networked devices should be documented by the organisation, in order to keep user behaviour and device configurations consistent.
How has remote working changed this?
With remote working having previously been an exceptional practice, many organisations neglected this step. It is vital that this is addressed and that relevant policies be compiled, distributed, and consent sought and documented.
How can this be addressed?
A remote device management policy and a remote working policy should, between them, both secure devices and discourage reckless behaviour. The latter will be made all the more effective if teamed with cyber security training.
If these policies do not exist, it is of the utmost importance that this is addressed. The same is true of cyber security training. Where policies and training are already in place, it is a good idea to remind users of the key points and to assess their recollection of the training materials.
References:
1. Office for National Statistics (2020). Coronavirus and homeworking in the UK labour market: 2019.
2. Office for National Statistics (2020). Coronavirus and homeworking in the UK: April 2020.
3. Kaspersky (2020). Kaspersky Security Awareness.
4. Hiscox (2018). UK small businesses targeted with 65,000 attempted cyber attacks per day.
5. Gartner (2014). The Cost of Downtime.