NCSC 10 Steps to Cyber Security

The NCSC provides guidance on how organisations can protect themselves in cyberspace with their 10 steps to cyber security.

NCSC 10 Steps to Cyber Security

The NCSC's 10 steps to cyber security, first published in 2012 and most recently updated in May 2021, offers guidance on the top 10 security measures all firms should look to put in place to build their cyber resilience. The NCSC emphasise that cyber resilience is a board level responsibility. Protecting key information assets is of critical and strategic importance to the sustainability and competitiveness of businesses and that firms need to be suitably prepared.

Key questions for CEOs and boardsProtection of key information assets is critical

How confident are we that our company’s most important information is being properly managed and is safe from cyber threats?

Are we clear that the Board are likely to be key targets?

Do we have a full and accurate picture of:

the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
the impact on the business if our online services were disrupted for a short or sustained period?

Exploring who might compromise our information and why

Do we receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations?

Do we encourage our technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?

Pro-active management of the cyber risk at Board level is criticalThe cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:

we have identified our key information assets and thoroughly assessed their vulnerability to an attack?

responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?

we have a written information security policy in place, which is championed by us and supported through regular staff training?

Are we confident the entire workforce understands/follows it?

10 steps to cyber security

Risk management
Engagement and training
Asset management
Architecture and configuration
Vulnerability management
Identity and access management
Data security
Logging and monitoring
Incident management
Supply chain security

Common Cyber Attacks

Firms may also wish to refer to the NCSC's white paper Common Cyber Attacks: Reducing The Impact intended to help organisations understand what a common cyber attack looks like and explains why all organisations should establish basic security controls and processes, to protect themselves from such attacks.