Many companies across a number of industry sectors have experienced some form of cyber attack: attacks that can destroy a company’s financial standing and reputation and, through the loss of commercially sensitive data, potentially its competitive advantage. In response, given the need for businesses to access and share information about cyber attacks more widely, and with the technical sophistication of cyber attacks growing exponentially, the information security arm of the UK Government Communications Headquarters (GCHQ) has published an article proposing 10 steps to reduce cyber risk.
The ten cyber controls recommended to help prevent cyber attacks are:
- Developing a mobile working policy to protect data in both transit and at rest
- Producing user security policies covering acceptable and secure use of the organisation’s systems and incident reporting, and ensuring that users comply with those policies and are aware of the cyber risks faced by the organisation
- Establishing an incident response and data recovery capability, including training, which should be tested regularly
- Establishing an effective governance structure, and analysing and quantifying risk levels associated with all data
- Establishing account management processes to monitor user activity, limit the number of privileged accounts, and delete accounts of outgoing staff
- Producing a policy to control all access to removable media, limit media types, and implement the scanning of media prior to importing
- Establishing a continuous monitoring strategy of all information, communication and technology (ICT) systems, and producing supporting policies
- Applying security patches and ensuring that ICT is securely configured and maintained
- Establishing anti-malware defences, implementing scans, and producing and continually updating policy on malware
- Protecting networks against internal and external attacks through security controls such as firewalls, and managing the network perimeter, including filtering out unauthorised access and malicious content
Ultimately, responsibility for implementing such cyber security controls rests with the board of any business. GCHQ advise that, in order to prevent the loss of company data, which could include personal and sensitive data, management must ensure that the company engages with peers across its sector, the wider business community, and law enforcement authorities to help maintain an awareness and understanding of current and emerging cyber threats.