Ten steps to cyber security

Defining and communicating your Board’s Information Risk Regime is central to your organisation’s overall cyber security strategy. The National Cyber Security Centre recommends you review this regime – together with the ten associated security areas described below, in order to protect your business against the majority of cyber attacks.

Set up your Risk Management Regime

Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers.

Network Security

Protect your networks from attack. Defend the network perimeter; filter out unauthorised access and malicious content. Monitor and test security controls.

Removable Media Controls

Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system.

User Education and Awareness

Produce user security policies covering acceptable and secure use of your systems and include in staff training. Maintain awareness of cyber risks.

Secure Configuration

Apply security patches and ensure the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.

Malware Prevention

Produce relevant policies and establish anti-malware defences across your organisation.

Home & Mobile Working

Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices, and protect data both in transit and at rest.

Managing User Privileges

Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.

Incident Management

Establish an incident response and disaster recovery capability. Test your incident management plans, provide specialist training and report criminal incidents to law enforcement.


Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse logs for unusual activity that could indicate an attack.


Download our ten steps to cyber security guide.