Below is a copy of the GCHQ and UK Government guidelines for businesses to protect themselves in cyberspace. It is useful information and covers a wide range of threats. It is about cyber security, so don't expect chapter and verse on backup or file archiving, or, if you are dealing with people and processing personal details, on how long you should keep data for or how you should destroy it.

The link below points to some useful and thoughtful information, so please take the time to review it.

Why?

If you sold pig food, do you think you would be the target of a cyber attack? Well, we know of one such business that was cleaned out of a substantial sum of money last week. It could be YOU next.

Further details can be found here https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility

Introduction

This guidance is for businesses looking to protect themselves in cyberspace. The 10 Cyber Security Steps, originally published in 2012 and now used by around two-thirds of the FTSE350, remain the same and are outlined below. Alongside this second version of the 10 Steps we are also publishing a new paper, "Common Cyber Attacks: Reducing The Impact", which sets out what a common cyber attack looks like and how attackers typically execute one. We believe that understanding the cyber environment and adopting the 10 Steps are effective means of protecting your organisation from these attacks.

1. Information Risk Management Regime

  • Establish a governance framework. Enable and support risk management across the organisation.
  • Determine your risk appetite. Decide on the level of risk the organisation is prepared to tolerate and communicate it.
  • Maintain the Board’s engagement with cyber risk. Make cyber risk a regular agenda item. Record cyber risks in the corporate risk register to ensure senior ownership.
  • Produce supporting risk management policies. An overarching corporate security policy should be produced together with an information risk management policy.
  • Adopt a life-cycle approach. Risk management is a whole life process and the organisation’s policies and processes should support and enable this.

2. Secure Configuration

  • Develop corporate policies to update and patch systems.
  • Establish and maintain policies that set out the priority and timescales for applying updates and patches.
  • Create and maintain hardware and software inventories. Use automated tools to create and maintain inventories of every device and application used by the organisation.
  • Lock down operating systems and software. Create a baseline security build for workstations, servers, firewalls and routers.
  • Conduct regular vulnerability scans. Run automated vulnerability scanning tools against all networked devices at least weekly and remedy any vulnerability within an agreed time frame.
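The last bullet turns into a concrete control only once scan findings are tracked against the agreed timescales. The script below is an added example, not part of the government guidance: it reads a vulnerability-scan export in a minimal CSV shape (the column names, the severity labels and the SLA table are assumptions; adapt them to your scanner's export and your own policy) and lists every open finding whose agreed fix window has already passed, worst severity first. The sample export is constructed for the example.

```python
"""Track vulnerability-scan findings against agreed remediation timescales.

Added example (not part of the 10 Steps guidance). Column names, severity
labels and the SLA_DAYS table are assumptions; adapt them to your scanner's
export format and to the timescales your policy actually sets.
"""
import csv
import io
from datetime import datetime, timedelta

# Agreed remediation timescales in days, per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed sample export: one row per (host, finding). Not real scan data.
SAMPLE_EXPORT = """\
host,plugin,severity,first_seen,status
10.0.1.10,OpenSSH outdated,high,2024-03-01,open
10.0.1.10,TLS 1.0 enabled,medium,2024-02-10,open
10.0.1.11,Unsupported PHP version,critical,2024-03-05,open
10.0.1.12,ICMP timestamp disclosure,low,2024-01-01,open
10.0.1.12,SMBv1 enabled,high,2024-02-01,fixed
"""


def parse_date(text):
    """ISO date string -> datetime.date."""
    return datetime.strptime(text.strip(), "%Y-%m-%d").date()


def parse_findings(export_text):
    """Parse the CSV export into dicts with a normalised severity and a real date."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:
            # An unknown label would silently escape every deadline; fail loudly instead.
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
        findings.append({
            "host": row["host"].strip(),
            "plugin": row["plugin"].strip(),
            "severity": sev,
            "first_seen": parse_date(row["first_seen"]),
            "status": row["status"].strip().lower(),
        })
    return findings


def due_date(finding):
    """Deadline = the date the scanner first saw it + the window for its severity."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def overdue_findings(findings, today):
    """Open findings whose deadline is strictly before `today`, worst severity first."""
    late = [f for f in findings if f["status"] == "open" and due_date(f) < today]
    order = list(SLA_DAYS)  # critical, high, medium, low
    return sorted(late, key=lambda f: (order.index(f["severity"]), due_date(f)))


def report(findings, today):
    """One report line per overdue finding, including days past the deadline."""
    lines = []
    for f in overdue_findings(findings, today):
        days_late = (today - due_date(f)).days
        lines.append(f"{f['severity'].upper():8} {f['host']:12} {f['plugin']:28} "
                     f"due {due_date(f)} ({days_late} days overdue)")
    return lines


if __name__ == "__main__":
    # With the sample data and this date, the critical PHP finding (due 2024-03-12)
    # and the medium TLS finding (due 2024-03-11) are reported; the high OpenSSH
    # finding falls due today and is not yet overdue.
    print("\n".join(report(parse_findings(SAMPLE_EXPORT), parse_date("2024-03-15"))))
```

Run it daily against the latest export and feed the output into whatever the team already tracks work in; the point of the "agreed time frame" bullet is that a finding with no owner and no deadline is indistinguishable from one that has been accepted.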

3. Network Security

  • Police the network perimeter. Establish multi-layered boundary defences with firewalls and proxies deployed between the untrusted external network and the trusted internal network.
  • Protect the internal network. Prevent any direct connections to external services and protect internal IP addresses.
  • Monitor. Use intrusion monitoring tools and regularly audit activity logs.
  • Test the security controls. Conduct regular penetration tests and undertake simulated cyber-attack exercises.

4. Managing User Privileges

  • Establish effective account management processes. Manage and review user accounts from creation and modification to eventual deletion.
  • Limit the number and use of privileged accounts. Minimise privileges for all users. Provide administrators with normal accounts for business use. Review the requirement for a privileged account more frequently than standard accounts.
  • Monitor all users. Monitor user activity, particularly access to sensitive information and the use of privileged accounts.
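The three bullets above are easy to state and easy to let drift. The script below is an added example, not part of the guidance: it runs the corresponding checks over a constructed directory export, flagging accounts whose last access review is older than the interval set for their kind (a shorter one for privileged accounts), administrators who hold only a privileged account and so must be using it for everyday work, and privileged or service accounts that have gone unused. The record layout, the kind labels and the intervals are assumptions; map them onto whatever your directory exports.

```python
"""Audit account records against the 10 Steps user-privilege controls.

Added example, not part of the guidance. Field names, the kind labels and the
REVIEW_DAYS / DORMANT_DAYS intervals are assumptions to replace with your own.
"""
from datetime import datetime

# Assumed policy: privileged and service accounts are reviewed more often than
# standard ones, and any non-standard account unused for DORMANT_DAYS is flagged.
REVIEW_DAYS = {"privileged": 30, "service": 30, "standard": 90}
DORMANT_DAYS = 60

# Constructed sample directory export (not real data):
# username, owner, kind, last_reviewed, last_login
ACCOUNTS = [
    ("alice",      "alice", "standard",   "2024-01-20", "2024-03-14"),
    ("alice-adm",  "alice", "privileged", "2024-02-01", "2024-03-13"),
    ("bob-adm",    "bob",   "privileged", "2024-03-10", "2024-03-14"),
    ("carol",      "carol", "standard",   "2023-11-01", "2024-03-12"),
    ("carol-adm",  "carol", "privileged", "2024-03-01", "2024-01-02"),
    ("svc-backup", "ops",   "service",    "2024-03-12", "2024-03-14"),
]


def parse_date(text):
    """ISO date string -> datetime.date."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_accounts(rows):
    """Turn the raw tuples into dicts with real dates; reject unknown kinds early."""
    accounts = []
    for username, owner, kind, reviewed, login in rows:
        if kind not in REVIEW_DAYS:
            raise ValueError(f"unknown account kind {kind!r} for {username}")
        accounts.append(dict(username=username, owner=owner, kind=kind,
                             last_reviewed=parse_date(reviewed),
                             last_login=parse_date(login)))
    return accounts


def overdue_reviews(accounts, today):
    """(username, days since review) for accounts past the interval for their kind."""
    return [(a["username"], (today - a["last_reviewed"]).days)
            for a in accounts
            if (today - a["last_reviewed"]).days > REVIEW_DAYS[a["kind"]]]


def admins_without_standard_account(accounts):
    """Privileged accounts whose owner has no standard account for business use."""
    standard_owners = {a["owner"] for a in accounts if a["kind"] == "standard"}
    return sorted(a["username"] for a in accounts
                  if a["kind"] == "privileged" and a["owner"] not in standard_owners)


def dormant_privileged(accounts, today):
    """(username, days since login) for non-standard accounts unused beyond DORMANT_DAYS."""
    return sorted((a["username"], (today - a["last_login"]).days)
                  for a in accounts
                  if a["kind"] != "standard"
                  and (today - a["last_login"]).days > DORMANT_DAYS)


def audit(rows, today):
    """Run all three checks and return the findings keyed by check name."""
    accounts = load_accounts(rows)
    return {
        "overdue_review": overdue_reviews(accounts, today),
        "admin_without_standard": admins_without_standard_account(accounts),
        "dormant_privileged": dormant_privileged(accounts, today),
    }


if __name__ == "__main__":
    for check, hits in audit(ACCOUNTS, parse_date("2024-03-15")).items():
        print(f"{check}: {hits}")
```

Note that with the sample data alice's standard account, last reviewed in January, is not flagged while her privileged account, reviewed later in February, is: that is the "review the requirement for a privileged account more frequently" bullet made mechanical.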

5. User Education and Awareness

  • Produce a user security policy. Produce policies covering the acceptable and secure use of the organisation’s systems.
  • Establish a staff induction process. New users should receive training on their personal security responsibilities.
  • Maintain user awareness of the threats. All users should receive regular refresher training on the cyber risks to the organisation.
  • Support the formal assessment of IA skills. Encourage relevant staff to develop and formally validate their IA Skills.

6. Incident Management

  • Obtain senior management approval and backing. The Board should lead on the delivery of the incident management plans.
  • Establish an incident response and disaster recovery capability. Develop and maintain incident management plans with clear roles and responsibilities. Regularly test your plans.
  • Provide specialist training. The incident response team should receive specialist training to ensure they have the skills and expertise to address the range of incidents that may occur.

7. Malware Protection

  • Develop and publish corporate policies. Produce policies to manage the risks to the business processes from malware.
  • Establish anti-malware defences across the organisation. Agree a corporate approach to managing the risks from malware for each business area.
  • Scan for malware across the organisation. Protect all host and client machines with antivirus solutions that will automatically scan for malware.

8. Monitoring

  • Establish a monitoring strategy and supporting policies. Implement an organisational monitoring strategy and policy based on an assessment of the risks.
  • Monitor all ICT systems. Ensure that the solution monitors all networks and host systems (eg clients and servers).
  • Monitor network traffic. Network traffic should be continuously monitored to identify unusual activity or trends that could indicate an attack.

9. Removable Media Controls

  • Produce a corporate policy. Implement policy to control the use of removable media for the import and export of information.
  • Limit the use of removable media. Limit the media types that can be used together with user and system access and the information types that can be stored on removable media.
  • Scan all removable media for malware. All clients and hosts should automatically scan removable media. Any media brought into the organisation should be scanned for malware by a stand-alone scanner before any data transfer takes place.

10. Home and Mobile Working

  • Assess the risks and create a mobile working policy. The policy should cover aspects such as information types, user credentials, devices, encryption and incident reporting.
  • Educate users and maintain their awareness. Educate users about the risks and train them to use their mobile device securely by following the security procedures.
  • Apply the secure baseline build. All mobile devices should be configured to an agreed secure baseline build. Data should be protected in transit and at rest.