10 steps to cyber security with staff working from home

Originally published in 2012, the National Cyber Security Centre’s (NCSC) 10-steps-to-cyber-security framework has been widely adopted by organisations throughout the UK. These highly influential guidelines were, however, last updated in 2018. With so many organisational processes and practices having fundamentally changed in recent months, these guidelines are in need of revision.  

According to a report compiled by the Office for National Statistics (ONS), approximately 1.7 million employed individuals in the UK regularly worked from home in 2019 [1]. At the time the survey was undertaken, the total number of people employed throughout the UK stood at 32.6 million. This means that a total of 5% of the UK’s workforce regularly worked from home in 2019.

In 2020, the ONS conducted further surveys concerning homeworking. Publishing their findings in July, they revealed that 46.6% of the UK workforce performed some work from home in April of this year [2]. This unprecedented increase means that cyber security strategies built using this framework are unlikely to have remained fit for purpose. Likewise, any organisation looking to develop a robust strategy will find the ten steps do not provide all of the information needed to remain secure post-pandemic.

Creating or revising a cyber security strategy

Ideally, you will have already assessed the cyber risks most likely to affect your organisation and then followed the remaining nine steps set out by the NCSC. You should, as a result, be in a position where you need to adapt your cyber-security strategy to changing circumstances rather than develop one entirely.

If you are researching the ten steps or are yet to finalise your strategy, however, then this article will help you to complete this vital task. Additionally, it will enable you to develop a strategy that addresses the cyber security threats attributable to remote working and more typical organisational setups simultaneously.

This article has been compiled to assist both stakeholders that need to create a cyber security strategy and those that need to amend one. To this end, each of the ten steps to cyber security and the means of achieving them is outlined below. Each step also includes supplementary information on how it has changed in ‘the new normal’ and what now needs to be considered.

The ten steps are as follows:

1. Create cyber risk assessment systems
2. Secure networks
3. Educate and drive awareness amongst users
4. Determine means of preventing and combatting malware
5. Create and implement policies and procedures for removable media
6. Create uniform configuration policies
7. Audit and amend user privileges
8. Determine incident response processes
9. Develop system and network monitoring procedures
10. Create home and remote working policies

Create cyber risk assessment systems

To start, it’s important to note that the steps outlined by the NCSC do not need to be undertaken in sequential order. Step six, for example, can be undertaken before step four and so on. The need to assess digital risk and create a framework that allows for the frequent analysis of the digital landscape and new threats that may emerge from it, though, is an obvious starting point.

The methodology set out by the NCSC recommends that organisations firstly establish that cyber criminals pose a significant risk and that this understanding permeates their entire board. Organisations should, the NCSC quite rightly states, treat cyber risk no differently to their legal, regulatory, financial or operational equivalents. This is lacking in an alarmingly large number of organisations in spite of the growing body of evidence demonstrating the devastating effects of cyber crime.

Once risks have been identified and the importance of addressing them enshrined within senior leadership, organisations should develop policies to manage them. Doing so will require the in-depth consideration of the nine steps outlined below.

How has remote working changed this?

The process of identifying, prioritising and creating policies to manage risk should be viewed as cyclical. The switch to remote working has had little impact on this step as a result. Instead, it should serve to catalyse the identification of new threats and the development of policies that counter them.

Network security

All digital networks need to be protected from cyber attacks. They are subjected to a multitude of threats including various viruses and hacking attempts. Managing these threats typically involves the utilisation of multiple defences including firewalls, multi-factor authentication, anti-virus software, and encryption methodologies.

How has remote working changed this?

The practice of remote working results in multiple devices from varied locations joining an organisation’s network. Each of these devices therefore becomes an endpoint that exists outside of the borders of your organisation, meaning that network administrators are likely to have less control over their setups. It is less likely that endpoints will be effectively patched or have effective anti-virus installed. Under such circumstances, the likelihood of an organisation becoming the victim of a successful cyber attack increases exponentially.

How can this be addressed?

Any device that connects to an organisation’s network needs to be managed. It would be beneficial to issue employees with company-owned devices, fully patched and updated. This will not always be possible, however, and policies must be put in place that secure employees’ devices.

The trend of employees working from home is unlikely to end soon. It’s unclear how long current government guidelines will last, but many have suggested that the pandemic has produced a tipping point regarding this practice. Whether voluntary or regimented, it is highly likely that working from home will be the norm for some time.

All devices that connect to an organisation’s network must therefore be subject to remote management processes. If the affected devices are owned by the company, then the solution can be implemented with ease. When the devices are owned by employees, they will need to consent to changes being made to them remotely. A device management policy should therefore be drafted and distributed amongst employees. Digital signatures should then be sought and records retained for posterity.

User education and awareness

Studies have shown that more than 80% of data breaches are attributable to human error [3]. However advanced technological responses to cyber crime may be, they will count for nothing if teamed with an uneducated workforce, unaware of how their actions can compromise digital security. Employees must receive cyber security training. Vitally, this training should empower employees, leaving them fully able to contribute to their employer’s cyber security posture.

How has remote working changed this?

Organisations with employees working from home will find themselves with multiple endpoints operating outside of the usual confines of the office. As we’ve stated in the ‘network security’ section, endpoints are vulnerable to attack if they’re not kept up to date. The same is true of their users.

Many of the common attack vectors leveraged by cyber criminals utilise social engineering. Emails claiming to be from trusted institutions that contain viruses or malicious links, as well as other forms of false communication, are common examples. If employees are not trained, their devices can be attacked and breached with relative ease, leaving any network they are attached to vulnerable by proxy.

How can this be addressed?

If your employees have not received any cyber security training, this needs to be addressed post-haste. This training will, of course, need to be delivered remotely and should be supplemented with simulated phishing attacks wherein an organisation’s administrator sends emails and similar communications to all employees, the purpose of which is to mislead recipients into providing sensitive information. The results of these tests should be analysed and further training to address pain points developed accordingly.

On the other hand, if employees have received training, now is the time to reiterate how vital it is that they remain vigilant whilst working from home. Simulated communications should also be sent to users as soon as is practicable.

Malware prevention

Malware is short for malicious software. These applications find their way onto systems via subterfuge. Common examples of malware include ransomware, Trojan horse viruses and worms. Malware is designed to either damage or glean sensitive information from devices, computer networks or servers.

How has remote working changed this?

Essentially, if devices are not patched and kept up to date, and employees are unable to identify attempts to place malware on their device, the risk of infection increases. In turn, as the risk of a user’s device becoming infected grows, the potential threat to associated networks increases also.

How can this be addressed?

Remote management procedures should ensure that systems are continuously updated. Employee training should also explicitly note the common ways in which devices are compromised and infected with malware. If not already in place, we’d also strongly recommend that anti-malware software be installed across all attached devices.

Removable media controls

USB drives and other types of removable data storage pose a dual cyber security threat. They can pass infections to devices and networks or, if lost, lead to leaks of sensitive information. For this reason, the majority of organisations prohibit removable media from interacting with the devices they own.

How has remote working changed this?

Essentially, an organisation’s administrators may not have had any influence over a portion of the devices that are attached to their network. Devices may be able to interact with removable media, meaning that they can receive a virus from one before passing it on to associated networks. Additionally, employees may be able to transfer unencrypted data to media that they then take out of their homes. The latter not only means that sensitive data can be leaked if an item is misplaced but also represents a breach of GDPR and can lead to substantial fines.

How can this be addressed?

If employees have had the opportunity to both review and consent to a remote device management policy that includes remote management of personal devices used for work purposes, relevant settings can be updated remotely. It is also highly advisable that any data employees can access from home be encrypted in order to ensure compliance with GDPR.

Secure configurations

Ensuring that all devices are configured to an exact and uniform standard is of the utmost importance. Standard device configurations are optimised for accessibility rather than security and cyber criminals can exploit out-of-the-box setups. Altering these settings before a device joins a network is highly advisable as a result.

How has remote working changed this?

As devices will no longer be company owned, it may not be possible to configure them before they join networks. Whilst devices with standard configurations remain connected to networks, they generate vulnerabilities.

How can this be addressed?

Again, a remote management policy is key. Ensuring that employees have consented to the terms set out in a policy before their device joins the network is equally important. To minimise risk, a staggered approach should be utilised and employees should add their devices to networks at predetermined times. This will allow administrators to prioritise the configuration of devices, minimising the risk of cyber criminals taking advantage of any temporary vulnerabilities.

It would also be advisable to compile guidance on how to secure common household devices such as consumer routers and disseminate this amongst employees.

Manage user privileges

The fewer the number of users that are able to access an organisation’s most sensitive data, the less exposed this data is. In short, if only three sets of credentials have administrator privileges, then cyber criminals will need to obtain one of these sets before they have complete access.

Administrators should carefully review all user rights and remove any privileges that users do not require. This process should be undertaken regularly in order to identify and address potential security breaches.

How has remote working changed this?

With it having been established that cyber security risks increase when users work remotely, the likelihood of credentials being stolen or illegally obtained grows concurrently.

How can this be addressed?

Administrators should prioritise the task of reviewing existing user privileges. By considering what rights each user needs and pruning them accordingly, they minimise the likelihood of a data breach.

It is highly advisable that a collaborative approach be leveraged when reviewing user privileges. Assumptions regarding roles can result in users being denied access to resources they need to work effectively. In turn, this will adversely impact their and their employer’s productivity.

Incident management

A 2018 study conducted by insurance provider Hiscox revealed that 65,000 cyber attacks are attempted each day [4]. This equates to more than 45 every minute; the frequency with which attacks take place means that it is simply not always possible to negate each one. Instead, a contingency plan – a strategy designed to return an organisation to working order as soon as possible – needs to be developed.

Essentially a specified disaster recovery strategy, an organisation’s incident management plan should determine how key systems and data will be restored in the event of a cyber attack rendering them inoperable or inaccessible.

How has remote working changed this?

Data is now being created in more diverse locations. Restoration processes also need to apply to resources based outside of standard perimeters. This complicates matters and, following a successful attack, can bring about extended periods of downtime.

How can this be addressed?

Administrators should thoroughly review all backup and restoration procedures, adjusting them to ensure that they remain holistic, robust and efficient. Particular attention should be paid to the optimisation of restoration processes that will return remote devices to working order as quickly as possible. Studies have suggested that just one minute of downtime typically costs an organisation $5,600 [5]. Longer recovery processes directly impact an organisation’s profitability and every effort should be made to make them as efficient as possible.

Monitoring

Network and system monitoring is an integral component of an organisation’s cyber security posture. By establishing an activity baseline and associated processes, unusual activity can be rapidly identified and isolated.

How has remote working changed this?

Ultimately, any behaviour that was considered typical when users operated within the confines of a standard working environment can now be atypical and vice versa. Remote working practices will alter logs and administrators will need to acclimatise to this.

How can this be addressed?

Activity will need to be observed and baselines re-established. Here, employing AI-assisted anti-virus software can expedite this process. For organisations that are concerned with how remote working will impact their monitoring processes, the assistance of a security operations centre can be sought. It is also advisable that administrators instruct users to inform them of any changes to their working locations in advance so that they can add relevant IP addresses to a white list.
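
The white-list check described above can be sketched as follows. This is an added example, not part of the original article: the user names, address ranges, log format and function names are all constructed for illustration, and it assumes remote-access logs record a timestamp, user and source IP per login.

```python
import ipaddress

# Constructed allow list: networks each user has declared as a working location.
# Names and ranges are illustrative (reserved documentation address space).
DECLARED_LOCATIONS = {
    "alice": ["203.0.113.0/28", "2001:db8:10::/48"],
    "bob": ["198.51.100.42/32"],
}

# Constructed sample of remote-access log lines: "timestamp user source_ip".
SAMPLE_LOG = """\
2020-09-01T08:58:12Z alice 203.0.113.7
2020-09-01T09:02:40Z bob 198.51.100.42
2020-09-01T13:15:03Z alice 192.0.2.200
2020-09-02T07:45:51Z carol 198.51.100.9
2020-09-02T09:10:00Z alice 2001:db8:10:4::1
2020-09-02T22:31:17Z bob not-an-ip
"""

def load_allow_list(declared):
    """Parse each user's declared networks once; a malformed entry raises early."""
    return {user: [ipaddress.ip_network(n, strict=True) for n in nets]
            for user, nets in declared.items()}

def classify(line, allow_list):
    """Return (user, reason) for a login that needs review, or None if expected."""
    parts = line.split()
    if len(parts) != 3:
        return ("?", "unparseable line")
    _, user, raw_ip = parts
    try:
        source = ipaddress.ip_address(raw_ip)
    except ValueError:
        # A source that cannot be parsed is reviewed, never silently skipped.
        return (user, "invalid source address")
    networks = allow_list.get(user)
    if networks is None:
        return (user, "no declared location")
    # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    if any(source in net for net in networks):
        return None
    return (user, f"undeclared location {source}")

def review_queue(log_text, declared=DECLARED_LOCATIONS):
    """Group every login that falls outside its user's declared networks."""
    allow_list = load_allow_list(declared)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result = classify(line, allow_list)
        if result:
            flagged.setdefault(result[0], []).append(result[1])
    return flagged
```

Keeping the list per user rather than organisation-wide means a location declared by one employee does not become an accepted source for every other account.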

Home and mobile working

Compiling a list of best practices for staff working remotely allows organisations to maintain consistent user behaviour and configurations for networked devices.

How has remote working changed this?

With remote working having previously been exceptional practice, many organisations neglected this step. It is vital that this is addressed and that relevant policies be compiled, distributed, and consent sought and documented.

How can this be addressed?

The existence of a remote management policy concerning devices and remote working policies should both secure devices and prevent reckless behaviour. The latter will be made all the more effective if teamed with cyber security training.

If these policies do not exist, it is of the utmost importance that this is addressed. The same is true of cyber security training. If policies exist and training has been provided, it’s highly advisable that users are reminded of various caveats and that their recollection of training materials is assessed.

References:
  1. Office for National Statistics (2020) Coronavirus and home working in the UK labour market: 2019, https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/articles/coronavirusandhomeworkingintheuklabourmarket/2019
  2. Office for National Statistics (2020) Coronavirus and home working in the UK: April 2020, https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/bulletins/coronavirusandhomeworkingintheuk/april2020#coronavirus-and-homeworking-in-the-uk-data
  3. Kaspersky (2020) Kaspersky Security Awareness, https://www.kaspersky.co.uk/enterprise-security/security-awareness
  4. Hiscox (2018) UK small businesses targeted with 65,000 attempted cyber attacks per day, https://www.hiscoxgroup.com/news/press-releases/2018/18-10-18
  5. Gartner (2014) The Cost of Downtime, https://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/
