
How can the 10 steps to cyber security help to protect your organisation?

29th April 2021

Protecting your organisation from cyber threats can be a complex task. Cyber security filters into your organisation at all levels becoming a shared responsibility between all of your team.

At Sentrium, we believe that cyber security should be straightforward and provide value where it matters the most. We use widely accepted methodologies to achieve industry best practices and make sure we can support your organisation and provide valuable assurance.

The NCSC’s 10 Steps to Cyber Security is one of the best-practice methodologies we use to help you protect your technology, information and people. We draw on this government guidance to build a framework that helps you understand the most effective ways to protect your organisation and improve your cyber security.

10 steps to cyber security:

1. Risk management regime

Understanding and managing the risks to your technology, systems and information will help you take control of your business opportunities. A risk management regime will help you identify, assess and respond to risks that can impact your business.

To achieve this, you should determine your risk appetite: which risks you’re willing to tolerate and which are unacceptable. The regime should be owned at board level and driven organisation-wide, which helps you maintain engagement from senior management and build a risk management culture at every other level.

You should produce supporting policies for technology and security risks that can be communicated across the organisation. Treat these policies as living documents, open to change, so they remain effective and up to date.

2. Secure configuration

Unconfigured or misconfigured systems put you at risk of exploitation by malicious actors and unauthorised users. Attackers can exploit unpatched or poorly configured systems to make changes to them, leaving your resources and data at risk.

You should apply security patches and use supported software at all times. Establish a baseline build and put together a strategy to remove or disable unnecessary system functionality. An inventory of your hardware and software helps you manage your systems and track their patch status.

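The inventory and baseline build described above can be checked mechanically. The following is an added example, not Sentrium’s or the NCSC’s own tooling: it compares a constructed hardware/software inventory against a constructed baseline (minimum patched versions, software the organisation no longer supports, and services the baseline build disables) and reports each host’s deviations. The package names, versions and service names are assumed sample values.

```python
"""Baseline build compliance check (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed baseline: package -> minimum version that carries the required patches
BASELINE_MIN_VERSIONS = {
    "openssh-server": "9.3.1",
    "nginx": "1.24.0",
    "openssl": "3.0.12",
}
# Constructed: software that is out of support and must not be installed at all
UNSUPPORTED_SOFTWARE = {"python2", "telnetd"}
# Constructed: services the baseline build disables as unnecessary functionality
DISALLOWED_SERVICES = {"telnet", "ftp", "rsh", "cups"}


@dataclass
class Host:
    name: str
    packages: Dict[str, str]   # package name -> installed version string
    services: Set[str]         # services enabled on the host


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, required: str) -> bool:
    """True when the installed version meets or exceeds the required one ('1.24' == '1.24.0')."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_host(host: Host, min_versions=BASELINE_MIN_VERSIONS,
               unsupported=UNSUPPORTED_SOFTWARE, disallowed=DISALLOWED_SERVICES) -> List[Tuple[str, str]]:
    """Return (severity, finding) tuples for one host; an empty list means compliant."""
    findings = []
    for pkg, installed in host.packages.items():
        if pkg in unsupported:
            findings.append(("high", f"{host.name}: unsupported software installed: {pkg} {installed}"))
        elif pkg in min_versions and not version_at_least(installed, min_versions[pkg]):
            findings.append(("high", f"{host.name}: {pkg} {installed} is below patched baseline {min_versions[pkg]}"))
    # Enabled services that the baseline build says should be removed or disabled
    for svc in sorted(host.services & disallowed):
        findings.append(("medium", f"{host.name}: unnecessary service enabled: {svc}"))
    return findings


def check_inventory(hosts: List[Host]) -> Dict[str, List[Tuple[str, str]]]:
    """Run the baseline check across the whole inventory, keyed by host name."""
    return {h.name: check_host(h) for h in hosts}


# Constructed sample inventory: one compliant host and one that drifted from the baseline
INVENTORY = [
    Host("web-01", {"nginx": "1.24.0", "openssl": "3.0.12", "openssh-server": "9.3.1"}, {"ssh", "nginx"}),
    Host("file-02", {"openssh-server": "8.9.0", "openssl": "3.0.12", "telnetd": "0.17"}, {"ssh", "telnet", "ftp"}),
]

if __name__ == "__main__":
    for name, findings in check_inventory(INVENTORY).items():
        print(f"{name}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

In practice the inventory would come from your asset register or endpoint agent rather than a literal, and the baseline from the build document for each system type; the value of the check is that it runs on a schedule, so drift from the baseline and missed patches surface before an attacker finds them.
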
3. Home and mobile working

Remote working has great benefits to your organisation and employees. It also brings with it risks that should be managed to keep your information secure. Credentials can be stolen, devices may be lost, and information can be overlooked by passers-by.

You should create a mobile and remote working policy that your staff are trained to follow. Apply the baseline build you established in the secure configuration step to all of your devices, and encrypt your data to protect it both in transit and at rest.

4. Incident management

Security incidents are bound to happen at some point for an organisation. Having an effective incident management policy will help to protect against harm. It’s recommended that you identify the funding and resources you have available to deliver incident response and disaster recovery.

You should develop and test your incident management policy and processes to make sure they’re effective. Provide specialist training to your incident response team, and log the actions taken during an incident so you can learn from it and improve your response.

5. Malware prevention

When information is transferred online there is the risk that malicious software, or malware, can be imported, for example via email, web browsing, web services, or removable media. Malware can cause harm to your organisation by leaking or disrupting sensitive data.

You should design and implement anti-malware policies and train your employees to follow them. Scan data entering and leaving your network to identify malicious content, and implement malware defences including firewalls, device protection and antivirus software.

6. Managing user privileges

Giving users unnecessary permissions to certain systems and data can lead to misuse and compromise. Based on the principle of least privilege, users should only have access to systems and information needed to fulfil their role and responsibilities.

You should establish effective account management processes and limit the number of privileged accounts. Monitor user activity, and restrict access to system activity logs and other sensitive resources.

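Limiting privileged accounts is easier to sustain when the review is automated. The following is an added example, not Sentrium’s or the NCSC’s own tooling: it takes a constructed list of accounts with their group memberships and last logon dates and reports privileged accounts that lack documented approval, that are dormant, or that are disabled but still hold privileged group membership. The group names, usernames, the approved-admin list and the 90-day dormancy threshold are all assumptions for the sample.

```python
"""Privileged account review (added example; all accounts and policy values are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed: groups that confer administrative privilege
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "sudo", "wheel"}
# Constructed: accounts with a documented business need for privilege
APPROVED_ADMINS = {"alice.admin", "bob.admin"}
DORMANT_AFTER_DAYS = 90   # assumed review threshold, not a figure from the article


@dataclass
class Account:
    username: str
    groups: Set[str]
    last_login: Optional[date]   # None means the account has never logged in
    enabled: bool = True


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any administrative group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def review_accounts(accounts: List[Account], today: date, approved=APPROVED_ADMINS) -> dict:
    """Return the privileged-account count and a list of (rule, username, detail) findings."""
    findings = []
    privileged = [a for a in accounts if is_privileged(a)]
    for acct in privileged:
        privs = ", ".join(sorted(acct.groups & PRIVILEGED_GROUPS))
        if not acct.enabled:
            # A disabled account should lose its privileged membership, not keep it in reserve
            findings.append(("disabled-still-privileged", acct.username, f"disabled but still in {privs}"))
            continue
        if acct.username not in approved:
            findings.append(("unapproved-privilege", acct.username,
                             f"member of {privs} without documented approval"))
        if acct.last_login is None:
            findings.append(("dormant-privileged", acct.username, "privileged account has never logged in"))
        elif (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            idle = (today - acct.last_login).days
            findings.append(("dormant-privileged", acct.username, f"last login {idle} days ago"))
    return {"privileged_count": len(privileged), "findings": findings}


# Constructed sample directory extract
ACCOUNTS = [
    Account("alice.admin", {"Domain Admins"}, date(2021, 4, 26)),
    Account("bob.admin", {"sudo"}, date(2020, 12, 1)),
    Account("carol", {"sudo", "staff"}, date(2021, 4, 28)),
    Account("svc-backup", {"Administrators"}, None),
    Account("dave", {"staff"}, date(2021, 4, 29)),
    Account("old.admin", {"Domain Admins"}, date(2020, 1, 1), enabled=False),
]

if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, today=date(2021, 4, 29))
    print(f"{report['privileged_count']} privileged account(s) reviewed")
    for rule, user, detail in report["findings"]:
        print(f"  {rule:<26} {user:<12} {detail}")
```

The approved list is the important input: it forces someone to write down why each privileged account exists, which is what keeps the count from quietly growing. Feed the output into the same ticketing or review process you use for joiners, movers and leavers so that findings are actually actioned.
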
7. Monitoring

Good system monitoring helps you detect attacks on your systems and respond effectively. You can assess how your systems are being used and whether they’re being attacked.

You should establish a monitoring strategy that covers all of your systems, inbound and outbound network traffic, and user activity. Analyse this activity to identify when malicious activity occurs, and align your monitoring with your incident management policy so you can respond effectively.

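To make the “analyse activity to identify malicious activity” step concrete, here is an added example that is not Sentrium’s or the NCSC’s own code: a small detector run over constructed sshd authentication log lines. It raises a medium alert when one source address accumulates five failed logins within sixty seconds, and a high alert when a successful login follows recent failures from the same source, which is the case an incident responder most wants to see first. The host names, addresses (taken from the documentation ranges), thresholds and the assumed log year are all constructed.

```python
"""Authentication log detection (added example; log lines and thresholds are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Matches the OpenSSH "Failed/Accepted password" syslog lines used in the sample below
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
FAIL_THRESHOLD = 5      # assumed: failures from one source within the window that trigger an alert
WINDOW_SECONDS = 60     # assumed: sliding window length
LOG_YEAR = 2021         # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line into an event dict, or None for lines the detector ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the sliding-window rules over the lines in order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()                        # sources already alerted for brute force
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[ev["src"]]
        # Drop failures that have aged out of the window before evaluating this event
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "rule": "brute-force", "src": ev["src"],
                               "detail": f"{len(window)} failed logins within {WINDOW_SECONDS}s on {ev['host']}"})
        elif window:
            # A success from a source that was just failing is the event to triage first
            alerts.append({"severity": "high", "rule": "success-after-failures", "src": ev["src"],
                           "detail": f"user {ev['user']} accepted on {ev['host']} after {len(window)} recent failures"})
    return alerts


# Constructed sample log extract (addresses from the documentation ranges)
SAMPLE_LOG = [
    "Apr 29 10:00:00 web-01 CRON[1107]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 29 10:00:01 web-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Apr 29 10:00:05 web-01 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Apr 29 10:00:09 web-01 sshd[2235]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Apr 29 10:00:12 web-01 sshd[2237]: Accepted password for dave from 198.51.100.7 port 40022 ssh2",
    "Apr 29 10:00:13 web-01 sshd[2239]: Failed password for alice from 203.0.113.5 port 51237 ssh2",
    "Apr 29 10:00:17 web-01 sshd[2241]: Failed password for alice from 203.0.113.5 port 51238 ssh2",
    "Apr 29 10:00:21 web-01 sshd[2243]: Failed password for alice from 203.0.113.5 port 51239 ssh2",
    "Apr 29 10:00:25 web-01 sshd[2245]: Failed password for bob from 192.0.2.9 port 60000 ssh2",
    "Apr 29 10:00:30 web-01 sshd[2247]: Accepted password for alice from 203.0.113.5 port 51240 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['rule']} from {alert['src']}: {alert['detail']}")
```

The two rules are deliberately simple; what matters is that each alert carries enough context (source, host, user, counts) for the incident management process from step 4 to act on it without re-reading the raw logs. Tune the thresholds to your own environment, and make sure the logs themselves are protected, since step 6 restricts access to them for good reason.
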
8. Network security

Your organisation’s network connections to the internet and to partner networks can expose your systems to attack. Threats can lead to malicious actors exploiting your systems, compromising information, or damaging resources.

Manage your network perimeter using firewalls to monitor traffic and prevent malicious content from entering your network. Secure wireless access and enable secure administration. Penetration testing can help provide assurance in your security controls.

9. Removable media controls

Removable media is a common route for malware to be introduced into systems, where it can damage or expose sensitive data. You should limit the use of removable media in your organisation as much as possible, and make sure it’s scanned for malware where it cannot be blocked.

Where removable media is permitted, it should be issued by your organisation; users should not use their own media. Encrypt data on removable media and actively manage when and how it is securely disposed of.

10. User education and awareness

User education and awareness is the overarching security measure that will help to protect your organisation. The cyber security processes and policies that you design and implement should be shared with your team to make sure they’re aware of the risks and how to manage them.

Include these policies and processes in staff training and make sure your team is aware of how to report incidents in a safe and confidential way. Clearly communicate the risks and benefits that security can present to the organisation. The better your staff understand and embrace a positive security culture, the more effective it will be.

At Sentrium, we use this information to help you understand how best to protect your organisation from cyber attacks. Get in touch with us to find out how we can support your organisation’s cyber security requirements.
