What are the 10 Steps and Principles of Cyber Security?

Whether you are an established business, a small startup, or any other organization that needs cyber security, exploring the ten steps and principles to cyber security will be the best place to begin. These ten steps to cyber security were released in 2012 by the National Cyber Security Center (NCSC) in an attempt to alleviate security issues, which remain to be a constant threat to businesses and the world economy today.

So, what are the ten steps and principles of cyber security? They include:

  1. Risk management regime
  2. Secure configuration
  3. Network security
  4. Malware prevention
  5. Managing user privileges
  6. User education and awareness
  7. Incident management
  8. Home and mobile working
  9. Removable media controls
  10. Monitoring

Instead of regurgitating what the NCSC states, we chose to outline and expound the steps involved to prepare system security professionals for what to expect and the best way to partake in each measure. Read on to find out everything you need to know about cyber security.

1. Risk Management Regime

This step involves setting up and communicating policies on how you are going to approach risk management. That means first exploring the risks that may be involved, prioritizing the most significant risks, and setting up action plans on how to respond.

The risk management regime should first be communicated to the governing structure (board members and other senior experts in the organization) and get its approval. This is important since they’ll also be involved in setting up new or additional policies in case the threat paradigm changes.

The final approach to risk management then needs to be communicated to all the people who are concerned, such as employees, suppliers, and contractors.

But why do you need a risk management regime?

  • To avoid the ineffective implementation of policies. If there’s no particular governance where risk is concerned, there’ll be confusion of what can be done and what can’t be done so various departments can choose risky ventures, which may lead to business failure.
  • To reduce exposure to risk for the whole organization. The board of management might not know entirely what’s risky and what isn’t lacking a risk management regime. This might lead to many common risk management mistakes that can cost you lots of money or the whole organization.
  • Not to miss growth opportunities. If the board doesn’t have an outline of risks and a rigid security system is put in place, there’ll be no growth since it’ll be hard to adjust the threat development landscape and grab the required growth opportunities.

How to Ensure an Effective Risk Management Regime

Any business needs to take risks, but it’s also essential to have an elaborate picture of what risks you’ll be willing to take and those which you won’t.

Here are some tips for effective risk management:

  • Establish a governing body for risk management. A consistent expert approach to risk management is crucial for more in-depth insights, adaptation, and expansion of security models. The board of management will be the head, of course.
  • Decide the risks you will tolerate and those you will not. This helps everyone involved to make the necessary decisions to achieve company objectives but with established risk boundaries.
  • Use recognized standards. The cyber security standards available are precise but broad so that they can be inclusive of evolving cyber security.
  • Be informed on emerging threats and create adapting policies. A report on threat intelligence shows that perils predicted today would likely happen within a span of the next two years. You can check out how to stay up to date with security trends to modify your risk management regime early each time.
  • Engage the board of management with each development. Develop a consistent timeline where you can review and amend policies for awareness and possible generation of other progressive ideas.
  • Use assurance schemes. These provide basic strategies to manage cyber-attack risks and offer certification that confirms your dedication to cyber security. You can use the Cyber Essentials Scheme, which provides different levels of certification.
  • Promote a threat management culture. From employees to users, each has a responsibility to ensure cyber security. Educate and create awareness through effective content that can be shared among peers. Also, refresh and maintain strategies as long as your organization exists.

2. Secure Configuration

Configure your security system by eliminating any unnecessary functions and ensure the perimeter has no loopholes that may facilitate breaches. The system configuration is like the foundation of a building, and if it isn’t secure, everything else is in danger.

How to Achieve Secure Configuration

Security configuration is too vital to ignore. To be successful with this principle, you must:

  • Establish a particular installation and configuration model. Policies and procedures have to be kept so that the created model is carried out throughout the entire organization. Such consistency enables security measures effortlessly and makes it easy to manage the systems.
  • Patch any vulnerabilities the moment you identify them since they are the most known causes of security breaches.
  • Eliminate any functionality that’s unnecessary because of developed systems. This should be immediately followed up with the securing of any loopholes that might have been facilitated by the change.
  • Create new access keys for any equipment purchased. You need to avoid using default passwords since some hackers start with that underlying weakness.
  • Keep access permissions for everything limited to the most necessary users.
  • Review and refresh all components of your system regularly and on a consistent time frame.
  • Disable auto-run features and observe user authorization.
  • Observe the best password management practices and maintain user awareness.

3. Network Security

Since your networks are connected to partner networks and the internet, network security is a crucial step in cyber security. You have to create a secure network with appropriate responses that shield it from attacks.

From the basis of the architecture of your network to active monitoring, you can filter threats and enable access in the most secure manner. This should be reflected in the policies you draw, making it clear the boundaries that your organization can operate in.

You can define network security in three subsets:

  • Physical: This type of network security ensures access to the physical components of the network to only authorized personnel. Breaches can happen physically; therefore, measures must be taken to avoid that.
  • Technical: Network security can be carried out while in transit, as well. It involves protection of the data as it flows in the network so that it’s efficient, and no breaches or attacks can happen.
  • Administrative: Any user of the network (even the security officials) has to operate within specific policies that don’t threaten the network. So, administrative and network security ensures proper implementation of policies and processes.

How to Ensure Network Security

After the division of network security departments, you have to take various steps to ensure the security of your network. This could be on an administrative level or the lowest level of your organization model.

To protect your network, the NCSC advises you to:

  • Utilize firewalls. Establish protocols that control the communication between your network and unauthorized networks. This provides control and monitoring of traffic and other layers of defense created for specific reasons.
  • Protect the internal network. Ensure that you utilize the necessary measures that help protect the private network. There shouldn’t be a loophole to the internal network whatsoever, and reviewing your system set up regularly will help with that.
  • Ensure malware detection and prevention. Whether internally or externally, build your system with malware detection and prevent access to avoid attacks.
  • Divide network security systems. Instead of dealing with one broad network security control, create subsets with the particular protocols tailored for them.
  • Ensure secure administration. Involve levels of identity confirmation that are hard to override.
  • Test your system. Regularly subject your system to penetration tests that show its vulnerability and fix any issues immediately.
  • Keep a reliable monitoring system. Use the necessary equipment and qualified experts to help you detect any internal or external threats to the system. Together with the firewall, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can save your organization much time and money.
  • Ensure data encryption. Shield your data from thieves by promoting encryption of any critical company data.

4. Malware Prevention

Any malicious component of data should be detected and prevented from reaching the systems since it puts your systems at considerable risk. And this malware could be easily injected through emails, web pages, system vulnerability, and even through a removable computer device.

That’s why you have to set up anti-malware software at every front and put up policies that ensure routinely reviewing.

Your organization should avoid the following types of malware:


Although most people refer to any malicious content as a virus, this kind of malware is injected into system files such that if they execute the standard files, the virus is executed too, hence infecting other related files as well. Some viruses are tough to clean up, but most that are available today have in-depth fixes that can counteract them.


Worms are malware that is commonly deployed in email attachments. An example is the famous I Love You worm that troubled technology across the entire world in the year 2000. In contrast to the viruses that allow the user to avoid or purge them early enough, worms can contaminate the entire organization in a matter of seconds since they don’t require end-user action.


This name came from the ancient Trojan horse and is used today more than worms. This type of malware is created through malicious code that’s concealed in useful instructions of a particular program. So, as you use the program, the trojans keep spying on your systems and disrupting them depending on the intent of the malware actor.


This type of malware is deployed to system data and encrypts it, shutting out the user who then has to pay a ransom to get their files back. Some will monitor your system activity for some time so they can understand the level of leverage they are dealing with before asking for a price.

Ransomware has brought down many large organizations and even big cities. Therefore, you need to have tight malware prevention programs and reliable offline backups for any critical data. Also, discuss possible risks and mitigation strategies to be prepared for such threats of ransomware.


These are the worst kind of malware and are very common today. They combine various malware, commonly trojans and worms, to facilitate actions that are hard to reverse once the systems are hit.

For instance, malware can appear like trojans to the user, but in reality, it’s spreading the malicious code to the network using the worms. Botnets bear trojan and worm qualities and pose severe risks to systems.

Hybrids do a great job of concealing their workings from anti-malware programs. However, the first action to take when you suspect a hybrid infection is to scan the system with anti-malware.

Fileless Malware

This form of malware executes attacks without the deployment of malicious code that can be detected when one performs vulnerability scans. It makes changes to legitimate files and only attacks usable memory, so no evidence is left. Astaroth is an example of fileless malware.


This form of malware mostly shows that there’s some kind of vulnerability in your system, which provided access to the organization’s data. While spyware isn’t as malicious as other malware types, it can be used by a hacker to access passwords and critical organization data that can be used in attacks.


This type of malware is also relatively innocent, like spyware, since it uses advertisements to view which information you’re viewing. However, it gets malicious when it prompts actions that lead to malware injection from the user. Anti-viruses and user awareness can keep adware in control.

How You Can Ensure Malware Control

So, how can you manage malware risks?

  • Create anti-malware policies that are relevant to each sector and ensure that they are being implemented through monitoring.
  • Watch import and export of data. It should only be carried out when necessary and by a limited number of security professionals.
  • Get a dedicated anti-malware scanner that must be used before import and export of data is carried out.
  • Ensure in-depth defensive approaches when securing your systems. Involve layers of defenses against malware to increase the chances of concealed malware detection.
  • Educate users routinely on malware detection and prevention with incident reporting as a priority in case of suspicious activity.

5. Managing User Privileges

Create policies that limit the most necessary access to security systems depending on the employee’s job. Giving passwords to everyone, even when the company is a small startup, is always a bad idea.

Managing user privileges is vital because:

  • It prevents the misuse of privileges. If a low-level employee has access to high-security controls, it’s easier to use and even give access to third parties with no thought of the security impacts.
  • Attackers can’t easily access security systems. Since there are no careless “loose ends,” attackers would rarely encounter compromised accounts or employees who wish to sell organization information. Subsequently, they won’t be able to change security controls that they can use in the future.

How to Manage User Privileges

Here are ways you can manage user privileges:

  • Put up consistent account management processes. From access privileges to deactivation of unused accounts to deletion of testing accounts, you need to have clear policies that make it easy to follow up on any vulnerabilities.
  • Establish authentication features. Even if you have a small organization, ensure that your employees go through tight checkpoints before accessing critical information.
  • Minimize user privileges. Provide only the most relevant access that enables the fulfillment of the assigned role to every individual.
  • Limit the number of high privileged accounts and their uses. Limit the number of high-security accounts to the most necessary minimum and prohibit usage when inessential.
  • Educate the users on their role in system security and keep the conversation going.
  • Monitor the user privileges and set up policies that address abnormal actions for fast and efficient fixing of any damages or vulnerabilities.
  • Establish disciplinary actions that are involved in the mishandling of user privileges.

6. User Education and Awareness

This principle works around enforcing a security culture in a security-conscious organization. Training and awareness programs need to be carried out regularly so that employees and users can have hands-on knowledge of how they can protect data and systems on their end.

According to research, 95 percent of successful security attacks arise from human error. Commonly, this comes from a lack of knowledge of the risks involved or inadequate communication after identifying the errors. However, if this step is implemented, less careless security breaches can occur.

How to Promote a Security Culture Using Education and Awareness

To use education and awareness to promote a security culture, you can:

  • Create security training and awareness programs and assess their effectiveness regularly.
  • Establish a staff role familiarization program. Everyone who interacts with the systems should go through this process where they learn about big picture security measures and their role in it.
  • Promote incident reporting. Encourage system users and employees to talk about the times they “mess up” immediately to security professionals. Regularly reinforce an incident reporting culture to avoid poor communication that commonly causes significant damages.
  • Inform them of emerging threats and how they can avoid risks on their part. A knowledgeable organization is progressive since the users will be aware if any attackers try to do social engineering to get their code into the systems.
  • Reduce insider threats. Educate your employees on “the enemy within” so they can report anyone who shows suspicious activity.

7. Incident Management

In this world of technology, many organizations encounter incidents at some point. However, the setting up of policies and processes that can be implemented through such times will help to handle the incidents for fast and long term recovery effectively.

How to Carry Out Incident Management

As you install and configure your systems, it’s crucial to think about managing high-risk events as well. Here’s how you can perform this step:

  • Create an event management monitoring plan. Have a System Information and Event Management solution (SIEM) that can monitor and inform any incidents that can compromise your security.
  • Establish incident response resources. Don’t wait for the event, but create security strategies and the financial plans of potentially high-risk events. You can do this with your in-house team or establish a relationship with an outsourcing professional incident response team.
  • Create roles and responsibilities for incidents. This involves information sharing policies. You have to state clearly who will be involved and how to avoid leaking critical information to the wrong people.
  • Prepare a reliable backup since data loss may be one of the incident consequences. This should be offsite, plus data recovery tests should be done routinely to confirm the viability of the process.
  • Promote user awareness in incident management processes. Make users aware of the role they can play in incident management. Promote freedom of expression in case they identify something that can bring or is in itself a potential security incident.
  • As you perform tests and real incident responses, record any relevant information. Write reports on any observations worth reviewing for future incident management reference. These reports help improve and modify the strategies as the incident models change.

8. Home and Mobile Working

Since home and mobile working sometimes becomes necessary, it’s vital to create accompanying policies on the network sharing and other security concerns beforehand. For instance, during the coronavirus crisis, hackers had an excellent opportunity to hit companies.

The following are common security risks of working from home:

  • Loss of devices which can lead to the stealing of sensitive information.
  • Spying outside the office happens especially if the user works in a public space.
  • Loss of credentials that might give access to critical organization information.

How to Work Around the Remote Working Cyber Security Step

So, can you mitigate the security risks of home and mobile working in your organization? Yes, and here’s how you can do it:

  • Analyze the risks of remote working and create safety policies. This includes boundaries where loopholes can be created by remote working. While setting up systems, explore all the risks, and create policies around them for a clear continuation of work at all times.
  • Create a secure configuration of organization systems for any data accessed remotely.
  • Protect the data at rest and in transit.
  • Explore security incidents that might occur during remote working and establish their management plans.
  • Educate and create awareness for users on how to handle information during remote work. Ensure that they see the responsibility they hold and how that affects their work. Promote incident management as well since remote working can prop up uncertain events.

9. Removable Media Controls

As mentioned earlier, removable devices are a common source of malware introduction and the leaking of sensitive information. Therefore, clear policies have to be set, and they should be accompanied by system configurations that detect user mishandling of the removable devices.

How to Ensure Removable Media Controls

Losing information and the introduction of malware both have dire consequences to an organization. Here’s how you can mitigate the risks brought by removable devices:

  • Establish removable media policies. These should be clear about how information transfer in and out of systems can be carried out safely and with which devices.
  • Build systems with a limited need for removable media. If information can be deployed by a few security professionals, the better.
  • Provide removable work devices. Issue removable media for work use only to individuals and emphasize their accountability for each device.
  • Include robust malware scanning in systems. All removable media should be scanned before any operations take place. Even better, a dedicated malware scanner for all devices before transfers is crucial.
  • Establish disposal and reuse of removable media protocols like sanitization.
  • Educate users on the proper handling of removable media.

10. Monitoring

Setting up policies is essential but monitoring their implementation is even more vital. An organization should monitor the implementation of all the policies involved in the ten steps to cyber security. It helps in the efficient running of an organization mostly through the early detection and response to indiscipline and attacks.

How to Effectively Monitor in All Cyber Security Principles

To effectively monitor your cyber security, you should:

  • Create an elaborate monitoring strategy with backing policies. Assess your organization model and create a monitoring strategy that best serves it.
  • Monitor each system. Leaving out some supposedly low-risk systems is dangerous since hackers can follow such a vulnerability. Therefore, you have to install systems that detect everything from attacks to irregular system behavior.
  • Monitor user activity to identify and stop misuse of privileges, among other issues.
  • Declutter your monitoring system. Remove any additional functionality since too many alerts can mask attacker detection. In other words, modify your monitoring system to be in its most effective mode.
  • Review and record any lessons learned to improve the organization’s efforts around this principle.

In Conclusion

You can look around and find other steps and principles to cyber security, but they won’t provide the comprehensiveness that the NCSC-issued ones do. These provide cover for every security issue if you follow the implementation process according to your organization’s needs.

Also, the NCSC steps to cyber security cover the most critical points that the Cyber Essentials Scheme, a government-supported entity, works around. You can also rest easy knowing that you’re following system security advice that’s also followed by the robust FTSE 350 companies.

Related Questions:

What are the 3 principles of cyber defense? The three principles of cyber defense are to protect confidentiality (C), integrity (I) and availability (A). These three principles are usually denoted as CIA principles.

What is cyber security measures? Cyber security measures are steps taken to ensure an organisation is protected against cyber crime and is cyber resilient to any cyber attacks.

Recent Posts