Implementing effective cyber security measures

Implementing good cyber security measures is not only a key part of meeting your regulatory requirements but will also help reduce the likelihood of a significant incident. Implementing even very basic cyber security controls will help reduce the chance of an incident. 

What should the Board do?


Get a little bit technical

Having a basic understanding of cyber security can help you to ask the right questions to seek assurance about your organization's cyber resilience - just as you would need a certain level of understanding of finance to assess the financial health of your organization. A good place to begin is to discuss your existing cyber security measures with your experts; the questions below under 'What does good look like?' suggest a starting point for what to ask.

 

What should your organization do?


Start with a cyber security baseline

Attackers often use common methods to attack a network. Many of these methods can be mitigated by implementing basic cyber security controls. There are several frameworks that outline what good cyber security controls look like. These include the Bento Cyber Security Framework, ISO/IEC 27002 and the NIST Cyber Framework.

 

Tailor your defenses to your highest priority risks

The basic cyber security controls will help mitigate the most common cyber attacks, but once you have that baseline in place you then need to tailor your defenses to mitigate your highest priority risks. Your measures will be tailored both to your technical estate (protecting the things you care about the most) and to the threat (protecting against methods used by specific threat actors).

 

Layer your defense

As with physical and personnel security, cyber security can make use of multiple measures which, when implemented simultaneously, help reduce the chance of a single point of failure. This approach is commonly referred to as 'layered defense'. Each measure provides a layer of security and, deployed collectively, they greatly reduce the likelihood of a cyber incident. Once you have your cyber security baseline in place you can focus on layering your defense around those things that are most important to you - or particularly valuable to someone else.

For a quick overview of what that may look like, see the BCSF Layered Defense Checklist.

 

Defend against someone inside your network

Defenses do not stop at the border of your network. A good defense assumes that an attacker will be able to access your system and works to minimize the harm that they can do once they are inside it. One of the key things you can do to limit the damage they can inflict is to restrict their movement and access. Effectively managing user privileges and segregating your network are common approaches. Identifying an attacker inside your system as soon as possible will also help limit the damage they can do. Monitoring and logging are key to being able to spot any signs of malicious activity.

These measures will also help mitigate the threat from a malicious insider: somebody who has legitimate access to your systems but then uses that access to do harm. This threat ranges in capability and intent, from a disgruntled employee through to corporate espionage.

 

Review and assess your measures 

Good cyber security is a continuous cycle of having the right information, making informed decisions and taking action to reduce the risk. You will need to be continuously assessing and adapting your defenses as the needs of your organization and the profile of the threat change. To do this it's important to have some way to assess whether your defenses are effective.

There are several mechanisms available to technically assess the effectiveness of your security controls. These range from testing the security of your networks (pen-testing) through to certification of products or services. You may want to use a combination of internal mechanisms and objective assessment provided by an external source.

Engaging with staff will also help you gain a more accurate picture of your organization’s defenses. It will also give you the opportunity to get valuable staff input into how policies or processes could be improved. Metrics or indicators can also tell you where you need to change your approach or adapt to new circumstances. Understanding exactly what an indicator is telling you may require further investigation of the situation. An example is the trend in people reporting suspicious emails. A decline in the number of people reporting can either mean fewer malicious emails are getting through to people’s inboxes, or it could mean fewer people are reporting any concerns because they don't receive feedback when they do, and therefore believe nothing is ever done afterwards.

What does good look like?

The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes 'good' cyber security in terms of assessing your organization's cyber security measures. 


Q1. As an organization, how do we assure ourselves that our measures are effective?

You might seek this assurance through:

  • Penetration testing carried out by an external organization, and action taken on the back of their results.

  • Automated testing of your defenses and monitoring of activity on your networks by your IT security team.

  • Reviewing defensive measures against suitable frameworks; this could be an internal review or one carried out by an independent consultant. Suitable frameworks include the Bento Cyber Security Framework, ISO/IEC 27002 and the NIST Cyber Framework.

  • Ensuring threat assessments and defensive priorities are regularly reviewed and defensive measures updated accordingly.

  • Ensuring that the focus of your cyber security measures is aligned with the risks you have identified and prioritized.


Q2. As an organization, what measures do we take to minimize the damage an attacker could do inside our network?

You might consider:

  • How you authenticate and grant access to users or systems. You want to ensure that these measures are not easy to bypass and that you don't afford access unless necessary.

  • How you would identify an attacker's presence on your networks - normally done through monitoring.

  • How you separate your network so that if an attacker gets access to one device they do not have access to the full range of your technical estate.

Q3. As an organization, do we implement cyber security controls to defend against the most common attacks?

As an organization, how do we defend against phishing attacks?

  • We filter or block incoming phishing emails.

  • We ensure external mail is marked as external.

  • We stop attackers 'spoofing' our own emails.

  • We help our staff to identify and report suspicious emails.

  • We limit the impact of phishing attacks that get through.
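The 'stop attackers spoofing our own emails' item is usually evidenced by the domain's SPF and DMARC DNS records. The following is an added example, not part of the original guidance or the Bento framework: it parses constructed sample records (no live DNS lookups) and lists the findings a security team would report back to the board. The domain names and the `assess_spoofing_controls` helper are assumptions for illustration.

```python
# Added example (not from the original guidance): offline check of the SPF and
# DMARC records that stop attackers spoofing an organisation's own email domain.
# Record strings are constructed samples; a real check would look them up in DNS.
import re
from typing import Dict, List, Optional


def parse_spf(record: str) -> Dict:
    """Return validity, the 'all' qualifier (+ - ~ ?) and the listed mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "mechanisms": []}
    all_q = None
    for t in terms[1:]:
        m = re.fullmatch(r"([+\-~?])?all", t, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)
    return {"valid": True, "all": all_q, "mechanisms": terms[1:]}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (v, p, rua, pct, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spoofing_controls(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Findings to raise against the 'we stop spoofing' checklist item."""
    findings = []
    s = parse_spf(spf) if spf else {"valid": False, "all": None}
    if not s["valid"]:
        findings.append("no valid SPF record")
    elif s["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (use -all or ~all)")
    d = parse_dmarc(dmarc) if dmarc else {}
    if d.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record")
    else:
        if d.get("p", "none").lower() == "none":
            findings.append("DMARC policy is monitor-only; spoofed mail is still delivered")
        if "rua" not in d:
            findings.append("no DMARC aggregate reporting address; no visibility of spoofing attempts")
    return findings


# Constructed sample records for two hypothetical domains: a weak and a good setup.
WEAK = assess_spoofing_controls("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none")
GOOD = assess_spoofing_controls("v=spf1 include:_spf.example.net -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")
```

An empty findings list for a domain is the evidence behind the checklist item; anything else is an action for the technical team.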

As an organization, how do we control the use of privileged IT accounts?

  • We use 'least privilege' when setting up staff accounts.

  • We reduce the impact of attacks by controlling privileged accounts.

  • We have strong links between our HR processes and the IT account function.

As an organization, how do we ensure that our software and devices are up to date?

  • We have defined processes to identify, triage, and fix any exploitable vulnerabilities within our technical estate.

  • We've created an 'End of life plan' for devices and software that are no longer supported.

  • Our network architecture minimizes the harm that an attack can cause.

  • We make appropriate use of third-party or cloud services and focus on where we can have the most impact.

As an organization, what authentication methods are used to control access to systems and data?

  • We take measures to encourage the use of sensible passwords.

  • We ensure passwords don't put a disproportionate burden on staff.

  • We implement two factor authentication (2FA) where possible.