10 Steps to Cybersecurity

10 Steps to Cybersecurity, As Defined By GCHQ


GCHQ, the Government Communications Headquarters, is an intelligence and security agency responsible for keeping the U.K. safe. GCHQ's teams use cutting-edge technology, technical ingenuity, and wide-ranging partnerships to identify, analyze, and disrupt threats. [1]

GCHQ deals with the real threats that the U.K. faces on a day-to-day basis and recognizes that the rate of these attacks is difficult to curtail. The BIS 2014 Information Security Breaches Survey reported that 81% of large organizations had experienced a security breach of some sort, costing each organization, on average, between £600,000 and £1.5 million. [2]

GCHQ, therefore, has designed the ten steps to cybersecurity as a guide to help organizations protect themselves from cyberattacks. It breaks down the task of defending your networks, systems, and information into its essential components, providing advice on how to achieve the best possible security in each of these areas. [2]

The 10 steps to cybersecurity were initially published in 2012 and are now used by a majority of the FTSE 350.

GCHQ believes that following security measures tailored to your situation, but aligned with the ten steps, will protect your organization from unforeseen attacks.

The Ten Steps to Cybersecurity as Defined by GCHQ

1. Information Risk Management Regime

It is important to assess the risks associated with your organization's information assets on a par with other crucial risks such as operational, financial, and regulatory risk. An information risk management regime should be implemented with the approval of the board of directors and the other senior managers who form the information assurance structure. The regime should be communicated at all levels of the organization to ensure overall risk coverage.

2. Secure Configuration

There should be defined policies and procedures covering the use and configuration of ICT systems, together with secure baseline builds. Unnecessary functionality should be removed or disabled, and known vulnerabilities patched. A failure to secure configuration exposes your organization's vulnerabilities and increases the threat to the integrity and confidentiality of your business.

3. Network Security

Network security is crucial because a threat that goes unidentified on the network can spread throughout the organization. A network connected to the internet poses a higher security risk; therefore, apply recognized network design principles and configure internal network segments to the secure baseline build. Allow only the traffic required to support your business, and monitor traffic for malicious activity that could indicate an attack.

4. Managing User Privileges

Users of ICT systems should be assigned the privileges appropriate to their roles, and the number of privileged accounts for roles such as database administrator should be controlled. Database administrator accounts should not be used for daily activities or during high-risk activities. Monitor privileged accounts for the exchange of sensitive data, access to user passwords, deletion of accounts, access to audit logs, and the creation of new user accounts.

5. User Education and Awareness

Define user security policies that set out the secure use of your organization's information systems. The policy should be formally included in the employment manual and should bind all employees. Users should be trained regularly on cyber awareness and on the risks of ignoring the cyber policies. The cybersecurity team should receive regular training on new and updated methodologies.

6. Incident Management

Plan and develop incident response and disaster recovery capabilities to handle all incidents, big or small. The incident response, disaster recovery and business continuity plans should be tested and reviewed regularly. The incident response team should be trained in both technical and non-technical areas. They should be able to report cyber incidents to the relevant law enforcement agency, which helps the nation prepare policies at a higher level and deliver an appropriate response.

7. Malware Prevention

Security policies should address the business processes that are most exposed to malware. Channels and devices such as web browsing, email, media installation, and connected personal devices should be scanned for malware across the organization. Antivirus software that actively scans for malware should be installed on all hosts and client machines. All information exchanged within and outside the organization should be scanned for malicious content.

8. Monitoring

Drawing on previous security incidents and attacks, and on your organization's incident response plan, develop a monitoring strategy and supporting policies. Monitor inbound and outbound network traffic for unauthorized or malicious patterns that could be a sign of a cyberattack. Monitor all information systems using Network Intrusion Detection Systems (NIDS), Host Intrusion Detection Systems (HIDS) and intrusion prevention systems.
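As an added example (not part of the original post or of GCHQ's guidance), the detection logic below applies the privileged-account monitoring points of step 4 and the log-review emphasis of step 8 to a few constructed audit log lines: it flags the privileged-account events step 4 lists and the routine use of privileged accounts that step 4 says to avoid. The log format, field names, action names and sample entries are assumptions invented for the example.

```python
import re
from collections import Counter

# Events step 4 says to watch for on privileged accounts (action names are assumed for this example).
WATCHED_ACTIONS = {"export_sensitive_data", "read_password_store",
                   "delete_account", "read_audit_log", "create_account"}
# Routine work that step 4 says should not be done from a privileged (e.g. DBA) account.
ROUTINE_ACTIONS = {"run_query", "view_report"}
# Assumed log format: "<timestamp> actor=<user> action=<verb> target=<object> priv=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)"
    r" target=(?P<target>\S+) priv=(?P<priv>yes|no)$"
)

def parse_line(line):
    """Return the fields of one audit line, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_privileged_activity(lines):
    """Classify each privileged-account event as 'watched' (step 4 list) or 'routine' (misuse)."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["priv"] != "yes":
            continue  # malformed lines and unprivileged users are out of scope here
        if ev["action"] in WATCHED_ACTIONS:
            findings.append(("watched", ev["actor"], ev["action"], ev["target"]))
        elif ev["action"] in ROUTINE_ACTIONS:
            findings.append(("routine", ev["actor"], ev["action"], ev["target"]))
    return findings

def noisy_actors(findings, threshold):
    """Privileged actors with at least `threshold` watched events, sorted by name."""
    counts = Counter(f[1] for f in findings if f[0] == "watched")
    return sorted(actor for actor, n in counts.items() if n >= threshold)

# Constructed sample log; not real data.
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z actor=dba01 action=read_audit_log target=/var/log/audit.log priv=yes",
    "2024-01-10T09:01:15Z actor=jsmith action=create_account target=tmpuser priv=no",
    "2024-01-10T09:02:30Z actor=dba01 action=delete_account target=jdoe priv=yes",
    "2024-01-10T09:03:44Z actor=dba01 action=create_account target=svc_backup priv=yes",
    "2024-01-10T09:04:00Z actor=dba02 action=run_query target=orders priv=yes",
    "this line is malformed and is skipped",
    "2024-01-10T09:05:12Z actor=dba02 action=export_sensitive_data target=customers.csv priv=yes",
]

if __name__ == "__main__":
    print(*review_privileged_activity(SAMPLE_LOG), sep="\n")
```

On the sample log this yields four "watched" findings and one "routine" finding, and `noisy_actors(..., 3)` singles out `dba01` for review.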

9. Removable Media Controls

Define control policies for all types of removable media used to import and export information. If the use of removable media at endpoints is unavoidable, scan it for malware using a standalone media scanner. Also restrict its use with systems or network points that host crucial information.

10. Home and Mobile Working

Employees working remotely should be trained to secure their devices in accordance with the defined policies. Assess the risks that mobile devices create when they connect to the corporate network, and train mobile users in the secure use of their devices. Apply the secure baseline build to all types of mobile device used. Data in transit, as well as data at rest, should be protected using an appropriately configured Virtual Private Network (VPN).

EC-Council Cybersecurity Training Is NCSC Certified

EC-Council offers specialized cybersecurity certifications that are accredited by ANSI (American National Standards Institute), the Department of Defense (DoD), NCSC and other globally recognized bodies. Our three leading programs in vulnerability assessment, penetration testing, and information security leadership, viz., Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) and Chief Information Security Officer (CCISO), meet the NCSC Certified Training standard. This affirms EC-Council's commitment to offering high-quality certification programs developed to arm information security professionals with the right skills to safeguard the cyber world and succeed in their professional roles.

*The National Cyber Security Centre (NCSC) is an organization of the United Kingdom Government that provides advice and support to the public and private sectors on avoiding computer security threats. Based in London, it became operational in October 2016, and its parent organization is GCHQ.

[1] https://www.gchq.gov.uk/section/mission/overview
[2] https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary