The UK’s Ten Steps to Cyber Resilience framework, developed by the National Cyber Security Centre (NCSC), provides organisations with a set of foundational cybersecurity measures. However, as cyber threats become more sophisticated, we believe that strategic expansions in line with global best practice could enhance the UK’s national cyber resilience.
Find out more below:
- Overview of the NCSC’s Ten Steps to Cyber Resilience
- International comparisons of cybersecurity frameworks
- Weaknesses in the NCSC framework
- Proposed expansions to the NCSC framework
Overview of the NCSC Ten Steps to Cyber Resilience
The NCSC’s Ten Steps to Cyber Resilience[i] is a holistic set of policies designed to bolster the defences of entities across sectors, from governmental bodies to financial institutions:
- Risk management regime: Establish a risk management policy that ensures everyone from the boardroom to the IT department understands their responsibilities in mitigating cyber threats.
- Secure configuration: Keep systems streamlined and secure by maintaining minimal operating systems and applications, removing unnecessary software, services, and user accounts.
- Network security: Shield your network from potential attackers by creating controlled boundaries and monitoring traffic for unusual activities.
- Managing user privileges: Grant access to data and systems on the basis of business need, minimising the risk of insider threats and limiting the damage that could arise from user error or malicious action.
- User education and awareness: Continuously train staff and stakeholders on the importance of cybersecurity, updating them on the latest threats and safe practices.
- Incident management: Develop a robust incident response and disaster recovery capability that not only addresses significant security incidents but also improves underlying resilience.
- Malware prevention: Implement appropriate malware defences that can anticipate and counteract the installation and spread of malicious software.
- Monitoring: Keep a vigilant eye on systems and networks, ensuring all user activities and anomalies are logged and scrutinised.
- Removable media controls: Control access to removable media and monitor its use within the organisation, reducing the risk of malware being introduced from, and data leaving on, USB drives and similar devices.
- Home and mobile working: Develop secure mobile working policies and practices that cover all aspects of home and mobile working, from devices to internet connections.
Each sector faces unique challenges, but the flexibility of the NCSC's Ten Steps allows for tailored application that addresses specific vulnerabilities. For instance, financial institutions focus on aspects of user privilege management and incident response due to the sensitive nature of financial data. In contrast, educational sectors may emphasise user education and awareness, fortifying their first line of defence against cyber threats.
The NCSC encourages organisations not just to implement these steps but to evolve with them, maturing from basic to advanced levels of implementation so that cybersecurity becomes part of the organisational fabric.
International comparisons of cybersecurity frameworks
To place the UK's NCSC Ten Steps to Cyber Resilience in a global context, it's helpful to compare it against other cybersecurity frameworks around the world. This comparison not only highlights similarities and differences but also sheds light on where the UK might enhance its approach by learning from the practices of others.
Table: Comparison of cybersecurity frameworks, mapped to the NIST CSF 1.1 functions and categories[ii]. Y marks a framework that explicitly addresses the category; categories marked * are the Protecht priority areas discussed below.

| NIST CSF function | Category | UK | AU[iii] | NZ[iv] | EU[v] | USA[vi] |
|---|---|---|---|---|---|---|
| Identify | Asset Management * | Y | Y | Y | | |
| | Business Environment | | | | | |
| | Governance | | Y | Y | | |
| | Risk Assessment | Y | | | | |
| | Risk Management Strategy | | | | | |
| | Supply Chain Risk * | Y | | | | |
| Protect | Identity and Access Control | Y | Y | Y | Y | Y |
| | Awareness and Training | Y | Y | Y | Y | |
| | Data Security | Y | Y | Y | Y | Y |
| | Information Protection | | Y | | | |
| | System Maintenance | Y | Y | Y | Y | Y |
| | Protective Technology | Y | Y | Y | Y | Y |
| Detect | Anomalies and Events * | | Y | | | |
| | Security Continuous Monitoring * | Y | Y | | | |
| | Detection Processes | | | | | |
| Respond | Response Planning * | | | | | |
| | Communications * | | | | | |
| | Analysis | | | | | |
| | Mitigation | | | | | |
| | Continuous Improvement | | | | | |
| Recover | Recovery Planning | | Y | Y | Y | |
| | Recovery Testing | Y | Y | Y | Y | Y |
| | Improvements | | | | | |
| | Communications | | Y | | | |
Some key comparisons between the international frameworks include:
- Australia's Essential Eight: Focuses significantly on the Protect layer, particularly around patching applications and operating systems, application control, and restricting administrative privileges. However, it does not explicitly cover governance or anomaly detection as comprehensively as other frameworks.
- CERT NZ's Critical Controls: New Zealand's approach places a strong emphasis on detection, particularly in monitoring security continuously and identifying anomalies and events. This proactive detection framework complements the UK's more reactive stance but lacks the structured response planning that the NCSC promotes.
- European Union's ENISA Guide: ENISA's framework stands out in governance within the Identify function, which is less explicitly defined in the UK's NCSC Ten Steps. ENISA provides a broader regulatory perspective that could enrich the governance aspects of the NCSC framework.
- USA's CISA Cyber Essentials: The USA framework is well-rounded with specific emphasis on response and recovery, areas where the UK's framework could use more explicit guidance and structured planning.
Weaknesses in the NCSC framework
Let’s consider how the NCSC Ten Steps framework aligns with Protecht's identified priority areas in cybersecurity. Each of these facets plays a critical role in fortifying cybersecurity measures and ensuring comprehensive coverage against potential threats.
Asset management: The NCSC framework acknowledges the importance of managing access to data based on user necessity, which indirectly relates to asset management. While the framework ensures assets are secured, there is less emphasis on maintaining a detailed inventory of all assets, which is crucial for knowing what needs protection and to what extent.
Supply chain risk: This aspect is somewhat covered under user privileges and network security within the NCSC framework, ensuring that external vendors adhere to certain security standards. However, there's no comprehensive strategy for evaluating and managing risks throughout the supply chain, which can leave vulnerabilities unchecked.
Anomalies and events detection: The framework includes monitoring for potential cybersecurity threats as part of its broader security protocols. Despite this, there is a lack of specific focus on the proactive detection of anomalies and events that could indicate early stages of a cybersecurity incident.
Security continuous monitoring: Continuous monitoring is implied in several of the Ten Steps, particularly in network security and malware prevention. The approach could be expanded to include more real-time, comprehensive surveillance of IT environments to quickly identify and respond to threats.
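As an added illustration of the baseline-and-deviation detection that the two paragraphs above (anomalies and events; continuous monitoring) call for, the Python below builds a per-user profile of normal logins from a baseline window and then flags later events that deviate from it: an unusual hour, a never-seen source address or host, and a burst of failures followed by a success. It is example code written for this page, not code from the NCSC, Protecht or any vendor; the log format, the sample lines, and the thresholds (one hour of tolerance, three failures within 120 seconds) are constructed assumptions.

```python
"""Baseline-and-deviation anomaly detection over authentication log lines.

The log lines and format below are constructed for this example; nothing here
comes from a real system or from a standard log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: a week of ordinary logins (the baseline) then one day to evaluate.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z host=web01 user=alice src=10.0.0.5 result=success
2024-05-01T08:40:52Z host=web01 user=bob src=10.0.0.7 result=success
2024-05-02T09:15:03Z host=web01 user=alice src=10.0.0.5 result=success
2024-05-02T17:55:40Z host=db01 user=bob src=10.0.0.7 result=success
2024-05-03T08:10:27Z host=web01 user=alice src=10.0.0.5 result=success
2024-05-03T10:22:09Z host=web01 user=bob src=10.0.0.7 result=failure
2024-05-03T10:22:31Z host=web01 user=bob src=10.0.0.7 result=success
2024-05-08T02:13:44Z host=db01 user=alice src=203.0.113.9 result=failure
2024-05-08T02:13:49Z host=db01 user=alice src=203.0.113.9 result=failure
2024-05-08T02:13:55Z host=db01 user=alice src=203.0.113.9 result=failure
2024-05-08T02:14:02Z host=db01 user=alice src=203.0.113.9 result=success
2024-05-08T09:01:10Z host=web01 user=bob src=10.0.0.7 result=success
"""

BASELINE_END = datetime(2024, 5, 8, tzinfo=timezone.utc)  # events before this build the baseline
HOUR_TOLERANCE = 1                 # assumed: hours adjacent to observed login hours are normal
BURST_FAILURES = 3                 # assumed: this many failures ...
BURST_WINDOW = timedelta(seconds=120)  # ... within this window before a success is a burst


def parse_line(line):
    """Parse 'ISO8601Z key=value ...' into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    if not all(k in event for k in ("user", "src", "host", "result")):
        return None
    return event


def parse_log(text):
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user profile of normal login hours, source addresses and target hosts."""
    profile = defaultdict(lambda: {"hours": set(), "src": set(), "hosts": set()})
    for e in events:
        if e["result"] != "success":
            continue  # only successful logins define what 'normal' looks like
        p = profile[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["src"].add(e["src"])
        p["hosts"].add(e["host"])
    return profile


def detect_anomalies(events, baseline):
    """Return [(ISO timestamp, user, [reasons])] for events that deviate from the baseline."""
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of failures since last success
    for e in events:
        reasons = []
        key = (e["user"], e["src"])
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("unknown_user")
        else:
            tolerated = {(h + d) % 24 for h in profile["hours"]
                         for d in range(-HOUR_TOLERANCE, HOUR_TOLERANCE + 1)}
            if e["ts"].hour not in tolerated:
                reasons.append("unusual_hour")
            if e["src"] not in profile["src"]:
                reasons.append("new_source")
            if e["host"] not in profile["hosts"]:
                reasons.append("new_host")
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
        else:
            burst = [t for t in recent_failures[key] if t >= e["ts"] - BURST_WINDOW]
            if len(burst) >= BURST_FAILURES:
                reasons.append("failure_burst_then_success")
            recent_failures[key].clear()
        if reasons:
            findings.append((e["ts"].isoformat().replace("+00:00", "Z"), e["user"], reasons))
    return findings


def run(text=SAMPLE_LOG, baseline_end=BASELINE_END):
    events = parse_log(text)
    baseline = build_baseline([e for e in events if e["ts"] < baseline_end])
    return detect_anomalies([e for e in events if e["ts"] >= baseline_end], baseline)


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(ts, user, ", ".join(reasons))
```

On the sample data only alice's four events on 8 May are flagged; bob's 09:01 login sits within an hour of his usual pattern and comes from his usual address, so the tolerance window keeps it out of the alerts. In a real deployment the baseline would span weeks rather than days, profiles would be built per role as well as per user, and the thresholds would be tuned against observed false-positive rates.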
Response planning: Incident management is a key component of the NCSC's framework, which includes planning for responses to incidents. Detailed planning on how to respond to different types of cybersecurity incidents could be more robust, ensuring faster and more effective organisational reactions.
Communications: While the NCSC framework includes recommendations that the organisation should communicate clearly during a crisis and have advance plans for doing so, it could benefit from more detail on how to communicate effectively during a crisis. This should include templates for external communications, guidelines for internal communications, and strategies for coordinating with law enforcement and regulatory bodies.
Proposed expansions to the NCSC framework
In this section, we propose expansions to the NCSC Ten Steps framework to align with international best practices and address evolving threats. We’ve broken these down below:
- Refining asset management: Integrate tools and practices that provide continuous visibility into asset status and location, ensuring that every piece of hardware and software is accounted for and appropriately secured.
- Bolstering supply chain security: Develop a set of standards and checks for suppliers to adhere to before they can enter the supply chain. Regular audits and assessments should be mandatory, with clear criteria for addressing non-compliance.
- Advanced anomaly detection: Employ machine learning and analytics to detect unusual activity across networks and systems. This proactive approach lets organisations identify potential threats earlier; it depends on an accurate baseline of normal activity and on tuning to keep false positives manageable.
- Comprehensive continuous monitoring: Implement a system-wide monitoring framework that not only tracks network traffic but also keeps tabs on user behaviours and endpoint security. This will enable quicker identification and mitigation of potential threats.
- Structured response planning: Create detailed response plans for a variety of potential security incidents. Each plan should outline specific steps to be taken by various parts of the organisation, ensuring everyone knows their role during an incident.
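The continuous-visibility tooling proposed under "Refining asset management" above, and the inventory gap noted in the weaknesses section, as an added example (it is not the page's, the NCSC's or any vendor's code): the Python below reconciles an authoritative asset inventory against what a network scan and endpoint agents actually report, flagging assets nobody has recorded, recorded assets that have gone missing, address drift and hosts that should run an agent but do not. The inventory records, observations and field names are constructed for the example.

```python
"""Reconcile an authoritative asset inventory against observed assets.

All records here are constructed for the example; the field names are assumptions
about what a CMDB export and a scanner/endpoint-agent export would contain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryAsset:
    hostname: str
    ip: str
    owner: str
    agent_required: bool = True  # appliances such as printers cannot run an endpoint agent


@dataclass(frozen=True)
class Observation:
    hostname: str  # as reported by reverse DNS or the agent; may be empty
    ip: str
    agent_present: bool


# Constructed authoritative inventory (what the asset register says should exist).
INVENTORY = [
    InventoryAsset("web01", "10.0.0.11", "platform-team"),
    InventoryAsset("db01", "10.0.0.21", "data-team"),
    InventoryAsset("jump01", "10.0.0.31", "secops"),
    InventoryAsset("printer-3f", "10.0.0.90", "facilities", agent_required=False),
]

# Constructed observations (what a network scan plus an agent export actually saw).
OBSERVED = [
    Observation("WEB01", "10.0.0.11", agent_present=False),  # known host, agent missing
    Observation("db01", "10.0.0.22", agent_present=True),    # known host, address changed
    Observation("", "10.0.0.57", agent_present=False),       # nothing in the inventory knows it
    Observation("printer-3f", "10.0.0.90", agent_present=False),
    Observation("", "10.0.0.57", agent_present=False),       # duplicate scan hit
]


def normalise(hostname):
    """Hostnames arrive in mixed case from different sources; compare them case-insensitively."""
    return hostname.strip().lower()


def reconcile(inventory, observed):
    """Return a report with four lists: unknown (observed but not inventoried), missing
    (inventoried but not observed), ip_drift (hostname matched but the address differs)
    and agent_gap (inventoried host that should run an agent but none reported in)."""
    by_name = {normalise(a.hostname): a for a in inventory}
    by_ip = {a.ip: a for a in inventory}
    report = {"unknown": [], "missing": [], "ip_drift": [], "agent_gap": []}
    seen = set()
    for obs in dict.fromkeys(observed):  # drop duplicate observations, keep order
        # Match on hostname first (addresses move), then fall back to the address.
        asset = by_name.get(normalise(obs.hostname)) or by_ip.get(obs.ip)
        if asset is None:
            report["unknown"].append(obs.ip)
            continue
        seen.add(asset.hostname)
        if obs.ip != asset.ip:
            report["ip_drift"].append((asset.hostname, asset.ip, obs.ip))
        if asset.agent_required and not obs.agent_present:
            report["agent_gap"].append(asset.hostname)
    report["missing"] = [a.hostname for a in inventory if a.hostname not in seen]
    return report


def has_findings(report):
    """True when any reconciliation list is non-empty, e.g. to fail a scheduled job."""
    return any(report.values())


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED).items():
        print(f"{category}: {items}")
```

Run on a schedule against fresh scanner and agent exports, the "unknown" list is the shadow-IT and rogue-device feed, "missing" catches decommissioned or stolen equipment that was never removed from the register, and "agent_gap" shows where the monitoring proposed in the next item has no coverage at all.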
Conclusions and next steps for your organisation
We believe expanding the Ten Steps framework is a much-needed strategic enhancement of the UK’s cybersecurity positioning. It represents a commitment to maintaining and enhancing the trust and safety of digital infrastructures that support the UK’s economy, government, and society.
In the meantime, here are our recommendations for stakeholders:
- Government and regulators: Consider revising cybersecurity policies to include these expanded areas.
- Organisations and enterprises: Adopt these broader measures pre-emptively, reinforcing their cybersecurity practices in anticipation of regulatory changes.
- Cybersecurity professionals: Integrate these strategies and technologies into their practice now, ahead of both regulatory change and the threats they are meant to address.
To find out more about cyber risk management, Protecht’s Cyber risk management: The art of prevention, detection and correction is a comprehensive guide to the complex and ever-present challenges of cyber risk. It equips you with an understanding of cyber risk management so you can lead a proactive approach against evolving digital threats.
References
[i] United Kingdom Government - National Cyber Security Centre (NCSC) - Cyber Essentials overview: https://www.ncsc.gov.uk/cyberessentials/overview
[ii] National Institute of Standards and Technology (NIST) - NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
[iii] Australian Cyber Security Centre (ACSC) - Essential Eight Explainer and Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explainer
[iv] New Zealand Government - CERT NZ’s Critical Controls for Cyber Security: https://www.cert.govt.nz/it-specialists/critical-controls/
[v] European Union Agency for Cybersecurity (ENISA) - Cybersecurity Guide: https://www.enisa.europa.eu/
[vi] United States - Cybersecurity and Infrastructure Security Agency (CISA) - Cyber Essentials Toolkit: https://www.cisa.gov/cyber-essentials