Cyber Security Guidance: The 10 Steps Set by the NCSC

Posted: 23rd August 2021

The 10 Steps to Cyber Security guidance provided by the National Cyber Security Centre (NCSC) was originally written in 2012. A lot has changed since then, not only in the way we use technology but also in the world of cyber crime.

With consideration given to the huge growth in our use of cloud services and the increase in home working, along with changes to the nature of the threats that businesses face today such as ransomware, the NCSC has updated this cyber security guidance to better suit our world today.

Who is the cyber security guidance for?

The 10 Steps to Cyber Security are designed to help all businesses and organisations manage security risk by breaking it down into 10 digestible categories. Some larger organisations with dedicated cyber security support may benefit more from it than a smaller business, but as experts in this field, we strongly recommend this guidance for everyone. Remember, a business is never too small to target but it can be too small to recover.


60% of small businesses that fall victim to a cyber attack close their doors for good within six months.


What are the 10 steps?

Risk management

The first step of cyber risk management is to carry out a risk assessment: identifying, analysing, evaluating, and addressing the risks. This will give you an overview of the cyber threats you could be facing and enable you to prioritise the severity of the potential impact on your business.

Engagement and training

The people in your business can either be your biggest liability or your strongest defence when it comes to the threat of a cyber attack. This all depends on how much they know about and understand cyber security. Supporting your teams with training in the skills and knowledge they need to work securely will dramatically improve your cyber security and highlight to them their importance to the business.

See these 5 ways your employees could compromise your business security.

Asset management

Over time, your business systems will likely grow organically, and it can be hard to keep track. If your assets are left unaudited, this can quickly lead to a high security risk with unpatched software, misclassified files, exposed accounts, and working with old kit.

Here’s more about patch management and the importance of IT audits.

Architecture and configuration

Technology and cyber security are constantly changing. To manage this, businesses need to ensure a strong cyber security ethos is carved into their systems and services from the get-go and maintained to that same standard as new threats emerge.

Vulnerability management

A secure network one day could be a gaping vulnerability the next. Software updates are often seen as an inconvenience, but they usually contain important security updates and are essential to your cyber security.

However, some vulnerabilities may be harder to fix. Working with a Managed IT Services provider can give you peace of mind that your systems are watched over 24/7.

Identity and access management

Admin rights are the key to your systems for any hacker. If a hacker can gain access to admin rights, they have the key to your business data and applications. Giving special access privileges only to those who need them can dramatically reduce the chances of a security breach.

Data security

A data protection breach can cause damage beyond repair to your business. With the rise in increasingly advanced ransomware attacks, it’s important to consider all possible protections including cloud backups.

More data security tools that will help protect your business.

Logging and monitoring

With security monitoring, you can look for signs of an attack or systems behaving unusually in the interest of prevention. With this level of analysis, businesses can meet a cyber attack at the door, responding proactively to minimise the impact.

Whether successful or not, all security incidents should be recorded – don’t be hesitant to keep it all logged. It’s essential for understanding the vulnerabilities in your systems and is a great tool for future learnings and prevention.

Incident management

Much of the time, the way you manage a cyber security incident as a business can make or break your reputation. Early detection and, ideally, a pre-planned response can minimise the damage caused and show customers and clients just how seriously you consider security.

Supply chain security

Don’t be afraid to quiz suppliers on their cyber security strategy. Your ship might be a tight one, but vulnerabilities can soon be inherited from third parties.

And remember this works both ways – by showing understanding and implementation of these 10 steps, you will give other organisations confidence in working with your business.

We’re on-hand to help!

If you are an SME and some of these steps feel a little in-depth for your business needs, the Cyber Essentials accreditation is a great place to start to make sure your cyber security is up to scratch.

The process is built around achieving 5 key controls and, on completion, helps demonstrate to your clients, and potential clients, your investment and dedication to your IT and data security.

And what’s more, we can help you become certified! To find out more, just give us a call.
