A step-by-step guide to cyber security

At a glance

  • Many organisations collect, store and process large quantities of personal data
  • It is important they put in place appropriate safeguards to protect this data and reduce the risk of it falling into the wrong hands
  • Our step-by-step guide to cyber security sets out some of the key questions organisations should be asking themselves

Cyber security has become a critical issue for organisations across a vast array of sectors.

While any type and size of organisation could be vulnerable to a cyber attack, there are a number of ways to minimise the risks. We have produced a simple checklist that covers the essential elements of an effective cyber security programme.
  • Does the board/leadership actively support the cyber security programme ensuring sufficient resources are committed to security?
  • Is cyber security, and the potential consequences of a cyber attack, covered in your business continuity plan?
  • Do you actively manage all hardware devices on the network so that only authorised devices are given access and any unmanaged devices are found and prevented from gaining access?
  • Has a secure configuration baseline for both hardware and software been determined, including security controls to prevent users from changing important settings?
  • Are processes in place to ensure new vulnerabilities are identified and existing ones are patched as soon as possible?
  • Are administrative privileges only granted when necessary and is access secured through deployment of multi-factor authentication?

Understanding and prioritising data

  • Do you maintain a current understanding of the location, quantity and quality of data important to the delivery of services?
  • Do you have a clear system for categorising different types of data – e.g. public, internal, sensitive, confidential?
  • Do you take steps to ensure data is removed in accordance with retention schedules?
  • Does everybody in your organisation who handles data understand how to properly store, transfer, archive and destroy sensitive information?

Physical and digital security

  • Is access controlled in areas of your premises where sensitive data may be held?
  • Do you ensure that all mobile devices including memory sticks are encrypted?
  • Have you created a separate wireless network for personal and untrusted devices?
  • Do you configure devices – workstations, laptops and other mobile devices – to automatically lock sessions after a standard period of inactivity?
  • Do you ensure that all data is removed from devices, such as multi-function printers, before disposal?
  • Do you regularly update your antivirus software?
  • Do you deploy tools on network perimeters that monitor for unauthorised transfer of data?
  • Do you ensure backups are properly protected via physical security or encryption when they are stored as well as when they are moved across the network?
  • Do you conduct regular penetration testing of systems in order to understand vulnerabilities and discover how easy it is to access the system?

Managing third-party risk

  • Do you understand what access your suppliers and partners have to your systems, premises and information, and how you will control it?
  • Have you considered building assurance requirements, such as Cyber Essentials Plus, penetration tests, external audit or formal security certifications as part of supplier/partner security requirements?
  • Do you build the “right to audit” into contracts and do you exercise this?
  • Does everybody in your organisation who processes data have a clear understanding of when data may be legally shared with third parties, including instances when the express approval of the data subject must first be obtained?
  • If using cloud services, have you risk assessed your needs and potential providers using a framework such as the NCSC’s 14 Cloud Security Principles?
  • Does your organisation encourage reporting security incidents and data breaches, giving staff the tools to do so and the confidence that they will not face repercussions for doing so?
  • Are you aware of the penalties your organisation could face for data breaches under GDPR?
  • Does your DPO report directly into the highest level of management?
  • Do you provide staff with regular and relevant security awareness training including recognising social engineering attacks, causes of unintentional data exposures and incident reporting?
  • If requested, could you demonstrate evidence of the training you provide?
  • Do you plan and conduct incident response exercises to maintain awareness and comfort in responding to real world threats?
  • Do you have procedures in place to learn from cyber incidents and near misses – including incidents that occur outside of your organisation?

For more information on the issues discussed in this article, please get in touch with your local Zurich contact.