NCSC 10 Steps to Cyber Security
The UK government's National Cyber Security Centre provides this framework to help organizations protect against cyber threats. This is your complete implementation guide with specific actions, upgrade paths, and protocols.
Understanding the NCSC 10 Steps Framework
The National Cyber Security Centre (NCSC) is the UK government's authority on cyber security. Their "10 Steps to Cyber Security" provides organizations with actionable guidance to protect against the most common cyber threats.
Unlike some frameworks that focus on achieving certification, the NCSC 10 Steps is designed to be implemented piece by piece. You don't need to complete all 10 steps before seeing value - each step independently strengthens your security posture.
How This Guide Works
For each of the 10 steps, we provide three implementation layers: Implementations (practical actions to put in place), Upgrades (enhancements to existing systems), and Protocols (ongoing processes and policies). This structure lets you progress from basic compliance to sophisticated security as your business matures.
Why Follow NCSC Guidance?
- Government-backed: Developed by the UK's national authority, aligned with Cyber Essentials requirements
- Insurance-friendly: Insurers recognize NCSC frameworks when assessing cyber policies
- Scalable: Works for businesses of any size, from startups to enterprises
- Practical: Focuses on controls that actually prevent real-world attacks
- Continuously updated: Reflects current threat landscape and technology changes
Step 1: Risk Management (Priority: Foundation)
Take a risk-based approach to securing your data and systems. Understand what you're protecting, from what threats, and prioritize accordingly.
Implementations
- Conduct comprehensive risk assessments identifying threats to systems and data
- Create inventory of critical assets mapped to potential vulnerabilities
- Integrate cyber risk into business decision-making processes
- Establish risk register documenting identified risks and mitigations
Upgrades
- Adopt automated risk management tools for continuous monitoring
- Implement threat intelligence platforms for real-time analysis
- Transition to integrated GRC systems aligned with ISO 27001
- Deploy risk visualization dashboards for leadership
Protocols
- Establish formal risk management framework with quarterly reviews
- Embed risk considerations into supplier contracts and cloud agreements
- Document and communicate risk tolerance levels across organization
- Review risk appetite annually with board involvement
InfiniTech Approach
We conduct free risk assessments for Cornwall businesses, identifying your highest-priority vulnerabilities and creating a roadmap aligned with your budget. No jargon, just practical recommendations.
Step 2: Engagement and Training (Priority: Critical)
Build security that works for people in your organization. Most breaches involve human error - your team is either your strongest defense or your weakest link.
Implementations
- Develop tailored security awareness programs with role-specific modules
- Launch interactive workshops on phishing recognition and safe data handling
- Create incident reporting procedures everyone understands
- Implement simulated phishing campaigns to test awareness
Upgrades
- Shift to online platforms with gamified elements and mobile apps
- Integrate training metrics into performance reviews
- Deploy automated training assignment based on role changes
- Use AI-driven personalized learning paths
Protocols
- Foster positive security culture emphasizing benefits over punishments
- Mandate training for new hires and contractors
- Conduct annual refresher courses adapting to emerging threats
- Maintain feedback loops for employees to suggest improvements
Training That Actually Works
Avoid boring PowerPoint lectures. Effective training is short (15-20 minutes), relevant to daily work, and repeated quarterly. Focus on practical scenarios: "This is what a phishing email looks like. This is what to do when you receive one."
Step 3: Asset Management (Priority: Foundation)
Know what data and systems you have and what business need they support. You can't protect what you don't know exists.
Implementations
- Build centralized asset register cataloging hardware, software, data
- Classify assets by sensitivity and business criticality
- Map data flows showing where information moves
- Document asset ownership and lifecycle stages
Upgrades
- Deploy automated asset discovery tools and network scanners
- Implement IT asset management software with auto-updating
- Use agent-based monitoring to detect shadow IT
- Integrate with procurement systems for automatic registration
Protocols
- Perform twice-yearly audits to verify the asset register against what is actually on the network
- Remove obsolete items and decommission properly
- Integrate asset management with change control processes
- Ensure GDPR compliance through data inventory
InfiniTech Endpoint Management
Our platform automatically discovers and catalogs every device on your network. You get real-time asset inventory showing hardware specs, installed software, last update, and security status - all in one dashboard.
Step 4: Architecture and Configuration (Priority: Important)
Design, build, maintain, and manage systems securely. Security should be built in, not bolted on afterward.
Implementations
- Incorporate security-by-design principles in system development
- Segment networks to isolate critical areas
- Apply default secure configurations on all devices
- Disable unnecessary services and remove default accounts
Upgrades
- Migrate to zero-trust architecture models
- Implement micro-segmentation for granular control
- Use automated tools for baseline hardening
- Deploy configuration drift detection
Protocols
- Establish configuration management policies requiring approval
- Conduct regular vulnerability scans on infrastructure
- Review architecture before deploying new systems
- Document all architectural decisions and rationale
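Configuration drift detection in practice, as an added example that is not part of the original page or of InfiniTech's platform: parse a hardened sshd_config baseline and a live copy read back from a server, then report every directive that changed, disappeared or appeared. The baseline values and the live config are constructed samples, and the parser assumes the "Keyword value" form.

```python
"""Configuration drift check: compare a live sshd_config against a hardened baseline.

Added example for this page; not InfiniTech's or NCSC's code. The baseline and
live configs below are constructed samples, not captured from a real host.
"""
from typing import Dict, List, Tuple

# Constructed hardened baseline (hypothetical; values chosen for illustration).
BASELINE = """
# Hardened baseline
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

# Constructed 'live' config, as if read back from a server after someone
# re-enabled root login and TCP forwarding during troubleshooting.
LIVE = """
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowTcpForwarding yes
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict.

    sshd keywords are case-insensitive, so keys are lower-cased. Blank lines and
    '#' comments are skipped. Assumes the 'Keyword value' form (not 'Keyword=value').
    """
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword with no value; nothing to compare
        config[parts[0].lower()] = parts[1].strip()
    return config


def find_drift(baseline: Dict[str, str], live: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (kind, keyword, expected, actual) for every difference.

    kind is one of:
      'changed'    keyword present in both with a different value
      'missing'    keyword in baseline but absent live (sshd falls back to its
                   compiled-in default, which may not match the baseline, so flag it)
      'unexpected' keyword set live that the baseline does not mention
    """
    drift: List[Tuple[str, str, str, str]] = []
    for key, expected in baseline.items():
        if key not in live:
            drift.append(("missing", key, expected, ""))
        elif live[key] != expected:
            drift.append(("changed", key, expected, live[key]))
    for key, actual in live.items():
        if key not in baseline:
            drift.append(("unexpected", key, "", actual))
    return sorted(drift)


def drift_report(baseline_text: str, live_text: str) -> List[str]:
    """Human-readable lines, one per drifted keyword; an empty list means no drift."""
    lines = []
    for kind, key, expected, actual in find_drift(parse_config(baseline_text), parse_config(live_text)):
        lines.append(f"{kind:<10} {key}: expected={expected!r} actual={actual!r}")
    return lines


if __name__ == "__main__":
    for line in drift_report(BASELINE, LIVE):
        print(line)
```

Run it on a schedule against each host's real file and treat any non-empty report as a change-control violation; the same comparison works for any "Keyword value" style configuration.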
Step 5: Vulnerability Management (Priority: Critical)
Keep your systems protected throughout their lifecycle. Vulnerabilities are discovered constantly - your patching process determines your risk exposure.
Implementations
- Set up vulnerability scanning with regular schedule
- Conduct annual penetration testing
- Subscribe to threat intelligence feeds for early warnings
- Prioritize patches by CVSS severity, raised for anything with evidence of active exploitation (for example, entries in CISA's Known Exploited Vulnerabilities catalogue) or that is exposed to the internet
Upgrades
- Implement automated patching via endpoint management
- Integrate vulnerability data with SIEM for alerts
- Deploy virtual patching for legacy systems
- Use predictive analytics to identify likely targets
Protocols
- Define remediation timelines (for example, critical within 48 hours; Cyber Essentials allows up to 14 days for critical and high-severity fixes, so 48 hours is a deliberately stricter internal target)
- Maintain vulnerability database with tracking
- Conduct post-patch testing for system stability
- Include third-party software in patch process
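An added example (not InfiniTech's or NCSC's code) of the prioritization and remediation-timeline protocols above: findings are ranked by CVSS band, bumped to critical when exploitation in the wild is known, and checked against per-severity deadlines so the most overdue items surface first. The SLA_DAYS values, host names, scores and the `exploited` flag are assumptions for illustration; the CVSS bands are the published v3 qualitative ranges.

```python
"""Vulnerability triage against remediation SLAs.

Added example, not InfiniTech's or NCSC's code. Ranks findings by an
"effective severity" (CVSS band, bumped to critical when exploitation in the
wild is known) and reports which are past their fix deadline.
"""
from datetime import date, timedelta
from typing import Dict, List

# Remediation targets in days, assumed for this example. The 2-day critical
# target matches the page's "critical within 48 hours"; Cyber Essentials
# allows 14 days for critical and high.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative band (FIRST's published ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"


def effective_severity(finding: Dict) -> str:
    """CVSS band, raised to critical if the vulnerability is known to be exploited
    (e.g. it appears in CISA's Known Exploited Vulnerabilities catalogue).
    A 7.5 with a public exploit in use is more urgent than a 9.8 nobody is attacking."""
    sev = severity_from_cvss(finding["cvss"])
    if finding.get("exploited") and sev != "none":
        return "critical"
    return sev


def triage(findings: List[Dict], today: date) -> List[Dict]:
    """Return findings with severity, deadline and overdue days, most urgent first.
    Informational (CVSS 0.0) findings carry no SLA and are dropped."""
    rows = []
    for f in findings:
        sev = effective_severity(f)
        if sev == "none":
            continue
        deadline = f["found"] + timedelta(days=SLA_DAYS[sev])
        rows.append({
            "id": f["id"], "host": f["host"], "severity": sev,
            "deadline": deadline,
            "overdue_days": max(0, (today - deadline).days),
        })
    # Most overdue first; ties broken by severity.
    rows.sort(key=lambda r: (-r["overdue_days"], SEVERITY_RANK[r["severity"]]))
    return rows


# Constructed sample scan output (hypothetical hosts, scores and dates).
FINDINGS = [
    {"id": "VULN-1", "host": "web01",   "cvss": 9.8, "exploited": False, "found": date(2024, 6, 9)},
    {"id": "VULN-2", "host": "file01",  "cvss": 7.5, "exploited": True,  "found": date(2024, 6, 1)},
    {"id": "VULN-3", "host": "vpn01",   "cvss": 5.3, "exploited": False, "found": date(2024, 4, 1)},
    {"id": "VULN-4", "host": "print01", "cvss": 3.1, "exploited": False, "found": date(2024, 6, 1)},
    {"id": "INFO-1", "host": "web01",   "cvss": 0.0, "exploited": False, "found": date(2024, 6, 1)},
]
TODAY = date(2024, 6, 10)  # fixed "today" so the sample output is reproducible

if __name__ == "__main__":
    for r in triage(FINDINGS, TODAY):
        flag = f"OVERDUE by {r['overdue_days']}d" if r["overdue_days"] else "within SLA"
        print(f"{r['id']:<7} {r['host']:<8} {r['severity']:<8} due {r['deadline']}  {flag}")
```

Note what the ranking does with VULN-2: a 7.5 that is being exploited is treated as critical and shows as a week overdue, while the untouched 9.8 on web01 is still inside its 48-hour window.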
Why Patch Management Matters
WannaCry (May 2017) spread using EternalBlue, an exploit for an SMBv1 vulnerability that Microsoft had patched in MS17-010 two months earlier, in March 2017. Organizations that had delayed patching, or were still running unsupported Windows versions, were compromised. Global losses were estimated in the billions of pounds, and the Department of Health and Social Care later put the cost to the NHS at around £92 million, with thousands of appointments cancelled.
Step 6: Identity and Access Management (Priority: Critical)
Control who and what can access your systems and data. Stolen or weak credentials are consistently among the most common initial access vectors in breach reports.
Implementations
- Enforce multi-factor authentication for all accounts
- Create role-based access controls limiting permissions
- Implement privileged access management for admin accounts
- Deploy password manager for strong unique passwords
Upgrades
- Upgrade to single sign-on with biometric options
- Implement adaptive authentication based on risk factors
- Deploy identity governance for automated access reviews
- Use passwordless authentication where possible
Protocols
- Review access permissions every 6 months
- Revoke unnecessary privileges immediately
- Log and audit all access attempts with alerts
- Balance security with usability to prevent workarounds
MFA Implementation
Microsoft reports that MFA blocks 99.9% of automated account-compromise attacks, yet its own figures show only around 22% of customer identities use strong authentication. One caveat: SMS codes and app-generated one-time codes can still be captured by real-time phishing proxies, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) for administrators and other high-value accounts. InfiniTech enables and enforces MFA across all your systems as part of standard setup.
Step 7: Data Security (Priority: Critical)
Protect data where it is vulnerable: in storage, in transmission, and during processing. GDPR makes this a legal requirement as well as security necessity.
Implementations
- Classify data by sensitivity level
- Apply encryption for data at rest and in transit
- Implement data loss prevention (DLP) tools
- Configure immutable backup storage (ransomware-resistant: copies cannot be altered or deleted before their retention period expires, even by an administrator account)
Upgrades
- Deploy enterprise backup with air-gapped copies
- Integrate encryption key management systems
- Implement automated data discovery and classification
- Use data masking for development environments
Protocols
- Conduct annual data inventories mapping locations
- Establish handling procedures aligned with CIA triad
- Test recovery processes quarterly
- Document data retention and disposal policies
The 3-2-1 Backup Rule
Keep 3 copies of data, on 2 different media types, with 1 copy offsite. This protects against hardware failure, ransomware, and physical disasters. Modern interpretation adds: 1 copy should be immutable (cannot be deleted or encrypted).
Step 8: Logging and Monitoring (Priority: Important)
Design systems to detect and investigate incidents. You need visibility to spot attacks in progress and investigate breaches afterward.
Implementations
- Configure centralized logging for systems and networks
- Set up monitoring dashboards establishing baselines
- Enable security logging on all critical systems
- Capture authentication events and access attempts
Upgrades
- Adopt SIEM platform for real-time correlation
- Implement UEBA for anomaly detection
- Deploy automated threat hunting tools
- Use AI/ML for pattern recognition
Protocols
- Define log retention policies (12 months minimum)
- Review logs routinely for suspicious activity
- Integrate monitoring with incident response
- Customize alerts to reduce false positives
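Detection logic over authentication events, as an added example that is not InfiniTech's monitoring and not part of the original page: a sliding-window brute-force check and a "success after failures" check run over constructed OpenSSH auth.log lines. Host names, addresses (RFC 5737 documentation ranges) and the threshold and window values are assumptions.

```python
"""Brute-force and 'success after failures' detection over sshd auth log lines.

Added example, not InfiniTech's or NCSC's code. The log lines are constructed
(RFC 5737 documentation addresses) in the format OpenSSH writes to auth.log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample: one noisy attacker, one user mistyping a password hours
# apart, one clean key-based login.
SAMPLE_LOG = """\
Jun 10 08:00:00 vpn01 sshd[1100]: Failed password for carol from 198.51.100.20 port 40100 ssh2
Jun 10 09:00:01 vpn01 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 10 09:00:12 vpn01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun 10 09:00:25 vpn01 sshd[1202]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 10 09:00:40 vpn01 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Jun 10 09:00:58 vpn01 sshd[1204]: Failed password for bob from 203.0.113.7 port 51008 ssh2
Jun 10 09:01:15 vpn01 sshd[1205]: Failed password for bob from 203.0.113.7 port 51010 ssh2
Jun 10 09:02:00 vpn01 sshd[1206]: Accepted password for bob from 203.0.113.7 port 51012 ssh2
Jun 10 09:30:00 vpn01 sshd[1300]: Accepted publickey for alice from 192.0.2.5 port 42000 ssh2
Jun 10 11:00:00 vpn01 sshd[1400]: Failed password for carol from 198.51.100.20 port 40200 ssh2
"""


def parse_line(line: str, year: int = 2024) -> Optional[Dict]:
    """Turn one auth.log line into an event dict, or None for lines we ignore.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, pattern in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        a = pattern.match(m["msg"])
        if a:
            return {"ts": ts, "host": m["host"], "kind": kind, "user": a["user"], "ip": a["ip"]}
    return None


def detect(lines: List[str], threshold: int = 5, window_seconds: int = 300) -> List[Dict]:
    """Sliding-window detection per source IP.

    - brute_force: >= threshold failures within window_seconds (alerted once per IP)
    - success_after_failures: a successful login from an IP that still has
      failures inside the window; this is the one worth paging on even when
      the count is below threshold
    threshold and window_seconds are the false-positive knobs: the two 'carol'
    failures three hours apart never trip anything.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: set = set()
    alerts: List[Dict] = []
    for e in events:
        q = failures[e["ip"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if e["kind"] == "failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in alerted:
                alerted.add(e["ip"])
                alerts.append({"type": "brute_force", "ip": e["ip"], "count": len(q),
                               "first": q[0], "last": e["ts"]})
        elif q:  # accepted login while failures are still in the window
            alerts.append({"type": "success_after_failures", "ip": e["ip"],
                           "user": e["user"], "failures": len(q), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The same structure (parse, order by time, keep per-key state in a bounded window, alert once) is what a SIEM correlation rule does; writing it out makes the tuning decisions explicit.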
InfiniTech Monitoring
Our endpoint management platform monitors 200+ security indicators across your devices, applications, and network. We alert on suspicious behavior before it becomes a breach - and provide forensics if something does go wrong.
Step 9: Incident Management (Priority: Critical)
Plan your response to cyber incidents in advance. When an attack happens, a documented and rehearsed plan substantially reduces both the damage done and the time to recover.
Implementations
- Create incident response plan outlining roles and procedures
- Form cross-functional team (IT, legal, HR, leadership)
- Document communication channels and escalation paths
- Establish relationships with external forensics providers
Upgrades
- Incorporate tabletop exercises testing the plan
- Integrate with external crisis communication services
- Deploy automated playbooks for common scenarios
- Use simulation tools for realistic training
Protocols
- Conduct quarterly drills to refine procedures
- Document lessons learned from incidents and tests
- Coordinate with logging systems for evidence collection
- Define recovery objectives and escalation triggers
Incident Response Timeline
Global breach studies put the average time to identify a breach at around 206 days and the average time to contain it, once found, at a further 73 days (the figures in IBM's 2019 Cost of a Data Breach report). Organizations with tested incident response plans detect and contain breaches markedly faster. The plan makes the difference.
Step 10: Supply Chain Security (Priority: Important)
Collaborate with your suppliers and partners. A large share of breaches originate through third-party access or through compromised software and service providers. Your security is only as strong as your weakest vendor.
Implementations
- Assess third-party vendors for cyber risks during onboarding
- Require security questionnaires from all suppliers
- Include security clauses in contracts mandating standards
- Conduct vendor security audits for critical suppliers
Upgrades
- Use supply chain risk management tools
- Monitor vendor security postures continuously
- Require certifications like SOC 2 or ISO 27001
- Implement vendor security scoring systems
Protocols
- Establish ongoing collaboration protocols
- Conduct joint incident response planning
- Review supply chain risks annually
- Provide security assistance to smaller suppliers
Cornwall Supply Chain Advantage
As a local IT provider, InfiniTech understands Cornwall's business ecosystem. We work with local suppliers implementing security standards, creating a more secure regional supply chain that benefits everyone.
Your 90-Day NCSC Implementation Roadmap
Don't try implementing all 10 steps simultaneously. Follow this prioritized roadmap focusing on highest-impact controls first:
Month 1: Foundation (Steps 1, 2, 3)
- Weeks 1-2: Conduct initial risk assessment and create asset inventory
- Week 3: Launch security awareness training program
- Week 4: Document risk register and establish governance framework
Month 2: Protection (Steps 5, 6, 7)
- Weeks 5-6: Implement patch management process and enable MFA
- Week 7: Deploy proper backup solution with offline storage
- Week 8: Configure access controls and review permissions
Month 3: Detection & Response (Steps 4, 8, 9, 10)
- Week 9: Review architecture and apply secure configurations
- Week 10: Set up centralized logging and monitoring
- Week 11: Create incident response plan and conduct first drill
- Week 12: Assess vendor risks and update contracts
Ongoing Maintenance
After initial implementation, allocate 4-8 hours monthly for maintenance: reviewing logs, testing backups, conducting training, updating risk assessments, and refining procedures. Security is continuous, not a project with an end date.
The Reality of Implementation
The NCSC 10 Steps framework is comprehensive but not complicated. For a 10-20 person Cornwall business, implementing all 10 steps properly requires approximately:
- Initial effort: 60-80 hours of focused work over 90 days
- Initial cost: £3,000-6,000 for tools and services
- Ongoing cost: £200-400/month for maintenance and monitoring
- Ongoing effort: 4-8 hours/month for reviews and updates
Compare this to estimates of what a breach costs a UK SME: figures of around £4,200 per minute of downtime are cited, plus ransom demands in the £180,000-250,000 range, plus regulatory fines, plus reputational damage.
The NCSC 10 Steps isn't a luxury for enterprises. It's practical protection that pays for itself the first time it prevents an attack.
Implement NCSC 10 Steps Properly
InfiniTech's endpoint management platform automates steps 3, 5, 6, 7, and 8 for £10/device/month. We'll assess your current state against all 10 steps, create your implementation roadmap, and provide ongoing support.