Cyber Essentials Checklist - Risk Management

By bluQube Sean

Due to the explosion of cyber attacks in the modern world, the NCSC has updated its guidance on how to protect UK businesses from cyber attacks.



The guidance is broken out into 10 steps, and Risk Management is No. 1: the first and most important step in making your business secure from cyber criminals.

The UK government is doing everything it can to enable businesses to secure their data from very real threats in cyberspace. There’s a tonne of useful content worth reading on the NCSC website and we highly recommend diving into it… once you have read this article, obviously.


NCSC 10 Steps Infographic



At the top of the usefulness chart for getting an entry-level understanding of risk management is the (remarkably engaging) NCSC article “Risk Management Guidance”. Read on for details on this ever-important first cyber security step…


Focus on your business decisions


The National Cyber Security Centre focuses on the decisions a company makes as part of day-to-day operations and in striving for growth. With the recent economic turmoil, the decisions business leaders need to make are coming thick and fast, with no sign of slowing down through the rest of 2022 and into 2023.

Logistics, finance, operations, inter-team communication, external comms; realistically the list is as long as the company is big…

The NCSC wants UK businesses to be able to show evidence of how risk thinking has “informed” and “improved” security as those decisions are made, and how existing and potential risks are managed as the company grows.


The fundamentals of cyber risk


The NCSC reference the “Fundamentals of Risk”. They are clear in saying risk can’t ever be completely abolished. The NCSC know a business runs on risk. If opportunity is hanging around in the market, risk is guaranteed to be sat at the same table, usually leaning over Opportunity’s shoulder and eating all the pigs-in-blankets.


"The purpose of risk management is not to chase the unattainable goal of perfectly secure systems and a risk-free business; it is to make sure that you have thought about what can go wrong, and that this thinking has influenced your organisation's decisions."




What do they look for in a Cyber Essentials audit?


What is important in the eyes of a Cyber Essentials assessment is to show awareness of the risk your business carries in its operations: risk to the business, risk to your customers, risk to your employees, and risk to other businesses and the general public. One caveat worth knowing before you start: the Cyber Essentials questionnaire itself is built around five technical controls (firewalls, secure configuration, user access control, malware protection and security update management). The risk thinking described here is what the 10 Steps guidance asks for, and it is what lets you answer the questionnaire’s scoping and access-control questions with confidence rather than guesswork.

But making your business digitally secure isn’t about shutting everything down, disconnecting anything that holds sensitive data, and setting the old filing cabinets on fire. That’s just silly.

It’s not about enforcing procedures like a drill sergeant on all your staff either. That’s just cruel.

It’s about consideration. Weighing up internal business risk, making informed decisions and being able to give evidence to prove it.

For example: just by documenting existing procedures and mapping out your systems, you can put yourself in a clear-cut position to evidence due diligence.

It’s far from everything you need but usually the best place to start is to get an overview of your systems and processes.

If a cyber-attack were to occur, you’ve looked at your digital assets. You’ve considered what might happen. You know the what and the where of your sensitive data. You’re aware of the cracks and know how the business manages them (and why they’re often necessary!) and therefore you know what types of cyber-attack you’re vulnerable to.

You’re in a position to know what could go wrong and can plan the next step to minimise damages. That’s due diligence. That’s risk management.


“We're not saying that you should just shrug your shoulders and ignore cyber risks, rather you need to focus on those risks which you can practically do something about.”



How to stop cyber criminals from hacking your business


No one wants cyber criminals to succeed! But for some, “cyber criminals” is an ethereal concept. You can’t see them. They don’t exist in a physical space. If you’ve never been attacked, how can you realistically comprehend who or what they might be?

A great video to watch is the NCSC’s “Who might attack your organisation”. It gives you an idea of the kinds of groups that might take a shot at breaking through your security.





Map your systems using the NCSC example


The point is, we’re all part of the UK’s internet security puzzle. So we should take a more “open-source” approach: if we get attacked, share how we beat the attackers with other businesses.

Sharing at this level doesn’t hand attackers a way into your system. The idea that keeping your architecture secret is itself a defence is “old world thinking”; what protects you is a design that stays sound even when it is described in public. The things to keep private are the specifics an attacker could act on directly (credentials, internal addresses, unpatched software versions), not the shape of the design. A published, well-reasoned design shows attackers that your system is secure and that they should move on. The NCSC even gives a full description of its own IT architecture online for organisations to use as a starting point.


NCSC System Architecture


How do you manage your business’ cyber security risk?

Step one. Don’t go in all guns blazing and demand everything with an internet connection should be immediately locked down.

Take a step back and get a broader view of what is connected to your business and what is not, and ask yourself: “Does the library printer really need full access to everything that has ever been printed in the building?” If the answer is no, best to correct that little blip immediately.

Plus, document how you correct any “blips”. That’s what the NCSC and Cyber Essentials want to see in an audit: what was considered when the decision was made. In this case the access was granted to let the CEO do some last-minute printing. Necessary at the time, but no longer needed, so it gets removed and the removal gets written down.


How do I get my business cyber essentials certified?

There is a wealth of resource available to businesses who are looking to get Cyber Essentials Certified. We’ve just done it. We know. We’ve pored over the documents ourselves.

Thankfully we think we are pretty hot on the security side of things. Our cloud servers are located in the most secure data centre in the UK. So getting certified wasn’t too much hassle.

Want to find out more? Ask the team; we are more than happy to point you in the right direction. Just click on the button below to talk to us directly.






