Information Security, Policies and Procedures

IT Security in UK Business

IT Security Controls

IT security is increasingly important in the workplace: virtually every organisation now relies on internet-connected devices to some degree.

Who is the UK Authority on Cyber Incidents?

The National Cyber Security Centre (NCSC) is the UK's technical authority on cyber incidents. It is part of GCHQ (the Government Communications Headquarters) and provides advice and support on avoiding cyber-crime to both the public and private sectors. The NCSC therefore publishes the guidance that businesses use to put IT security controls in place. These controls are a collection of safeguarding procedures, frameworks and countermeasures that a business can adopt to minimise the security risks that arise specifically from its computer and IT systems. Together, these procedures and controls protect the confidentiality of information (keeping it from parties who have no need of it), its integrity (keeping it accurate and unaltered) and its availability (keeping it accessible to those who legitimately need it).

What Types of IT Security Controls Are There?

The three types of security controls are:

  • Preventative: Measures put in place beforehand to stop an event from happening.
  • Detective: Measures that identify and flag an incident while it is occurring (or shortly afterwards), so that it can be dealt with.
  • Corrective: Measures that limit the damage caused by an event and repair it where possible.

Whose Responsibility Is It to Manage IT Security?

Management remains responsible, and must be held accountable, for any security failings in the organisation's systems. Day-to-day tasks can be delegated to IT staff or a supplier, but accountability cannot.

How Many UK Businesses Are Affected by Cyber Crime?

According to Gov.UK figures for 2020, almost half of all businesses (46%) identified some form of cyber security breach or attack in the previous twelve months. Among those businesses, a growing proportion report experiencing such incidents at least once a week.

What Controls can We Put Into Place?

Many IT security controls can be implemented to avoid becoming a victim of cyber-crime in the workplace, some far simpler than others. Most of them fall into the preventative category of technical (logical) controls. The NCSC has stated that ransomware is the biggest threat to business in the UK. Ransomware is malicious software designed to block access to a computer system, typically by encrypting its data, until a sum of money is paid by the affected business.

A business should place a firewall between its network and its internet connection. Firewalls come in two forms:

  • Boundary firewalls, which protect the entire network or system at the point where it meets the internet
  • Personal (host-based) firewalls, which protect individual devices such as laptops, tablets and smartphones, including when they are used away from the office

Operating systems and routers usually come with their own firewall (boundary and/or personal) pre-installed. These should be turned on, configured to block unsolicited inbound connections by default, and kept updated: they are the first line of defence among IT security controls for the workplace.

Password Controls and Two Factor Authentication

A specific control that can be implemented when handling IT security in the workplace is to follow the NCSC's guidance on password strategies and password policies, which protect important files and data. In 2019 the NCSC reported that 23.2 million hacking victims had used "123456" as their password. Two-factor authentication should be used for areas that need extra protection, such as banking and IT administration, and any software functions that are not regularly needed should be switched off to reduce the attack surface.
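The two login-time checks this section describes, screening a new password against a deny-list of common passwords and verifying a second factor, as an added example (not code from the original page or from the NCSC). It uses the RFC 4226/6238 HOTP/TOTP construction that authenticator apps implement; the deny-list, the minimum length of 8, the RFC test key and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed deny-list standing in for a real breached/common-password list
# (assumption: in practice you would load a much larger list from a file).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein", "liverpool"}
MIN_LENGTH = 8  # assumption: NCSC guidance favours length over forced complexity rules

# RFC 4226 test key "12345678901234567890", base32-encoded as an authenticator app would store it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SECRET = base64.b32decode(DEMO_SECRET_B32)


def normalise(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation so 'Password1!' still matches 'password'."""
    return pw.lower().rstrip("0123456789!@#$%^&*.")


def check_password(password: str, username: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    Enforces a minimum length, screens against the deny-list and the user's own
    name, and deliberately imposes no complexity rules or periodic expiry.
    """
    if len(password) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        return "appears in the common-password deny-list"
    if username and username.lower() in password.lower():
        return "contains the username"
    return None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock skew), comparing in
    constant time so the check does not leak information through timing."""
    now = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, 'alice') or 'accepted'}")
    print("current TOTP:", totp(DEMO_SECRET))
```

The HOTP values for the RFC test key at counters 0 and 1 are 755224 and 287082, so a code generated at Unix time 59 (step 1) is accepted, and so is the code for step 0 because of the one-step skew window; a real deployment should also reject a code that has already been used.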

Promoting Least Privilege Controls

Businesses can also apply IT security controls effectively by limiting who has access to data and services within the workplace. This is called 'least privilege':

  • ‘Least privilege’ recommends that users, systems, and processes only have access to resources (networks, systems, and files) that are necessary to perform their assigned function.

This limits the exposure of sensitive information and makes it easier to establish who did what should something happen. It also reduces the damage an attacker can do if an account is misused or stolen. Staff accounts should be limited to the software, settings and other services they actually need, and administrative rights should be kept to a small, approved set of people.
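A practical way to check that least privilege is actually in place on a Linux server is to audit its account database for over-privileged users, as in this added example (not code from the original page). It parses passwd- and group-format data and flags three common failings: extra UID 0 accounts, service accounts left with an interactive shell, and members of root-equivalent groups who are not on the approved administrator list. The sample account data, the set of privileged groups, the UID-1000 boundary and the approved-admin list are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Assumption: groups that grant root-equivalent power on a Debian/Ubuntu-style host.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "docker"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: human users start at UID 1000

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:leftover admin account:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
postgres:x:110:115:PostgreSQL:/var/lib/postgresql:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
contractor:x:1002:1002:Temporary contractor:/home/contractor:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
docker:x:999:contractor
staff:x:50:alice,bob,contractor
"""
APPROVED_ADMINS = {"alice"}  # assumption: the one person signed off for admin rights


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """Map user name -> (uid, login shell) from passwd-format lines."""
    users: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), shell)
    return users


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from group-format lines."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit(passwd_text: str, group_text: str, approved_admins: Set[str]) -> List[str]:
    """Return one finding per violation of least privilege found in the data."""
    findings: List[str] = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    for name, (uid, shell) in sorted(users.items()):
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 (root-equivalent) account that is not root")
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: service account with interactive shell {shell}")
    for group in sorted(PRIVILEGED_GROUPS & set(groups)):
        for member in sorted(groups[group] - approved_admins):
            findings.append(f"{member}: member of privileged group '{group}' without approval")
    return findings


def run_demo() -> List[str]:
    """Audit the constructed sample data."""
    return audit(SAMPLE_PASSWD, SAMPLE_GROUP, APPROVED_ADMINS)


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

On the sample data this reports four findings: the leftover "toor" account, "www-data" with a login shell, "bob" in sudo and "contractor" in docker without approval. Run against real files (`open("/etc/passwd").read()` and `open("/etc/group").read()`) it becomes a quick detective control that supports the joiners, movers and leavers process.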

What Other Ways Can We Implement IT Security Controls?

Other IT security controls include malware defences such as anti-malware software (for example Windows Defender) and sandboxing. It is also extremely important to keep devices up to date by applying manufacturers' software updates and patches promptly; the simplest way is to set devices to update automatically. Patching closes known vulnerabilities before attackers can exploit them, which is where most of its protective value lies. Organisations should also have robust policies and procedures covering lost devices; acceptable use of devices, the internet and email; joiners, movers and leavers; and remote working. If you are looking for assistance in writing your IT security policies and procedures, please contact us using the form below.

Office: 01244 342 618

Mobile Numbers

Joanne: 07764 258 001
Shaun: 07908 688 170