What are the five controls of Cyber Essentials?

Smartphone connecting to a VPN

Cyber Essentials is a simple, low cost, but effective, Government-backed scheme that will help you to protect your organisation, whatever the size, against a whole range of the most common internet-based cyber attacks. Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice, and the advice given as part of the Cyber Essentials scheme, is designed to prevent these attacks.

The checks performed in Cyber Essentials take the form of five technical controls which are easy to implement and designed to guard against these threats. These controls are:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

Boundary Firewalls and Internet Gateways

Boundary firewalls and internet gateways are your first line of defence; they protect the devices on your network, such as your computer, phone, printer and anything else connected. By examining the incoming traffic, firewalls decide whether or not to give external bodies access to your network. Most ISPs provide a router with a firewall built in, which is suitable for homes and smaller organisations. You’ll need to make some configuration changes to your router, such as configuring the firewall to meet your needs and changing any default passwords.

Secure Configuration

When you buy a new computer, smartphone or other such device, the settings of that device will vary from manufacturer to manufacturer. Computer manufacturers often have agreements with software vendors to preload devices with software. In the past this preloaded software has come with its own security flaws. That’s why it’s always important to securely configure your devices.

Secure configuration can be achieved by:

  • Removing unused software
  • Removing and disabling unnecessary user accounts
  • Removing any default passwords and setting strong, unique passwords which are not easily guessable
  • Disabling auto-run or auto-play features that allow execution of files on removable devices without user interaction

Access Control

Access control is the practice of ensuring users can access only the data they need to be able to do their jobs. For larger organisations, this can be achieved through role-based access control (RBAC) software, but for smaller organisations this is perfectly achievable on a user-by-user basis.

For each user accessing an organisation’s IT data, the organisation is responsible for determining what data that user should be able to access and ensuring that the user cannot access anything else. In the case of privileged users (such as IT administrators) this is particularly important. This usually means IT admins are given two accounts: a user account, used for reading emails and accessing the internet; and an administrator account, used for admin tasks only.

Further access controls may include:

  • Enabling two-factor authentication (2FA) where possible
  • Tracking and auditing user privileges
  • Disabling and deleting accounts which are no longer used
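
The access checks described above can be run as a simple audit over an account export. This is an added example, not part of the Cyber Essentials scheme material; the field names, the sample accounts and the 90-day "unused" threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample account export; field names are assumptions for this example.
ACCOUNTS = [
    {"name": "alice", "owner": "alice", "admin": False, "mfa": True,
     "last_login": date(2024, 5, 28), "uses_email": True},
    {"name": "alice-admin", "owner": "alice", "admin": True, "mfa": True,
     "last_login": date(2024, 5, 20), "uses_email": False},
    {"name": "bob", "owner": "bob", "admin": True, "mfa": False,
     "last_login": date(2024, 5, 30), "uses_email": True},
    {"name": "carol", "owner": "carol", "admin": False, "mfa": True,
     "last_login": date(2023, 11, 2), "uses_email": True},
]

STALE_AFTER_DAYS = 90  # assumed threshold; the page only says "no longer used"


def audit_accounts(accounts, today, stale_after_days=STALE_AFTER_DAYS):
    """Return sorted (account, finding) pairs for the access controls above."""
    findings = []
    # People who hold at least one non-administrator account.
    owners_with_standard = {a["owner"] for a in accounts if not a["admin"]}
    for a in accounts:
        # Administrator accounts should be used for admin tasks only.
        if a["admin"] and a["uses_email"]:
            findings.append((a["name"], "admin account used for email/browsing"))
        # Privileged users should also hold a separate everyday user account.
        if a["admin"] and a["owner"] not in owners_with_standard:
            findings.append((a["name"], "administrator has no separate user account"))
        if not a["mfa"]:
            findings.append((a["name"], "2FA not enabled"))
        if (today - a["last_login"]).days > stale_after_days:
            findings.append((a["name"], "unused account: disable or delete"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{name}: {finding}")
```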

Malware Protection

Malware is any kind of malicious software, including viruses, adware, ransomware and more. Organisations hoping to achieve Cyber Essentials certification should be protecting themselves against a variety of malware.

There are a number of things your organisation can do to protect itself against malware:

  • Install anti-malware software – in the case of Windows, Windows Defender, which usually comes pre-enabled, is a perfectly acceptable solution. You must ensure that automatic updates are enabled. There are many alternatives to Defender which support Windows and other operating systems.
  • Limit installation of applications to an approved set – in the case of tablets and smartphones, Google Play Store or the App Store both serve as an application whitelist, although you could go further and implement controls to select only the specific applications you want users to install. For desktops and laptops, you can restrict non-administrators from installing applications, or you can even deploy an application catalogue to allow users to install approved applications themselves.
  • Application sandboxing – application sandboxing restricts applications from accessing or controlling other applications or data on your device. Many smartphones come with some form of application sandboxing built in.

Security Update Management

Security Update Management is all about keeping your software and operating systems up to date. Most devices include automatic updating, especially smartphones and tablets; organisations should ensure that automatic updating is enabled where possible. In the case of desktops and laptops, you can usually switch automatic updating on. Larger organisations may implement more formal patch management solutions.

Organisations should ensure that updates are performed within 14 days of release.
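
The 14-day requirement can be checked against an update inventory. This is an added example, not part of the scheme material; the inventory fields, device names and update names are constructed, and treating day 14 itself as compliant is an assumption.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # from the text: within 14 days of release

# Constructed sample inventory; installed=None means the update is still pending.
UPDATES = [
    {"device": "laptop-01", "update": "os-security-a",
     "released": date(2024, 5, 1), "installed": date(2024, 5, 6)},
    {"device": "laptop-02", "update": "os-security-a",
     "released": date(2024, 5, 1), "installed": date(2024, 5, 20)},
    {"device": "phone-07", "update": "browser-b",
     "released": date(2024, 5, 10), "installed": None},
    {"device": "tablet-03", "update": "browser-c",
     "released": date(2024, 5, 25), "installed": None},
]


def classify(record, today):
    """Classify one update against the 14-day window."""
    deadline = record["released"] + PATCH_WINDOW
    installed = record["installed"]
    if installed is not None:
        # Assumption: installing on the deadline day itself counts as in time.
        return "compliant" if installed <= deadline else "installed late"
    # Still pending: overdue only once the deadline has passed.
    if today > deadline:
        return "overdue"
    return "pending, due " + deadline.isoformat()


def patch_report(updates, today):
    """Map (device, update) to its status as of `today`."""
    return {(r["device"], r["update"]): classify(r, today) for r in updates}


if __name__ == "__main__":
    for key, status in patch_report(UPDATES, today=date(2024, 6, 1)).items():
        print(key[0], key[1], status)
```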

Where do I begin?

You can find out all about the process of getting Cyber Essentials certified here. We offer a variety of packages with varying levels of support for both Cyber Essentials and Cyber Essentials Plus. You can read more about the Cyber Essentials scheme in our blog. Feel free to contact us if you have any questions.