From protection against some of the most common and pernicious cyber threats to proving your cyber security savvy to stakeholders and customers alike, Cyber Essentials certification provides a range of business benefits. Once certified, you’ll gain the right to display the coveted Cyber Essentials checkmark, a widely recognised symbol of commitment to cyber security best practice.
If the scheme has piqued you’re interest, by this point you may be thinking: what exactly is required of my business in order to achieve certification?
Previously, we briefly referenced the 5 Key Controls of Cyber Essentials. These are the technical measures all organisations seeking accreditation are required to implement, and they apply to both base-level Cyber Essentials and Cyber Essentials Plus. These include:
- Secure Configurations
- Access Controls
- Malware Protection
- Patch Management
Let’s now examine what each of these controls means for your business’s IT, and the preparations you should make in advance of the assessment phase of accreditation.
Cyber Essentials stipulates that all internet-ready devices must feature firewall protections. Firewalls are security devices that apply pre-defined ‘rules’ to govern both inbound and outbound network traffic. From a security perspective, firewalls exist to limit or prohibit access to high-risk corners of the web which aren’t required for work purposes. By limiting access solely to essential sites and services, a firewall prevents users straying into unknown terrain where criminals are more likely to be carrying out their nefarious web activities, thus reducing the chance of malware transmission.
The scheme requires the application of firewall protections on ALL devices which employees use for work purposes. Firewalls can come in the form of physical devices or as software. A ‘boundary’ firewall is a device positioned between your trusted network and the untrusted network (the internet). In a complex network consisting of many internet-connected devices, a boundary firewall can be the most effective and easily governable way to introduce protection, and can sometimes be configured through your router.
Software firewalls are recommended for any device likely to leave the protection of your boundary firewall. Laptops often feature firewall protections built into their operating systems, and applications are available to extend such protections to mobile phones and tablets.
This control requires the application of the most secure settings across all hardware and software systems in your environment. Requiring fastidious attention to detail, make a list of all the devices and software systems your team interact with, and methodically visit each to ensure consistent application of the most secure settings.
Issues stem from the fact that new software systems and devices tend not to be configured for maximum security by default, with manufacturers and developers tending to favour maximum accessibility so as not to frustrate new users. The downside is that security features such as authentication are not necessarily activated from the outset, and when they are basic default passwords tend to be used.
New devices also often come bloated with unnecessary and unwanted applications. These not only eat away at limited internal storage, but can also present numerous vulnerabilities for cyber criminals to exploit, especially if they aren’t regularly updated.
To achieve certification, minimise the attack surface available to hackers by removing any programmes on your devices which you don’t want or need. Also, consider disconnecting unused peripherals (printers, scanners, mice etc) by uninstalling the corresponding device drivers, as these can also present entry portals for malware. ‘Autorun’ should be disabled in order to prevent removable media inadvertently introducing malware to your network, and user accounts that are no longer required should be swiftly removed.
Establish a ‘password policy’ designed to guide and inform users on password best practice. Encourage the use of passwords that are easy to remember but hard to guess, and urge users to change passwords periodically to further reduce account takeover risks.
This control involves governing access to the services, devices and privileges your end users can access, and implementing rigorous authentication procedures to verify the identities of those accessing your environment.
Firstly, review accounts featuring ‘admin’ privileges, and restrict such permissions to as few accounts as possible. Admin accounts are highly prized by hackers, as they offer maximum lateral movement across a network and the broadest access to sensitive data. If such an account were hijacked, a hacker could use it to reconfigure security settings to their advantage and carry out a destructive, network-wide rampage with relative impunity. Reducing the number of such accounts reduces the chances of a hacker gaining such a foothold in your environment.
After applying account privileges on a need-only basis, establish rigorous authentication procedures across all devices and accounts by activating MFA (multi factor authentication) where available. This is particularly important when verifying the identities of remote workers.
This control demands the application of technical controls designed to counter the threat posed by various forms of malware, including viruses, worms, spyware and ransomware. Cyber Essentials sets out 3 options for mitigating the threat posed by malware, at least one of which must be implemented by your organisation:
Install software designed to detect and remove malware across your network and devices. Configure file-scanning capabilities to ensure downloaded files and email attachments are screened for malware, and configure software to preclude access to sites deemed untrustworthy. Ensure anti-virus programmes are subject to regular updates and refresh threat signature libraries on a frequent basis.
Create an application whitelist
Create a list of applications approved for work purposes and prohibit the download and execution of applications not featured on this list. Use device management software to enforce this list, and audit devices to ensure compliance.
Sandboxing involves executing unfamiliar programmes in an isolated environment in order to prevent the possibility of malicious code spreading unchecked across network resources. Sandboxing is a useful practice that allows programmes to be run without compromising the security and integrity of your wider network.
Over time, software programme vulnerabilities become known to their manufacturers, and fixes (known as ‘patches’) are made available to end users to correct them. Cyber criminals are quick to exploit these vulnerabilities, often launching attacks soon after the patches are made available in order to take advantage of poorly maintained software. By applying patches quickly after they’re made available, you’ll help secure your environment by keeping the period of vulnerability to the absolute minimum.
To make the job of patch management as easy as possible, remove software you no longer use, and be sure to discontinue the use of programmes no longer supported by their manufacturer.
Let us help you maintain the privacy of your customer data
We are living in a world where cyber threats are real, and they are affecting every organisation. Almost half of British organisations are expected to suffer an attack in 2023, so it’s up to them to protect their stakeholders with essential and fundamental investments, like Cyber Essentials. By implementing Cyber Essentials, your organisation will be protected from 80% of cyber attacks, reassure customers, and avoid heavy fines from the ICO. To find out how we can help you achieve accreditation and identify gaps with your cyber security, please get in touch to arrange a free Cyber Essentials Gap Analysis.
SolCo IT Support Reading
Based in Reading, Solution Consultants provides IT Support, Telecoms, and Cloud solutions for SMEs across the Thames Valley. We get to know your business, challenges, and goals and deploy scalable and agile technology solutions that make a real difference.
We specialise in simplifying IT, making valuable technology more accessible than ever before. We believe technology has the power to transform your business and open access to new markets. Check out our site here.