05 Oct
The 5 key controls of Cyber Essentials – Setting your business up for success
From defending your business against the most prolific cyber threats to demonstrating your cyber security vigilance to partners and clients alike, there are many benefits to achieving Cyber Essentials accreditation. Once certified you’ll be able to display the Cyber Essentials checkmark with pride, and proclaim to the world that your business is security-savvy.
But hang on, let’s not get ahead of ourselves. By now you may be asking: “what exactly am I required to do to obtain certification?”
As we mentioned in the previous article, the accreditation process will assess your business’s security posture in relation to the application of 5 key security controls. These include:
• Firewalls
• Secure configurations
• Access Controls
• Malware protection
• Patch Management
Let’s examine what’s required in respect of each control area, and how to go about ensuring your IT environment meets the required standard.
1) Applying Firewall protection
Cyber Essentials Plus accreditation demands that you apply firewall protections to all internet-connected devices. A firewall is a security instrument which moderates both outgoing and incoming network traffic according to a pre-defined set of rules, established to restrict access to potentially malicious sites. These “rules” could be configured to restrict web access strictly to sites, resources and services required by employees to carry out their roles. This limits risk by preventing employees straying into unknown websites where malware could be lurking.
Firewalls can be applied both at the network’s edge and at device level. By applying firewall protections on the periphery of your local area network, you can protect all your office-based devices in one fell swoop. Be mindful though of any devices used for remote working, as these will have to be protected by device-level firewalls for operation outside of your trusted network.
2) Configure all hardware and software for maximum security
This control is easy in concept, but surprisingly difficult in execution. You or your IT team will have to work round all of your network-connected devices, as well as all the software systems you use, and apply settings which make everything as secure as possible.
Whenever you buy new hardware, the default operating settings tend to be optimised for maximum accessibility, and devices often come with a plethora of pre-loaded applications which you neither want nor need. Unnecessary programmes expand the attack surface available to cyber criminals, so deleting these should be a priority. Then, apply strong password protection to the programmes you do use. Password management tools can be useful here, as they generate strong, random passwords and allow you to enforce multi-factor authentication to further improve security.
In addition to removing unused programmes, you should also consider uninstalling device drivers for unused or underused peripherals, as these just act as unnecessary gateways for cyber criminals to compromise your network.
3) Apply access controls to safeguard your data and the services you use
This control involves applying access restrictions to the data, services and tools your team use on an as-needed basis. Administrative privileges should be reserved for as few user accounts as possible, and the most sensitive data should be protected by file or folder level permissions.
It may seem counterintuitive to limit the access of your trusted employees. After all, cyber threats originate from outside organisations, don’t they? Unfortunately, the majority of data breaches stem from user-initiated actions. Applying access restrictions limits, or at least slows, the damage that a compromised account can inflict, as the bad actor involved will have limited ability to reconfigure network settings and may be prevented from accessing the most sensitive information.
Accounts with administrative privileges are extremely sought after by hackers. They allow them to carry out a destructive rampage, affording unfettered access to the most sensitive data and allowing them to propagate malware across a network with ease. As a result, such accounts should feature the most stringent security protocols, with internet access severely restricted and email access blocked to close potential malware entry points.
4) Use software and take measures to counter the threat of Malware
“Malware” is an umbrella term for any type of software with malicious intent. Hackers deploy a wide variety of malware types – such as viruses, ransomware, trojans and worms – to corrupt data, steal compromising information and sometimes even to hold organisations to ransom. Cyber Essentials requires that you install and regularly update anti-malware software across your estate, ensuring all endpoint devices are protected. Such software is designed to identify and eliminate malware that finds its way onto your system.
Sandboxing is another technical measure that can be taken. This is the practice of operating software in an isolated environment that mimics an operating system, whilst restricting access to wider network data and resources. This limits the ability of malware to propagate across your network, keeping vital data and systems out of reach.
Create a “white list” of administrator-approved applications, and prohibit the installation of all programmes not on this list. Similarly, disable “autorun” and “autoplay” across your devices to prevent the installation of software from removable media. This will prevent corrupted USB devices and the like from transferring malware onto your network upon being connected to a computer.
5) Keep your devices and systems patched and maintained, installing all updates in a timely manner.
Over time, software developers become aware of vulnerabilities in their programmes. These often present opportunities for criminals, offering weak points through which they can launch cyber-attacks. To close up these security loopholes, developers make ‘patches’ available – software fixes designed to shore up code vulnerabilities. These should be applied regularly, and as soon after becoming available as possible, in order to minimise the window of opportunity available to hackers.
You should also discontinue the use of unsupported software programmes. Over time these present a significant security risk, as any security deficiencies will go unchecked, leading to an increased likelihood of a damaging cyber attack.
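To show how the five control areas above translate into checks you can run against a device list, here is an added example (not part of the original article or any Vostron tooling). The inventory, its field names, the approved-application list and the 14-day patch threshold are all constructed assumptions for illustration.

```python
from datetime import date

# Assumed policy values for this example, not figures quoted by the article.
APPROVED_APPS = {"office-suite", "pdf-reader", "endpoint-av"}
MAX_PATCH_AGE_DAYS = 14
TODAY = date(2023, 10, 5)  # fixed so results are reproducible
# Constructed inventory; every field name here is hypothetical.
INVENTORY = [
    {"name": "office-pc-01", "remote": False, "host_firewall": False,
     "apps": ["office-suite", "endpoint-av"], "autorun_disabled": True,
     "av_running": True, "oldest_pending_patch": None, "unsupported": [],
     "admins": [{"user": "it-admin", "email": False}]},
    {"name": "laptop-07", "remote": True, "host_firewall": False,
     "apps": ["office-suite", "toolbar-helper"], "autorun_disabled": False,
     "av_running": True, "oldest_pending_patch": date(2023, 8, 1),
     "unsupported": ["legacy-viewer"], "admins": [{"user": "jsmith", "email": True}]},
]

def audit_device(dev):
    """Return (control, finding) tuples for one device; empty means no gaps."""
    findings = []
    # 1) Firewall: the edge firewall only covers devices that stay in the office.
    if dev["remote"] and not dev["host_firewall"]:
        findings.append(("firewall", "remote device has no device-level firewall"))
    # 2) Secure configuration: flag anything outside the approved list.
    for app in sorted(set(dev["apps"]) - APPROVED_APPS):
        findings.append(("secure-config", f"unapproved application: {app}"))
    # 3) Access control: admin accounts should not have email access.
    for acct in dev["admins"]:
        if acct["email"]:
            findings.append(("access-control", f"admin {acct['user']} has email access"))
    # 4) Malware: anti-malware must run and autorun/autoplay must be off.
    if not dev["av_running"]:
        findings.append(("malware", "anti-malware not running"))
    if not dev["autorun_disabled"]:
        findings.append(("malware", "autorun/autoplay still enabled"))
    # 5) Patching: overdue updates and software that is no longer supported.
    pending = dev["oldest_pending_patch"]
    if pending and (TODAY - pending).days > MAX_PATCH_AGE_DAYS:
        findings.append(("patching", f"update pending {(TODAY - pending).days} days"))
    findings += [("patching", f"unsupported software: {s}") for s in dev["unsupported"]]
    return findings

def audit(inventory):
    return {dev["name"]: audit_device(dev) for dev in inventory}  # name -> findings

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings or "no gaps found")
```

The office PC passes without a device-level firewall because it stays behind the edge firewall, while the remote laptop is flagged under all five controls.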
Complete your Cyber Essentials journey with Vostron
With so much to consider and the unwieldy nature of modern IT systems, working towards a Cyber Essentials accreditation can be a daunting task. Preparing a robust cyber security framework requires the support of an experienced and knowledgeable partner.
That’s where Vostron comes in.
Since the launch of the scheme in 2014, we’ve been helping businesses of all sizes achieve Cyber Essentials accreditation. We’ll ensure your estate is properly configured, and help you deploy a range of technical measures to guard your data and achieve a widely respected accreditation that will bolster your organisation’s standing.