The 5 control areas of Cyber Essentials (minus the technical jargon!)
April 11, 2018
April 11, 2018
Step 1 to CE: Boundary Firewalls and internet gateways
A firewall or gateway protects internal networks and systems against unauthorised access from the internet. They are designed to provide a basic level of protection for internet users. All business networks should have a properly configured firewall in place. The firewall monitors all network traffic, whilst identifying and blocking any traffic which can be harmful.
If firewalls are weak, not updated or are failing to detect harmful websites, it makes your business vulnerable to hackers.
Failing to properly configure firewalls is like leaving the front door to your house unlocked! It gives cyber criminals and hackers unauthorised access to your internal systems and access to sensitive information which you want to protect.
How can we reduce risk?
Most firewalls are managed by an admin user. Its important to change the default admin password for any firewall to an alternative, strong password before putting it into a live environment.
Step 2 to CE: Secure Configuration
Failure to manage the proper configuration of your servers can lead to a whole range of security problems.
It’s extremely important for businesses to choose the most secure settings for their devices. Default configurations of new software and devices are often set to be as open and multifunctional as possible. But the problem with that is that these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data without much difficulty.
Check the settings:
You should therefore always check the settings of new software and devices and make changes that raise your level of security. Removing or disabling any functions, accounts or services which you do not require is a good first step.
Personal laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access. Its therefore imperative that both your devices and your accounts are password-protected.
When implemented correctly, passwords are a simple and effective way to prevent unauthorised users accessing your devices. They should be easy to remember but hard for somebody to guess. Never use default passwords which come with new devices as these are the easiest for hackers to guess
Using a password manager is a great way of securing your different accounts online. A password manager is an app that keeps all your passwords secure and helps you create different, strong passwords for each one of your accounts.
For important accounts, such as banking and IT administration, you should use 2-factor authentication. This can involve a 4 digit code being sent to your smartphone which you must enter in addition to your password.
Step 3 to CE: Control who has access to your data and services.
Staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their own role. Handing them extra access or permissions could lead to accounts being misused or even stolen.
Check what privileges your accounts have – accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you reduce the chance that an admin account will be compromised. This is really important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a normal user account.
Step 4 to CE: Protect yourself from viruses and other malware
Malware is basically software or web content that’s been designed to disrupt, damage, or gain authorised access to a computer system.
For example, the recent WannaCry attack used a form of malware which makes data or systems unusable until the victim makes a payment. Viruses are the most commonly known form of malware. They infect software, make copies of themselves and send these duplicates to any computers which connect to their victim.
Malware finds its way onto your computer in a number of different ways. For example, you may accidentally open an infected email, visit a compromised website or open an unidentified file from a USB stick.
How do you defend against malware?
1). Install Anti Virus Software
Antivirus software is often included for free within popular operating systems, it should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and, if configured in accordance with the NCSC’s guidance, separate antivirus software might not be necessary.
2). Only download apps from manufacturer approved stores i.e. App Store.
All these apps are checked to provide a degree of protection against malware. You should prevent staff from downloading apps from vendors/sources, as these will not have been checked.
3). Run apps and programs in a ‘sandbox’. This is the best solution for those who can’t install antivirus. This prevents them from interacting with, and harming, other parts of your devices or network.
Step 5 to CE: Keep your devices and software up to date
Regardless of what devices your organisation uses, be them iPhones, laptops, tablets or computers, it is vitally important that they are kept updated. Thankfully, its quick and easy to do so. It’s also free!
Manufacturers and developers release regular updates which, along with adding new features, also fix security vulnerabilities.
Applying these updates (known as patching) is one of the most important parts of any cyber security strategy. Operating systems, laptops, phones and apps should all be set to ‘automatically update’ wherever this is an option. This insures you will be protected as soon as the update is released.
But eventually, when the manufacturer no longer supports your hardware or software and new updates become available, you should upgrade to a new device.