Cyber Essentials Network Firewalls Explained

One of the five major controls for the Cyber Essentials Scheme is to configure and deploy a network firewall. A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, a secure zone is created between devices in an organisation and the internet.

Cyber Essentials requires that all devices that are connected to the internet should be protected with a firewall. We will explain this requirement and how to comply with it from a non-technical perspective.

Types of firewall

Before we proceed, it is important to understand the two types of firewall that can be used. A personal firewall can be installed on internet-connected desktops or laptops; most operating systems come with a built-in personal firewall.

A boundary firewall, or network firewall, can be used if you have a mix of different devices in your organisation. It provides a protective buffer around your entire network. In most cases, deploying a boundary firewall means setting up a hardware firewall, i.e. a dedicated firewall appliance.

Understanding how firewalls work

Devices communicating with other devices and services across networks create a point of entry for attackers. If you restrict that communication, the risk of attack is reduced. Firewalls help you achieve this by ensuring that only safe and necessary network services can be reached from external networks such as the internet.

A network firewall is a dedicated network device that restricts inbound and outbound network traffic between your network and external devices and services. It prevents desktops, laptops, and mobile devices within the network from exchanging malicious or harmful traffic with the outside.

Firewalls accomplish this by implementing restrictions known as firewall rules. These rules allow or block traffic entering a network depending on its source, destination, and communication protocol.

Firewall requirements of Cyber Essentials

The Cyber Essentials certification requires businesses to use and configure a firewall to protect all devices, particularly the ones that are connected to public or untrusted Wi-Fi networks. Every device in this scope must be protected by a properly configured firewall.

To comply with Cyber Essentials, organisations must:

  • Disable permissive firewall rules once they become obsolete.
  • Make use of personal firewalls on devices that are on untrusted networks such as a public Wi-Fi hotspot.
  • Block unauthenticated and untrusted inbound connections by default.
  • Ensure that manufacturer passwords and default settings are reviewed and updated according to the organisation’s security requirements.
  • Make use of strong administrative passwords for firewalls. This means that the passwords should contain a mix of upper and lower-case characters, numbers, and symbols. Alternatively, remote administrative access should be disabled altogether.
  • Use firewall rules that are approved and documented by an authorised individual such as the security administrator.
  • Restrict access to the administrative interface, which is used to manage and configure the firewall, from the internet. If there is a business need to provide such access, then the interface should be protected with:
    • Two-factor authentication.
    • An IP whitelist that limits access to the interface from a small number of devices only.
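As an added example that is not part of the original article, the following Linux nftables ruleset for a boundary firewall shows a weak configuration beside one that satisfies the requirements above: inbound connections are blocked by default, the administrative interface is reachable only from an IP allowlist, and obsolete permissive rules are removed rather than left in place. The management addresses and the interface names `lan0`/`wan0` are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the article): a Linux boundary firewall ruleset.
# Management host addresses are constructed placeholders from the
# RFC 5737 documentation range; interface names lan0/wan0 are assumed.

# --- Weak configuration (does NOT meet the Cyber Essentials requirements) ---
# chain input {
#     type filter hook input priority 0; policy accept;   # all inbound traffic allowed
#     tcp dport { 22, 443 } accept                        # admin interface open to the internet
# }

# --- Corrected configuration -----------------------------------------------
flush ruleset

define MGMT_HOSTS = { 192.0.2.10, 192.0.2.11 }   # IP allowlist for administration

table inet filter {
    chain input {
        # Block unauthenticated and untrusted inbound connections by default
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        # Replies to connections that the network itself opened are allowed back in
        ct state established,related accept

        # Administrative interface (SSH, HTTPS) only from the allowlisted hosts;
        # two-factor authentication is enforced by the management service itself
        ip saddr $MGMT_HOSTS tcp dport { 22, 443 } accept

        # Any temporary rule opened for a one-off task is deleted once obsolete,
        # not left here disabled; everything else inbound hits the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Outbound traffic from the internal LAN towards the internet
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm the active policy with `nft list ruleset`; the input chain should report `policy drop` and no accept rule without a source restriction on the administrative ports.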

Conclusion

A firewall is used for securing devices within a network and mitigating the risks of outsider attacks. Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification.

If you would like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us right away. CyberSmart partners with you to make your journey towards becoming a secure and compliant organisation simpler and easier.

Free Information Security Policy for Startups

Cyber threats

A major challenge for startups is figuring out how to invest in cybersecurity.

Despite the financial constraints, it is essential for startups to keep their online security in check, because the consequences are frightening. Statistics show that about 50% of all cyber attacks target small businesses and startups. Often, this is because of a lack of written internal policies.

Without a security policy, there is no reference for what needs to be done when a security threat arises within your startup. An information security policy can be complicated and often expensive to develop, but it is a fundamental component of cybersecurity.

In this article, we present a free information security policy guide for startups.

What should the information security policy cover?

There is no single approach to developing an information security policy that fits all organisations. Despite this, there are certain aspects that every security policy for startups should cover:

  • The security requirements that are going to be met: compulsory ones such as GDPR, and then a framework such as Cyber Essentials, ISO 27001, or the IASME Governance framework.
  • Who is responsible for information security tasks? It can be an internal security expert or a third-party supplier.
  • The startup’s long-term commitment to cybersecurity including what they aim to achieve through the introduction of the policy.

What should be included in the information security policy?

Even though there is no fixed format for an information security policy, given below are some key questions that you should consider when framing your security policy.

  • Who is responsible for your startup’s security?
  • What are your security objectives?
  • How are security incidents reported and managed? How can you learn from them?
  • What type of information do you handle? Does it involve customer information?
  • How can the different types of information be protected?
  • How do you measure risks?
  • How should internet, email, and other communication channels be managed to minimise risks?
  • What training and awareness do the employees need?
  • What responsibilities should be given to employees for securing information?

Areas to cover in an information security policy

There are five general subject areas that should be addressed in an information security policy for startups:

  1. Security measures: Guidelines for virus protection, passwords, confidentiality of data, and levels of access to information.
  2. Disaster recovery: Instructions on how to recover from a disaster such as a data breach. Methods of data backup, including how often they should be made, should also be included.
  3. Standards for technology: Details about the types of hardware, software, and other digital systems that can be purchased by the startup. This area will also cover a list of trusted partners or vendors from where systems are to be bought.
  4. Acceptable use of technology: How should technology such as smartphones, desktop computers, email, and the Internet be used? What are the consequences of misuse, and how can security be improved by limiting access to such technology?
  5. IT services: Information about who will be responsible for providing technical support to employees. Often, this is a member of the IT team, but can be an external partner as well. Guidelines regarding planning, installation, and maintenance of computer systems should also be covered in this area.

Conclusion

Startups are at a constant risk of cyber threats, particularly because of a lack of an effective information security policy. It is important to not only have a security policy in place, but to make sure that it addresses the specific needs of your startup and employees. If you have not developed an information security policy yet, you should consider doing so right away to minimise loss.

CyberSmart recognises the budget and time constraints that most startups have when developing their information security policy. By subscribing to one of our plans you will get access to our free policy packs, sign up today for access. We look forward to assisting you in designing a cost-effective information security policy for fortifying your startup’s security.

4 Ways to Get Your Information Security Policies Under Control

Information security policies

An information security policy is a set of rules and guidelines that an organisation issues for securing its confidential data. Employees of the organisation should understand and follow the information security policy.

In this article, we list effective ways that you can use to develop an information security policy, or to beef up your organisation’s existing information security policy.

1. Address the problem of password management

Many organisations, despite knowing that they have security issues, are often confused about how to address them. It might sound obvious, but this is where most of a company’s security failings can be resolved.

For instance, security policies must pay close attention to password management. Employees choose their own passwords and are then responsible for managing and controlling them. However, they should be provided with the tools to create, store, and access the range of passwords they may need to use.

Verizon’s 2017 report on data breach investigations shows where things take a turn for the worse: it says that more than 4 out of 5 data breaches happen because of compromised or weak passwords. In addition, a survey has reported that almost 80% of employees find password management a hassle, an issue that can be easily solved with a password manager.

The scale of the problem here demands that organisations address the clear problem of password management in their information security policy.

2. Use a holistic approach

As a modern business, you should understand that the barrier between work life and personal life is becoming more and more indistinct. This idea extends to information security as well. Technology departments must tailor security guidelines around the modern employee’s work behaviour.

Concepts such as BYOD (Bring Your Own Device) are gaining traction nowadays. Organisations need to take a more holistic approach to their information security policies, which involves looking beyond employee work logs and company related passwords.

A single employee, whether in-office or remote, can put the entire organisation’s information security at risk. This makes every employee a possible point of failure for the entire network. The information security policy should take this into consideration and adequately address the risks associated with BYOD. Doing so will allow the organisation to protect its information against attackers.

3. Educate the employees

Educating employees about information security is an important process when it comes to protecting your organisation’s data.

Regular training sessions that stress the basic concepts of security such as the risks of public networks and password management should be conducted. These sessions can be delivered by internal security experts or third-party security services, depending on the resources available to your organisation.

The most common types of data breach are caused by a lack of employee education. Therefore, you should incorporate training and awareness into the organisation’s information security policy. For instance, a security training programme can be introduced that requires employees to attend monthly security sessions held within your organisation.

4. Automate and simplify

Simplify what you can, and automate what you cannot. This simple rule can help you improve your organisation’s information security policy significantly.

A simple information security policy will go a lot further than a binder filled with complex security procedures. This is because employees are more likely to circumvent a complex security measure than a simple one.

You should first attempt to simplify anything that you can within the security policy. For instance, make it clear what the minimum length for passwords should be, rather than just suggesting the use of strong passwords.

For things that cannot be simplified, such as the process of validating online websites, you can make use of tools such as firewalls to prevent employees from violating the policy.

Conclusion

For businesses, information security in today’s world is more of a necessity than a luxury. It is important for an organisation to make holistic yet simple changes in its approach to information security policies, to address concerns related to cybersecurity.

CyberSmart understands that managing your information security policy can be an excruciating task. If you would like to learn more about how to improve your information security policy, get in touch with us right away. We would love to help you polish your security policy for mitigating risks of cyber attacks.

Cyber security policies 101 – information security policy

Information security policy

Cybersecurity and data protection can seem overwhelming. There’s a glut of advice on the internet, but it’s difficult to know where to start. At CyberSmart, we believe cybersecurity should be accessible and easy for everyone. So we’ve compiled a series of useful policies and procedures to help you find your way through the cyber-compliance jungle. This time, we’re looking at how to set up an information security policy.
