A Cyber Essentials Guide: The Five Controls
Cyber Essentials is a government-backed program that helps businesses protect themselves from online threats that endanger their survival, and lets them demonstrate a security-focused attitude to clients. Many businesses around the country have achieved accreditation since it was introduced in 2014.
The Five Controls of Cyber Essentials
In order to achieve Cyber Essentials certification, your organisation must have five technical controls in place. They are as follows:
- Firewalls
- Secure Configuration
- Applying Access Controls
- Anti-Malware Measures
- System Maintenance
Let’s take a closer look at these.
Firewalls
Network firewalls monitor and control the various forms of network traffic that travel through your system each day, all based on predefined security rules. A firewall separates your network from the internet and serves as a gatekeeper, allowing or disallowing access.
Firewalls prevent unauthorised access to your network, while allowing secure access to those outside your network who you want to have access.
Firewall protection is a MUST for all devices in your network. Once your firewall software is installed, take the following additional considerations into account to ensure the best possible level of protection:
- Firewalls alone aren’t enough – you must prove you are blocking high-risk traffic as well.
- Make sure your firewall configuration is protected with strong passwords. The more complex the password, the harder it will be to guess. Administrators are advised to use long, complex passwords with numbers, letters, and punctuation.
- Software firewalls should be installed on devices used outside of the business network. Remote working devices (laptops, phones, and tablets) should not be used on public Wi-Fi networks. We recommend avoiding public Wi-Fi in general.
Secure Configuration
Secure Configuration is the second of the five controls. Device and software settings should be as secure as possible. The key to achieving this goal is proactive IT management.
Windows’ default security settings are never adequate for system security.
Factory settings are designed to be as unrestrictive as possible to let users experience the device as fluidly as possible. The settings can also be customised to meet the user’s needs.
Cyber Essentials certification requires reconfiguring settings to enforce higher levels of security.
Applying Access Controls
There must be a control over access to data. It is essential to control access to administrative accounts, and privileges should only be granted when absolutely necessary.
Users in your business have access to all applications, devices, and sensitive client information. Data theft and damage can be greatly reduced if only authorised personnel have access to accounts reflecting their roles within the organisation.
The compromise of an account with privileged access to devices, applications, and information could have devastating effects. In addition, it could facilitate a large-scale attack at a later date, resulting in even more damage – financially, operationally, and reputationally.
Cyber Essentials certification requires the following:
- You have full control over all user accounts and the access privileges of each of them
- You must have user account creation and approval processes in place
- Users must be authenticated before being granted access to applications or devices, and all credentials for each user must be entirely unique
- Special access privileges to individual accounts must be removed when no longer required
- User accounts must be disabled when no longer required
Anti-Malware Measures
You should take all necessary precautions to prevent malware from entering your system. You will not be able to gain Cyber Essentials accreditation if you fail to do so.
Make sure you only install software from trusted sources. Experts constantly monitor apps in Apple’s App Store and Google’s Play store for malware, for example. A cheap app from an unknown source could open the floodgates to malware.
You should install anti-virus software on every computer and device you use, both at home and at work. Due to their basic nature, free anti-virus software on most operating systems does not provide adequate protection from modern, sophisticated cyber attacks.
System Maintenance
The importance of updating devices and software cannot be overstated, since not updating devices and software leaves them exposed to security risks and prevents you from achieving Cyber Essentials certification.
In this regard, Cyber Essentials takes a slightly lenient approach. If the vendor describes the patch as fixing ‘high’ or ‘critical’ flaws, you must install it within two weeks of it being released – at least that gives you time to prepare for it, so you don’t have to stop production immediately. You should always ensure that your software is licensed, supported, and up-to-date. Also, it is necessary to remove all software from non-supported devices.
You should use a ‘Sandbox’ if your business uses legacy software that is no longer updated. Using the Sandbox, your apps are prevented from communicating with other parts of your network.
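The two-week rule for ‘high’ and ‘critical’ patches can be checked mechanically against a patch inventory. The Python sketch below is an added example, not part of the original guide; the inventory records, host names, status labels, and the reading of “two weeks” as 14 calendar days (inclusive) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # assumption: "two weeks" = 14 days, inclusive
IN_SCOPE = {"high", "critical"}     # vendor ratings the rule applies to

@dataclass
class Patch:
    host: str
    software: str
    severity: str               # rating as published by the vendor
    released: date
    installed: Optional[date]   # None means the patch is not installed yet
    supported: bool = True      # False: vendor no longer supports the software

def assess(p: Patch, today: date) -> str:
    """Classify one patch record against the two-week rule."""
    if not p.supported:
        return "UNSUPPORTED"    # no patches will arrive: remove or sandbox
    if p.severity.strip().lower() not in IN_SCOPE:
        return "OUT_OF_SCOPE"
    deadline = p.released + PATCH_WINDOW
    if p.installed is not None:
        return "OK" if p.installed <= deadline else "LATE"
    return "PENDING" if today <= deadline else "OVERDUE"

def report(patches, today):
    """Group the records that need action by status."""
    findings = {}
    for p in patches:
        status = assess(p, today)
        if status in {"UNSUPPORTED", "LATE", "OVERDUE"}:
            findings.setdefault(status, []).append((p.host, p.software))
    return findings

# Constructed sample inventory (hypothetical hosts and software names).
TODAY = date(2024, 3, 20)
INVENTORY = [
    Patch("laptop-01", "browser", "Critical", date(2024, 3, 1), date(2024, 3, 10)),
    Patch("laptop-02", "browser", "critical", date(2024, 3, 1), None),
    Patch("srv-01", "vpn-client", "High", date(2024, 3, 12), None),
    Patch("srv-02", "pdf-reader", "high", date(2024, 2, 1), date(2024, 2, 20)),
    Patch("pc-07", "office-suite", "Medium", date(2024, 1, 5), None),
    Patch("pc-09", "legacy-erp", "critical", date(2023, 6, 1), None, supported=False),
]

if __name__ == "__main__":
    for status, items in sorted(report(INVENTORY, TODAY).items()):
        print(status, items)
```
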
Ensure you are secure with Genmar
Almost 50% of businesses reported an attack or breach during 2020. Therefore it is critical that organisations take cyber security seriously and invest in advanced measures that extend well beyond traditional perimeter defences.
We can guide you through the process from start to finish, reviewing your current IT security environment, recommending any changes, assisting with completion of Cyber Essentials documentation, and implementing any changes required. Contact us today to find out more.