Cyber Essentials is a UK Government-backed scheme overseen by the National Cyber Security Centre and GCHQ. The scheme is designed for businesses of all sizes to provide “base level” controls for security. In order to secure supply chains effectively, it is recommended that Cyber Essentials accredited organisations work only with other Cyber Essentials accredited bodies. As such, this accreditation is a prerequisite for all government and public body tenders.
What are the main points and how does it help your business?
Cyber Essentials sets out five primary technical controls which organisations should put in place as soon as possible:
Securing Internet Connection
The most common and effective way of protecting and securing your devices is by reinforcing the “gateway” to the internet using a “Firewall”. Firewalls create a sandbox area, which analyses internet traffic, filtering out malicious content and requests. Most computers include a software firewall, which should be enabled on every device that accesses the internet.
A boundary firewall should be enforced as well, protecting the corporate network as a whole from malicious requests, traffic and content. This can be achieved through most business grade routers’ internal settings or through a standalone security appliance.
However, boundary firewalls do not account for devices that are used outside of the network, so they cannot be the only protection for devices.
When setting up a new device for the first time, most will not have security controls enabled, to allow the user to configure the device as required. This also leads to vulnerabilities as all remote access controls and channels are open for communication.
Your IT team should be responsible for this, and for ensuring that the appropriate versions of software are deployed.
Note that “Home” versions of operating systems should not be used for business purposes for licensing and security reasons, as access control cannot be implemented fully and securely on these devices.
Password protection is essential for ALL devices to restrict access to authorised users and services. Each password should be unique and memorable whilst being difficult to guess for an attacker.
Mobile devices and touch-enabled devices should deploy PIN and touch-ID where possible, as this is an extra layer of protection and access control.
Device access can be minimised through password and credential management, software updates and additional access controls, but ensuring that user and account privileges are restricted is essential as well.
Compromised user accounts can cause untold damage within an organisation if their privileges are not curtailed and controlled. Users should be given permission to access and change data at a level necessary to perform their job function only, and if that function changes there should be an administrative log of these changes.
Administrative accounts should be used sparingly, and only to perform administrative tasks. They should not be used for web browsing, email access or day-to-day activity. This minimises the risk of an attacker gaining access to these accounts and damaging the organisation.
Software download, installation, and access should be limited, controlled, monitored and managed as well. Ensure that applications used by the organisation have been approved for internal use through testing and/or come from approved sources.
Protection against viruses and malware
Malicious software such as viruses and ransomware can be problematic for organisations, preventing them from functioning effectively, if at all. Infection can be prevented in one of three ways recommended in Cyber Essentials.
Anti-malware software can be used to prevent the installation or propagation of malicious software throughout devices and the network.
Windows Defender and macOS XProtect are two built-in software packages which protect devices. Texaport recommends using more comprehensive software throughout the organisation which has been designed and built by Cyber Security professionals.
Whitelisting the software that can be installed on devices prevents unknown or potentially damaging software from gaining access to them.
Sandboxing applications by running them in an isolated environment within a device is an effective way of limiting the spread of infection, but cannot be relied on as the sole method of defence.
Updating and Patching
The longer that software is available online, the more time a criminal has to find vulnerabilities and flaws in its security. As such, manufacturers and software developers regularly release updates to their software which address vulnerabilities or prevent their exploitation.
Organisations should employ a regular patching schedule which allows for internal verification of updates to ensure they will not introduce additional complications to the IT estate, whilst also keeping devices as up to date as possible.
When a device or application is no longer supported by the manufacturer or developer the organisation should seek to replace it as soon as possible. This will prevent outdated software or hardware becoming a vulnerable access point into the organisation for a criminal.
These five key points should be addressed by all organisations to ensure their own protection, but certification against the Cyber Essentials standards helps demonstrate the company’s commitment to security.
Holding a Cyber Essentials accreditation highlights to your customers that you are working to address vulnerabilities and improve the security of your organisation and data. This can lead to additional business opportunities as more businesses seek to strengthen and secure their supply chain with accredited organisations, including government contracts.