In this, the last blog in the three-part series, we will explore the final two of the five Cyber Essentials areas you are required to have, implement, and maintain in order to achieve the accreditation. Let’s start with Access Controls.

The Cyber Essentials objective

The objective of Cyber Essentials is to ensure user accounts only provide access to applications, networks, and computers that the user NEEDS to perform their role (notice the word ‘needs’).

Access control should be a considerable part of your business security. The increase in remote working that has been experienced across the globe, due to technological advances making it possible, have only elevated its importance.

Cyber Essentials requirements for Access Controls

Cyber Essentials Certification requires you utilise user accounts to control access to your data. There are controls regarding the various restrictions possible when setting access to administrative accounts and the privileges to those accounts are only given to those who need them to complete their job role. Under no other circumstances should access be authorised.

User accounts in your business facilitate access, allowing the use of applications, devices, and sensitive information. By only allowing access to those that are authorised, mirrored with user accounts that are matched by their position in the organisation, you massively increase the safety of your business, purely because access restrictions reduce the risk of theft or damage to your invaluable data.

If accounts with special access privileges to devices, applications and information are compromised severely enough the ramifications to your business could be dire. In extreme circumstances they can be exploited and cause long term effects on your organisation, potentially stopping it from running all together.

For example:

Lucy is logged into an administrative account and unknowingly opens a malicious email attachment. All associated Malware is likely to need administrative privileges.

Using Lucy’s administrative privileges, a type of Malware known as Ransomware encrypts all of the data on the network and then demands a ransom.

Requirements for Secure Configuration

To apply for Cyber Essentials, you must have control over the user accounts and the privileges granted to each one. You must have a user account creation and approval process in place within the organisation.

You must authenticate users before granting access to application devices using unique credentials for each.

An important – and easily forgotten – practice is that you must be sure to disable or entirely remove user accounts when they are no longer in use. You must also remove or disable special access privileges to an individual’s account when no longer required, implement two-factor authentication and only use administrative accounts to perform administrative activities.

Having the Cyber Essentials accreditation shows potential customers that you intend on keeping their information as secure as possible.

We will now move on to the last of the five controls, Secure Configuration.

The Cyber Essentials objective

Cyber Essentials objective is that you make devices and software settings as secure as possible to enable fluid and safe use of your systems.

The things to remember

The default security settings ARE NEVER the most secure! Programmes and hardware in their default settings are always fairly insecure due to the factory settings being designed in such a way as to enable you as much fluidity with the product as possible,   which allows you to configure settings from a clean slate.

To become Cyber Essentials certified you will have to reconfigure settings to ensure you enforce higher standards of security.

The problems of a poorly configured system

It is essential that – as services fall in and out of use and as new hardware is acquired or repurposed – you stay proactive in your approach to ensuring that devices and systems are always kept as safe and protected as possible. Hackers and cyber criminals are always on the lookout for poorly configured systems to attack, so vigilance is key.

Some of the risks include:

• Cybercriminals thrive off systems which are not properly defended. Any attacker will be met with minimal resistance when coming across a poorly configured system, which can lead to untold damage being caused to your system by:

• Pre – configuring a route for future attacks
• Taking advantage of unnecessary functionality
• Gaining access to extremely sensitive data.

These are just a few of the different problems that can be caused by not presenting a good resistance.

• Vulnerable Software. Seal-up those security weak points. It’s important to install ‘patches’ and updates regularly. Failing to do so leaves gaping holes in your security – holes that can be used by cyber criminals to cause havoc.

• Individuals within or out of your company can make unauthorised changes if you have a poor standard of access management in place. Such changes could inadvertently present the opportunities we mentioned earlier for hackers to utilise. It is essential that you make life as difficult as possible for cyber criminals.

Next in the blog are some ways you can use to make life tough for Cybercriminals.

Ways to configure your system securely

• Carry out vulnerability scans. Review your network capabilities to defend itself by regularly performing vulnerability scans to flag potential security concerns. Rectify any issue highlighted by these scans promptly.

• Establish policies relating to the installation of important, security-critical software updates. Create clear guidelines for how quickly updates should be installed to ensure they are fixed quickly, and be sure your team are clear and up-to-date on what is happening.

• Unsupported software is no longer updated and patched by the vendor. Unsupported software will – for the most part – continue to work, but there is no longer a team dedicated to creating and launching updates to patch security faults. This inevitably leaves security loopholes for hackers to exploit.

To achieve Cyber Essentials accreditation and ensure that you remain compliant to their requirements, you will need to be certain that you have done everything in your power to adhere to the advice we have outlined in this blog series. With our help, you put yourself in good stead to pass and achieve the certification, whilst, in the process, projecting a professional, secure organisation that prides itself in doing its best for its customers.

We’re Netplatforms.

Implementing the correct security measures for the technical landscape of your organisation has the power to revolutionise the way your organisation works. We can implement and maintain your security measures and look for better ways to defend your system. Our success can be attributed to one thing: TRUST. Ever since our very first year in business, our clients have been happy to recommend us to other businesses, and we have grown steadily as a result of these recommendations. We can help you to truly get the most from your IT in the most secure way possible. Don’t hesitate – contact us now!

0207 993 9035 or hello@netplatforms.wmtemp.com.

________________________________________________________________________________________________________________

Book a no-obligation discovery call with a member of our team today by calling 0207 993 9035 or hello@netplatforms.wmtemp.com