In the last edition we wrote about Cyber Essentials, a government-endorsed scheme to help businesses protect themselves from cyber-attacks. We are proud to announce that we have received Cyber Essentials Plus accreditation. We would encourage you to consider this too.
Cyber Essentials is a simple but effective, government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.
Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They are the digital equivalent of a thief trying your front door to see if it is unlocked. Our advice is designed to prevent these attacks.
Why should you consider becoming accredited?
- Certified cyber security
- Reassure your customers that you are working to secure your IT against cyber-attack.
- Attract new business with the promise you have cyber security measures in place.
- You have a clear picture of your organisation’s cyber security level.
- Some government contracts require Cyber Essentials certification.
There are two levels of certification:
Cyber Essentials
Our self-assessment option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.
Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks, simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
Cyber Essentials shows you how to address those basics and prevent the most common attacks. EBS can help you with this.
Cyber Essentials Plus
Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out.
You will likely need to work with a Cyber Essentials consultant to ensure that all details and documentation are completed.
What are the Security Controls of the Cyber Essentials Scheme?
There are 5 main security controls:
Firewalls & Internet Gateways
To achieve Cyber Essentials certification, you need to ensure that all your internet-connected devices are protected by a firewall, a virtual boundary that protects your system and devices from incoming threats. Firewalls police incoming web traffic and decide whether to allow it through to your network. This is even more critical with many of us working from home.
A firewall can be set up to surround just your device or your entire network, depending on the complexity of your business needs.
It is important to make sure that not only computers are protected, but all devices, such as tablets, smartphones, etc. If you are using these devices to connect to the Internet away from your office, especially on public Wi-Fi, where security levels are unknown, the firewall should be configured accordingly.
Secure Configuration
A secure configuration just means making sure you have opted for the best security settings on your devices and software. However, there may be numerous applications on any device that are not used and may never be used. Largely, these applications will be ignored and may be a source of attack, as they will potentially have standard logins and passwords, which are fodder for cyber criminals. These applications should be deleted if not needed. For those applications that you need and use, you should always use strong, unique passwords (that you can easily remember), and make sure they are secure passwords, not ‘admin’, ‘password’, or anything that can be easily guessed. Of course, this equally applies to existing devices, and will need to be achieved prior to applying for certification.
The government recommends the additional use of PINs and/or touch-ID to increase security, and two-factor authentication (2FA) for the utmost security. 2FA is when, for example, you log in to a website and it sends a code as an email or text message for additional ID verification.
User Access Control
It is vital to make sure that only authorised individuals are granted access to those applications required to perform their tasks. In the event of a cyber security threat, you want to minimise what the attacker could access.
This will need some tailoring from one user to the next. Administrators will need greater access than regular staff, but it is worth checking how many users have administrative privileges – you may find the number has crept up over the years, or that security has lapsed to the point that the admin login details are widely known.
Permissions and passwords should be reset, and a security protocol introduced to ensure all users are aware of the importance of maintaining best practice.
Administrators’ activities should also be restricted since Internet browsing/shopping/chatting could leave an account vulnerable to intrusion. Effectively, attackers would have access to everything the administrator does, giving them a great deal more opportunities for exploitation.
Finally, all software should only be downloaded from approved sites, which will ensure it meets the required security standards – and does not come with malware attached.
Malware Protection
Most of you will have reputable anti-virus software, including EBS’ managed anti-virus solutions. This is only one element of what is required to achieve Cyber Essentials. In addition to software, there is an element of self and staff education on how viruses and malware get onto your systems. For instance:
- Don’t download email attachments from senders you do not know, or if you do know the sender but the email looks suspicious.
- Don’t use removable storage devices (e.g., thumb drives) when you don’t know their origin.
Patch Management
Cyber Essentials certification requires that you keep your devices, software, and apps up to date. This is also known as ‘patching’ or ‘patch management’, since the manufacturers are effectively patching holes in their software. If you are running outdated and unsupported operating systems (e.g. Windows XP or Windows 7) on your PCs or servers, you will not gain Cyber Essentials accreditation.
How many times do you ignore an application warning that an update is pending? Updates not only generally add new features, but they also fix security holes that could be exploited.
Whether you wish to go down the path of Cyber Essentials or Cyber Essentials Plus accreditation, the fact remains that the above five security controls need to be in place to ensure that you are protected against cyber-attack, in whatever form that may take. It really is no longer enough to think that you can rely on anti-virus software alone.
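As an added illustration (not part of the original article or of EBS’ assessment tooling), the script below runs a readiness check for the five controls described above over a constructed device inventory. The inventory fields, the 14-day patch threshold and the weak-password list are assumptions for this example; only the unsupported operating systems and the ‘admin’/‘password’ examples come from the text.

```python
"""Readiness checks for the five Cyber Essentials controls described above.
The inventory format and thresholds are assumptions made for this example."""

# Constructed sample inventory for one device (not real data).
SAMPLE_DEVICE = {
    "name": "LAPTOP-01",
    "os": "Windows 7",
    "firewall_enabled": False,
    "antivirus_installed": True,
    "days_since_last_patch": 40,
    "accounts": [
        {"user": "alice", "is_admin": True, "daily_use": True, "password": "Correct-Horse-9!"},
        {"user": "setup", "is_admin": True, "daily_use": False, "password": "admin"},
    ],
    "apps": [
        {"name": "LegacyReporting", "used": False, "default_login": True},
        {"name": "Office", "used": True, "default_login": False},
    ],
}

UNSUPPORTED_OS = {"Windows XP", "Windows 7"}           # named in the article
GUESSABLE_PASSWORDS = {"admin", "password", "123456"}  # 'admin'/'password' from the article
MAX_PATCH_AGE_DAYS = 14   # assumed threshold for this example, not taken from the article
MAX_ADMIN_ACCOUNTS = 1    # assumed: more than one admin account triggers a review finding


def assess_device(device):
    """Return a list of (control, finding) tuples for one device; empty means ready."""
    findings = []
    if not device["firewall_enabled"]:
        findings.append(("Firewalls", "host firewall is disabled"))
    if device["os"] in UNSUPPORTED_OS:
        findings.append(("Patch management", f"unsupported OS: {device['os']}"))
    if device["days_since_last_patch"] > MAX_PATCH_AGE_DAYS:
        findings.append(("Patch management", f"last patched {device['days_since_last_patch']} days ago"))
    if not device["antivirus_installed"]:
        findings.append(("Malware protection", "no anti-virus installed"))
    for app in device["apps"]:  # unused apps with standard logins should be removed
        if not app["used"] and app["default_login"]:
            findings.append(("Secure configuration", f"unused app with default login: {app['name']}"))
    for acct in device["accounts"]:
        if acct["password"].lower() in GUESSABLE_PASSWORDS:
            findings.append(("Secure configuration", f"guessable password on account {acct['user']}"))
        if acct["is_admin"] and acct["daily_use"]:  # admin accounts kept for admin tasks only
            findings.append(("User access control", f"admin account {acct['user']} used for day-to-day work"))
    admins = [a["user"] for a in device["accounts"] if a["is_admin"]]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(("User access control", f"{len(admins)} accounts hold admin rights: {admins}"))
    return findings


def failed_controls(device):
    """Set of control names that have at least one finding for this device."""
    return {control for control, _ in assess_device(device)}
```

Running `assess_device(SAMPLE_DEVICE)` on the constructed laptop reports findings under four of the five controls; only malware protection passes.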
EBS can provide consultancy to help you achieve Cyber Essentials:
- Fixed price for consultant to visit to complete the readiness assessment.
- Security and patch management: We will assess how security and patch management are configured within your environment.
- Firewalls: We will assess the configuration of your firewalls and deliver a report outlining areas of concern and the actions that need to take place to address any issues found.
- Malware Protection: We will assess your current anti-virus approach to determine whether it meets the requirements for Cyber Essentials certification.
- User Access Control: We will assess user access controls currently in place including items such as user permissions and security policies.
- Backups: We will review your current backup approach to ensure that it meets the requirements and is the most effective approach for your environment.
- Assist you in filling out the forms for Cyber Essentials accreditation (for Cyber Essentials Plus, a third-party consultant will be required).
Some questions to ask yourself:
- Do you have a next-gen firewall such as a SonicWall?
- Do you have good password and security protocols in place?
- Who has admin passwords for your systems and software?
- What anti-virus and mail filtering do you have in place e.g. EBS managed AV and Mimecast?
- Are all your software and operating systems up to date?
If your answer to any of the above is “No” or “Don’t know”, speak to your account manager for further advice.