Cyber Essentials is a UK government scheme that outlines the basic steps that organisations can take to secure their systems.
Implementing its five controls effectively will help you prevent about 80% of cyber attacks.
In this blog, we take a closer look at the Cyber Essentials scheme and explain how its organisational and technical controls can keep you protected.
How does Cyber Essentials work?
Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets, and they don’t spend countless hours staking out and researching their targets.
Instead, they tend to be opportunistic, looking for any available target. In that regard, you can think of them as a burglar; yes, they’re aware of high-value marks, but it’s more effective to go after easier targets.
And just as a burglar identifies those marks by scouting neighbourhoods and looking for poorly protected homes, so too do cyber criminals look for easily exploitable weaknesses rather than pinpointing a specific target and trying to find a way in.
Cyber Essentials addresses this, helping organisations avoid weaknesses and address vulnerabilities before criminal hackers have the chance to exploit them.
The scheme contains five controls, each one focusing on a specific aspect of information security. Once applied, they can protect you from 80% of the most common cyber attacks.
What are the five controls?
- Firewalls
These are designed to prevent unauthorised access to or from private networks, but a firewall, whether a hardware device or software, must be set up correctly to be fully effective.
Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.
Although antivirus software helps to protect the system against viruses and malware, a firewall helps to keep attackers or external threats from getting access to your system in the first place.
The protection a firewall provides is adjusted through its configuration, in other words the firewall ‘rules’ that decide which connections are permitted and which are refused.
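To make the idea of firewall ‘rules’ concrete, here is an added example (not code from the Cyber Essentials scheme or from this blog) of a small ordered-ruleset evaluator. The addresses, port numbers and connection attempts are constructed for illustration. It evaluates the same attempts against a weak ruleset, which exposes remote administration to the Internet and defaults to allowing anything unmatched, and against a hardened ruleset with a default-deny policy that also controls where internal users can go.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: rules are checked top to bottom, the first match wins,
# and if nothing matches the ruleset's default action applies.
@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (from the Internet) or "out" (from users)
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    port: Optional[int]     # destination port, None = any port
    action: str             # "allow" or "deny"

def matches(rule, direction, src, dst, port):
    return (rule.direction == direction
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == port))

def evaluate(rules, default, direction, src, dst, port):
    for rule in rules:
        if matches(rule, direction, src, dst, port):
            return rule.action
    return default

# Weak configuration (constructed): RDP is open to the whole Internet "for
# convenience", unmatched traffic is allowed, and outbound is not controlled.
WEAK_RULES = [
    Rule("in", "0.0.0.0/0", "203.0.113.10/32", 443, "allow"),
    Rule("in", "0.0.0.0/0", "203.0.113.10/32", 3389, "allow"),
]
WEAK_DEFAULT = "allow"

# Hardened configuration (constructed): only the public web service is reachable
# from the Internet, remote administration is limited to the office range, users
# may only reach web ports and the internal resolver, and everything else is denied.
HARDENED_RULES = [
    Rule("in", "0.0.0.0/0", "203.0.113.10/32", 443, "allow"),
    Rule("in", "198.51.100.0/24", "203.0.113.10/32", 3389, "allow"),
    Rule("out", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    Rule("out", "10.0.0.0/8", "0.0.0.0/0", 80, "allow"),
    Rule("out", "10.0.0.0/8", "10.0.0.53/32", 53, "allow"),
]
HARDENED_DEFAULT = "deny"

# Constructed connection attempts: (direction, src, dst, port, description)
ATTEMPTS = [
    ("in", "192.0.2.77", "203.0.113.10", 443, "Internet user visits the website"),
    ("in", "192.0.2.77", "203.0.113.10", 3389, "Internet host probes remote desktop"),
    ("in", "192.0.2.77", "203.0.113.10", 445, "Internet host probes file sharing"),
    ("in", "198.51.100.5", "203.0.113.10", 3389, "Administrator in office range uses remote desktop"),
    ("out", "10.0.1.20", "192.0.2.200", 6667, "Workstation connects to an unexpected outbound port"),
    ("out", "10.0.1.20", "192.0.2.200", 443, "Workstation browses HTTPS"),
]

def decisions(rules, default):
    """Map each attempt's description to the verdict the ruleset gives it."""
    return {desc: evaluate(rules, default, d, s, t, p) for d, s, t, p, desc in ATTEMPTS}

if __name__ == "__main__":
    for name, rules, default in (("weak", WEAK_RULES, WEAK_DEFAULT),
                                 ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(f"== {name} ruleset ==")
        for desc, verdict in decisions(rules, default).items():
            print(f"{verdict:5}  {desc}")
```

The difference between the two rulesets is almost entirely the default action and the source ranges: with default-deny, anything the organisation has not explicitly decided it needs (the file-sharing probe, the unexpected outbound connection) is refused without a rule having to anticipate it.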
- Secure configuration
Web server and application server configurations play a crucial role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.
This will help prevent unauthorised actions being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A vulnerability scan can reveal opportunities for exploitation that arise from insecure configuration.
- User access control
It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker being presented with open access to your information.
Obtaining administrator rights is a key objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data. Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.
User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
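The secure configuration and user access control passages above both come down to comparing what a device actually exposes against what it is supposed to expose. The following is an added example, not code from the scheme or the blog, of an audit that does that for one host: it flags services the host's role does not require, a server header that discloses a version number, accounts still on default passwords, administrator rights held by anyone not on the authorised list, and built-in accounts that should be disabled. The host snapshot, the role baseline and the authorised-admin list are all constructed.

```python
import re

# Constructed snapshot of one host, of the kind a build review or a
# configuration-management export would produce. All values are made up.
HOST = {
    "hostname": "web-01",
    "role": "web",
    # services listening on the host, by port
    "listening": {22: "sshd", 80: "nginx", 443: "nginx", 21: "vsftpd", 3306: "mysqld"},
    # what the web server discloses in its Server header
    "server_header": "nginx/1.18.0 (Ubuntu)",
    # accounts found still using a vendor default password (from a credential check)
    "default_password_accounts": ["admin"],
    # local accounts and whether each holds administrator rights
    "accounts": {
        "alice": {"admin": True},
        "bob": {"admin": True},
        "carol": {"admin": False},
        "svc-backup": {"admin": True},
        "admin": {"admin": True},
        "guest": {"admin": False},
    },
}

# Constructed baseline: ports each role may expose, who may hold admin rights,
# and built-in accounts that should not remain enabled under their default names.
REQUIRED_SERVICES = {"web": {22, 80, 443}}
AUTHORISED_ADMINS = {"alice"}
BUILTIN_ACCOUNTS_TO_DISABLE = {"guest", "admin"}

def audit_configuration(host):
    """Secure configuration: only required services, minimal disclosure, no defaults."""
    findings = []
    allowed = REQUIRED_SERVICES.get(host["role"], set())
    for port, svc in sorted(host["listening"].items()):
        if port not in allowed:
            findings.append(f"unneeded service {svc} listening on port {port}")
    # a dotted version number in the banner tells an attacker exactly what to look up
    if re.search(r"\d+\.\d+", host["server_header"]):
        findings.append(f"server header discloses version: {host['server_header']!r}")
    for acct in host["default_password_accounts"]:
        findings.append(f"account {acct} still has a default password")
    return findings

def audit_access(host):
    """User access control: admin rights only for authorised, named individuals."""
    findings = []
    admins = {name for name, attrs in host["accounts"].items() if attrs["admin"]}
    for name in sorted(admins - AUTHORISED_ADMINS):
        findings.append(f"unauthorised administrator account: {name}")
    for name in sorted(BUILTIN_ACCOUNTS_TO_DISABLE & set(host["accounts"])):
        findings.append(f"built-in account should be disabled or renamed: {name}")
    return findings

if __name__ == "__main__":
    for finding in audit_configuration(HOST) + audit_access(HOST):
        print(f"[{HOST['hostname']}] {finding}")
```

Run against real hosts, the snapshot would be gathered from the systems themselves and the baseline from the organisation's own build standard; the checks stay the same.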
- Malware protection
It is essential to protect your business from malicious software, which will seek to access files on your system.
The software can wreak havoc by gaining access and stealing confidential information, damaging files, and even locking them and preventing access unless you pay a ransom.
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) and including options for virus removal will protect your computer, your privacy and your important documents from attack.
- Patch management
All devices and software are prone to technical vulnerabilities, and cyber criminals rarely need to discover new ones: once a vulnerability has been disclosed and shared publicly, it can be exploited within days.
Criminal hackers take advantage of these known vulnerabilities in operating systems and third-party applications wherever they have not been properly patched or updated.
Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.
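Patch management is easier to keep on top of when the organisation can see, for every host, which installed versions fall below a published fix and how long that fix has been waiting. Here is an added example (not code from the scheme or the blog) that works through a constructed software inventory against a constructed advisory list; the package names, versions, dates and severities are invented, and the 14-day deadline for high-severity fixes is a parameter the example assumes rather than something this blog states.

```python
from datetime import date

# Constructed advisories: (package, first fixed version, severity, disclosure date)
ADVISORIES = [
    ("openssl", "3.0.12", "high", date(2024, 1, 10)),
    ("nginx", "1.25.4", "high", date(2024, 2, 14)),
    ("curl", "8.6.0", "medium", date(2024, 1, 31)),
]

# Constructed inventory: (hostname, package, installed version)
INVENTORY = [
    ("web-01", "openssl", "3.0.9"),
    ("web-01", "nginx", "1.25.4"),
    ("web-01", "curl", "8.4.0"),
    ("db-01", "openssl", "3.0.13"),
]

def parse_version(version):
    """Dotted numeric versions compare correctly as integer tuples (3.0.13 > 3.0.12)."""
    return tuple(int(part) for part in version.split("."))

def patch_status(inventory, advisories, today, max_days=14):
    """List every installed package still below its fixed version.

    An entry is marked overdue when the advisory is high or critical and the fix
    has been available for longer than max_days (assumed deadline, see lead-in).
    """
    fixes = {pkg: (fixed, sev, disclosed) for pkg, fixed, sev, disclosed in advisories}
    report = []
    for host, pkg, installed in inventory:
        if pkg not in fixes:
            continue                                   # no known fix outstanding
        fixed, severity, disclosed = fixes[pkg]
        if parse_version(installed) >= parse_version(fixed):
            continue                                   # already patched
        days_open = (today - disclosed).days
        report.append({
            "host": host, "package": pkg, "installed": installed, "fixed": fixed,
            "severity": severity, "days_open": days_open,
            "overdue": severity in ("critical", "high") and days_open > max_days,
        })
    return report

def hosts_needing_urgent_action(report):
    """Hosts with at least one overdue high/critical fix, for the day's work list."""
    return sorted({entry["host"] for entry in report if entry["overdue"]})

if __name__ == "__main__":
    today = date(2024, 2, 20)                          # constructed "now"
    report = patch_status(INVENTORY, ADVISORIES, today)
    for entry in report:
        flag = "OVERDUE" if entry["overdue"] else "pending"
        print(f"{flag:8} {entry['host']:7} {entry['package']:8} "
              f"{entry['installed']} -> {entry['fixed']} ({entry['severity']}, {entry['days_open']}d)")
    print("urgent:", hosts_needing_urgent_action(report))
```

In practice the inventory comes from the package manager or an asset register and the advisories from vendor feeds; the useful output is the days_open column, because it turns "patch quickly" into a number that can be tracked.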
The ‘sixth control’
The five controls outlined in Cyber Essentials are fundamental technical measures for security, but you must remember that technology is only as effective as the people using it.
Employees are always liable to make mistakes, and organisations must mitigate the risk by conducting staff awareness training.
What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation).
Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).
Teaching your employees about all these issues might sound onerous, but it’s quite simple if you use an e-learning provider.
This enables employees to study at a time and place that suits them and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.
Free download: ‘Cyber Essentials: A guide to the scheme’
Cyber Essentials strikes the right balance: it gives third parties additional assurance of an organisation’s commitment to cyber security, while remaining a low-cost and straightforward way of demonstrating it.
Download our free guide for more information about Cyber Essentials and how it can help you guard against the most common cyber threats.
A version of this blog was originally published on 29 August 2018.