Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets, and they don’t spend countless hours staking out and researching their targets.
Instead, they tend to be opportunistic, looking for any available target. In that regard, you can think of them like a burglar; sure, they’re aware of high-value marks, but it’s more effective to go after easier targets.
And just as a burglar will look for those marks by scouting neighbourhoods and looking for empty houses and easy access, cyber criminals will look for poor security practices by sending phishing emails or conducting network scans.
In a single day, cyber criminals can assess millions of potential targets. Attacks often target as many devices, services or users as possible, taking advantage of the ‘openness’ of the Internet.
Basic security controls prevent about 80% of cyber attacks
Cyber Essentials is a government-backed scheme that outlines basic steps that organisations can take to secure their systems. Implementing the five controls effectively will help you prevent about 80% of cyber attacks.
The Assurance Framework, leading to the awarding of Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs (small and medium-sized enterprises) to be light-touch and achievable at low cost.
Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.
What are the five controls?
- Firewalls
These are designed to prevent unauthorised access to or from private networks, but they must be set up properly, whether in hardware or software, to be fully effective.
Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.
Although antivirus software helps to protect the system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place.
The security provided by the firewall can be adjusted, like any other control function, by changing its settings (in other words, the firewall ‘rules’).
- Secure configuration
Web server and application server configurations play a key role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.
This will help prevent unauthorised actions being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A scan can reveal opportunities for exploitation through insecure configuration.
- User access control
It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker being presented with open access to your information.
Obtaining administrator rights is a key objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data. Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.
User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
- Malware protection
It is important to protect your business from malicious software, which will seek to access files on your system.
Such software can wreak havoc by gaining access and stealing confidential information, damaging files, and even locking them and preventing access unless you pay a ransom.
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) and including options for virus removal will protect your computer, your privacy and your important documents from attack.
- Patch management
Cyber criminals often exploit widely known vulnerabilities. Any software is prone to technical vulnerabilities.
Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cyber criminals.
Criminal hackers take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.
Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.
The ‘sixth control’
The five controls outlined in Cyber Essentials are fundamental technical measures for security, but you must remember that technology is only as effective as the people using it.
Employees are always liable to make mistakes, and organisations must mitigate the risk by conducting staff awareness training.
What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation). Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).
Teaching your employees about all of these issues might sound onerous, but it’s actually quite simple if you use an e-learning provider.
This enables employees to study at a time and place that suits them, and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.
Cyber Essentials offers the right balance between providing additional assurance of an organisation’s commitment to implementing cyber security to third parties, and retaining a simple and low-cost mechanism for doing so.
A version of this blog was originally published on 29 August 2018.