Essential security – Cyber Essentials and its 5 controls

Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets, and they don’t spend countless hours staking out and researching their targets.

Instead, they’re more opportunistic, looking for poorly protected targets. Just as an organised house burglar might send out scouts looking for signs of poorly safeguarded properties, the modern cyber criminal will send out phishing emails or network scans looking for vulnerable systems.

In a single day they can assess millions of potential targets. Attacks often target as many devices, services or users as possible using the ‘openness’ of the Internet.

Back to basics: security controls to help prevent around 80% of cyber attacks

The Cyber Essentials scheme is a world-leading, cost-effective assurance mechanism for companies of all sizes to help demonstrate to customers and other stakeholders that the most important cyber security controls have been implemented. The scheme provides five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”.

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs (small and medium-sized enterprises) to be light-touch and achievable at low cost.

Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.

What are the five controls?

If a cyber criminal is explicitly targeting your organisation using bespoke tools they have created to gain access, then Cyber Essentials will perhaps not be adequate to protect your systems. But for the more common and freely available hacking tools, it is an excellent starting point to help keep your head below the parapet. It covers the following key areas:

1. Choose the most secure settings for your devices and software

Web server and application server configurations play a key role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems. Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function. This will help prevent unauthorised actions being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A scan can reveal opportunities for exploitation through insecure configuration.

2. Use a firewall to secure your Internet connection

Firewalls are designed to prevent unauthorised access to or from private networks, but they must be set up well, whether in hardware or software, to be fully effective. Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go. Although antivirus software helps to protect the system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place. The security a firewall provides can be adjusted, like any other control function, through its configuration (in other words, the firewall ‘rules’).

3. Control who has access to your data and services

It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker being presented with open access to your information. Obtaining administrator rights is a key objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data. Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation. User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.

4. Keep your devices and software up to date

Cyber criminals often exploit widely known vulnerabilities. Any software is prone to technical vulnerabilities. Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cyber criminals. Criminal hackers take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated. Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.

5. Protect yourself from viruses and other malware

It is important to protect your business from malicious software, which will seek to access files on your system. Such software can wreak havoc by gaining access and stealing confidential information, damaging files, or even locking them and preventing access unless you pay a ransom. Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), and including options for virus removal, will protect your computer, your privacy and your important documents from attack.
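As an illustration of control 3, the check below lists accounts on a Linux host that hold administrator rights without being on an approved list. It is an added example, not part of the Cyber Essentials scheme or the original article; the admin group names, the approved list and the sample `/etc/passwd` and `/etc/group` contents are constructed assumptions.

```python
# Added example: all names and sample data below are constructed for illustration.
ADMIN_GROUPS = {"sudo", "wheel", "adm"}   # assumption: groups that grant admin rights
AUTHORISED_ADMINS = {"root", "alice"}     # assumption: the organisation's approved list

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
backup:x:0:1003:Backup:/home/backup:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,carol
alice:x:1000:
carol:x:1002:
backup:x:1003:
"""

def parse_groups(text):
    """Return {gid: (name, set_of_members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def find_unauthorised_admins(passwd_text, group_text,
                             admin_groups=ADMIN_GROUPS, authorised=AUTHORISED_ADMINS):
    """Return {user: sorted reasons} for admin-capable accounts not on the approved list."""
    groups = parse_groups(group_text)
    findings = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, uid, gid = line.split(":")[:4]
        reasons = set()
        if int(uid) == 0:                      # a second UID 0 account is root by another name
            reasons.add("uid 0")
        primary = groups.get(int(gid))
        if primary and primary[0] in admin_groups:   # admin via primary group, easy to miss
            reasons.add(f"primary group {primary[0]}")
        for name, members in groups.values():        # admin via supplementary membership
            if name in admin_groups and user in members:
                reasons.add(f"member of {name}")
        if reasons and user not in authorised:
            findings[user] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for user, reasons in find_unauthorised_admins(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: {', '.join(reasons)}")
```

On a real host, pass the contents of `/etc/passwd` and `/etc/group` in place of the sample strings and set the two sets to match local policy.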

Free download: ‘Cyber Essentials: A guide to the scheme’  

The Cyber Essentials scheme offers the right balance between providing additional assurance of an organisation’s commitment to implementing cyber security to third parties, and retaining a simple and low-cost mechanism for doing so.

For further information about the Cyber Essentials scheme and how it can help you guard against the most common cyber threats, download our free guide.

