The Cyber Essentials scheme is a world-leading assurance mechanism for organisations of all sizes to help demonstrate that the most critical cyber security controls have been implemented.
To highlight the importance and usefulness of the Cyber Essentials scheme, we’ve produced a series of blog posts summarising each of the five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”.
This blog covers access controls. Most organisations have some form of authentication, but inconsistent or weak authorisation procedures can create vulnerabilities that need to be identified and fixed.
Deficient access controls result in security breaches
Any organisation whose employees connect to the Internet needs some level of access control in place. Access controls authenticate and authorise individuals to obtain information that they are permitted to see and use. Without appropriate access control there is no data security, as the following examples highlight:
- Deloitte: one of the big four accountancy firms suffered a serious hack when its global email server was compromised through an “administrator’s account” that provided privileged, unrestricted “access to all areas”.
- eBay: the names, addresses, dates of birth, phone numbers and encrypted passwords of 145 million users were compromised when cyber criminals got into the organisation’s network using employee credentials.
- Sony Pictures Entertainment: suffered a huge data breach, which Fortune called “the hack of the century”. A simple social engineering scam tricked Sony executives into giving their usernames and passwords.
Secure your access controls
Put simply, access control is a selective restriction of access to data. It consists of two elements:
- Authentication – a technique used to verify the identity of a user.
- Authorisation – determines whether a user should be given access to data.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers, the Cloud, offices and beyond.
Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. There are four main models:
- Discretionary access control: a user has control over the programs the organisation owns and executes, and also determines the permissions other users have to those files and programs. It is commonly referred to as a ‘need-to-know’ access model.
- Mandatory access control: only the administrator defines the usage and access policy, which cannot be modified by users, and the policy indicates who has access to which programs and files.
- Role-based access control: provides access based on a user’s role and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can only access information that is required for their role.
- Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.
Whichever model you adopt, it’s important to keep access to your data to a minimum. This will help limit the opportunities for a criminal hacker to access your information.
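As an added illustration of the role-based model described above (not code from the Cyber Essentials scheme or IT Governance), the following Python sketch applies ‘least privilege’ by giving each role only the permissions it needs, and ‘separation of privilege’ by refusing to let one person hold two roles that together would let them both raise and approve an invoice. The roles, permissions and users are hypothetical.

```python
"""Toy role-based access control with least privilege and separation of privilege.

Added example, not the scheme's own code. Role names, permissions and the
conflicting-role table are hypothetical and chosen for illustration.
"""
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions that role needs.
ROLE_PERMISSIONS = {
    "finance_clerk": {"invoice:create", "invoice:read"},
    "finance_approver": {"invoice:read", "invoice:approve"},
    "hr_reader": {"payroll:read"},
    "sysadmin": {"server:configure", "account:manage"},
}

# Separation of privilege: no single person may hold both roles in a pair,
# so the person raising an invoice can never be the one approving it.
CONFLICTING_ROLES = {frozenset({"finance_clerk", "finance_approver"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any combination that breaks separation of privilege."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    for held in user.roles:
        if frozenset({held, role}) in CONFLICTING_ROLES:
            raise PermissionError(f"{user.name}: {role} conflicts with {held}")
    user.roles.add(role)


def is_authorised(user: User, permission: str) -> bool:
    """Authorisation check: allowed only if some held role grants the permission."""
    return any(permission in ROLE_PERMISSIONS[r] for r in user.roles)


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "finance_clerk")
    print(is_authorised(alice, "invoice:create"))   # True
    print(is_authorised(alice, "invoice:approve"))  # False: not granted by her role
    try:
        assign_role(alice, "finance_approver")      # refused: conflicting role
    except PermissionError as exc:
        print(exc)
```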
Poor management of privileged accounts results in severe security breaches
Accounts with privileged access are a prime target for cyber criminals. This is because they offer more access than normal user accounts, enabling unrestricted access to sensitive information as well as administrative rights that can be used to gain control of the network.
Convenience sometimes results in many users having administrative rights, which can create opportunities for exploitation. User accounts with special access privileges should only be assigned to authorised individuals and managed effectively.
How to protect yourself
Cyber Essentials can help your organisation confirm that user accounts are assigned to authorised individuals only, and that they provide access only to those applications, computers and networks required for the user to perform their role.
For secure access control, your organisation should routinely:
- Authenticate users before granting access to applications or devices, using unique credentials;
- Remove or disable user accounts when no longer required;
- Implement two-factor authentication, where available;
- Use administrative accounts to perform administrative activities only; and
- Remove or disable special access privileges when no longer required.
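The routine checks listed above can be turned into a simple audit. The following Python example is added here and is not tooling from IT Governance or the Cyber Essentials scheme; the account inventory, its field names and the 90-day inactivity threshold are constructed assumptions, standing in for an export from a directory or identity provider.

```python
"""Audit a user-account inventory against the access-control checklist above.

Added example with a constructed inventory; the record fields (admin, mfa,
shared, mailbox, leaver, last_login) and the STALE_AFTER threshold are
hypothetical and would be replaced by a real directory export and policy.
"""
from datetime import date, timedelta

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"user": "alice", "admin": False, "mfa": True, "shared": False, "mailbox": True, "leaver": False, "last_login": "2024-05-02"},
    {"user": "bob", "admin": True, "mfa": False, "shared": False, "mailbox": True, "leaver": False, "last_login": "2024-04-28"},
    {"user": "carol", "admin": False, "mfa": True, "shared": False, "mailbox": True, "leaver": True, "last_login": "2023-11-14"},
    {"user": "helpdesk", "admin": True, "mfa": True, "shared": True, "mailbox": False, "leaver": False, "last_login": "2024-05-01"},
    {"user": "dave", "admin": False, "mfa": True, "shared": False, "mailbox": True, "leaver": False, "last_login": "2023-12-20"},
]

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold for review


def audit(accounts, today: date) -> dict:
    """Return {username: [findings]} for every account that breaks a control."""
    findings = {}
    for acc in accounts:
        issues = []
        idle = today - date.fromisoformat(acc["last_login"])
        if acc["shared"]:  # unique credentials: actions must be attributable to one person
            issues.append("shared credential: cannot attribute actions to an individual")
        if acc["leaver"]:  # remove or disable accounts no longer required
            issues.append("account belongs to a leaver: remove or disable")
        elif idle > STALE_AFTER:
            issues.append(f"no login for {idle.days} days: review and disable if unused")
        if acc["admin"] and not acc["mfa"]:  # two-factor authentication where available
            issues.append("administrative account without two-factor authentication")
        if acc["admin"] and acc["mailbox"]:  # admin accounts for admin activities only
            issues.append("administrative account has a mailbox: likely used for day-to-day work")
        if acc["admin"] and acc["shared"]:  # remove special privileges no longer justified
            issues.append("special access privilege on a shared account: remove")
        if issues:
            findings[acc["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, date(2024, 5, 10)).items():
        print(user, "->", "; ".join(issues))
```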
Secure your organisation with Cyber Essentials
Being Cyber Essentials certified demonstrates your commitment to cyber security. The details of any organisation that has Cyber Essentials certification can be found at:
By implementing the scheme, you can:
- Benefit from security controls to help prevent 80% of attacks;
- Demonstrate security to increase your chance of securing business;
- Work with the UK government and MoD; and
- Reduce cyber insurance premiums.
With IT Governance, you can complete the entire certification process quickly and easily using our online portal for as little as £300.