The ‘sixth control’ of Cyber Essentials

Anyone looking for guidance on the basic steps they should take to keep their organisation secure should follow Cyber Essentials.

This UK government scheme sets out five controls that can protect organisations from the most common types of cyber attack.

It doesn’t have the same in-depth focus as ISO 27001, the international standard for information security, but it’s a perfect solution for those who want to ensure that the fundamentals are being covered.

That said, we believe that organisations should add staff awareness training to the list of Cyber Essentials controls to ensure that threats are being dealt with as effectively as possible.


The five controls of Cyber Essentials

  1. Firewalls

Firewalls are designed to prevent unauthorised communication to or from private networks, but both hardware and software firewalls need to be properly configured to be fully effective.

Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet, and allow you to control where your users can go.

Antivirus software may help protect the system against unwanted programs, but a firewall helps keep attackers or external threats from getting access to your system in the first place.

  2. Secure configuration

Failure to properly configure your Internet-facing devices can lead to a wide variety of security problems. You must therefore ensure that all devices and software in your organisation are configured to minimise vulnerabilities and provide only the services that are required to fulfil their intended function.

You also need to make sure that any access to those devices is properly controlled. Default passwords should be replaced with unique, complex passwords and default admin accounts should be disabled.

Doing so helps prevent unauthorised actions being carried out, and ensures that each device publicly discloses only the minimum information about itself.

  3. User access control

Even though it’s convenient to give many users administrator rights, you must be careful about how many people have such privileges, because it creates new risks should a criminal hacker compromise an admin’s account.

Crooks generally target accounts that have administrator rights, as it gives them access to a wide range of applications and other sensitive data.

User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively and provide the minimum level of access.

  4. Malware protection

It is important to protect your organisation from malware, which can lay waste to your systems.

Malware can wreak havoc by stealing confidential information, damaging files or, in the case of ransomware, locking files and preventing access unless you pay a ransom.

Protecting against a broad range of malware and providing options for virus removal will protect your computers, your important information and your privacy.

  5. Patch management

Any software is prone to technical vulnerabilities and, once they’ve been discovered and shared publicly, cyber criminals rapidly exploit them if they aren’t properly patched or updated.

Regularly updating software and operating systems will fix known weaknesses. Doing this as quickly as possible is crucial to mitigating the risk of a criminal hacker exploiting them first: Cyber Essentials requires updates that fix vulnerabilities rated critical or high risk by the vendor to be applied within 14 days of release.
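The secure configuration, user access control and patch management controls above can each be reduced to a concrete check. The script below is an added example, not code from the original article or from the Cyber Essentials scheme itself: it runs three such checks over constructed sample data (a listener table in the shape of `ss -tlnH` output, `/etc/passwd` and `/etc/group` lines, and a list of pending updates). The allowlist of external ports, the set of authorised administrators and the pending-update records are assumptions made for the example; the 14-day window is the scheme's own requirement for critical and high-risk updates.

```python
"""Self-check for three Cyber Essentials controls, run over constructed
sample data.

Added example, not part of the original article or of the Cyber
Essentials scheme's own tooling. All inputs below are constructed, not
captured from a real host; on a live Linux system the listener text would
come from `ss -tlnH` and the account data from /etc/passwd and /etc/group.
"""
import datetime as dt

# --- Secure configuration: only required services should listen externally ---

# Constructed sample in the shape of `ss -tlnH` (State Recv-Q Send-Q Local Peer).
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 80 0.0.0.0:23 0.0.0.0:*
"""
# Assumed allowlist: this host is an SSH-managed HTTPS server.
ALLOWED_EXTERNAL_PORTS = {22, 443}


def exposed_unexpected_ports(ss_output, allowed=ALLOWED_EXTERNAL_PORTS):
    """Return ports bound to a non-loopback address that are not on the allowlist."""
    unexpected = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, port = fields[3].rsplit(":", 1)  # handles 0.0.0.0:22, *:443, [::1]:6379
        if addr == "[::1]" or addr.startswith("127."):
            continue  # loopback-only services are not reachable from the network
        if int(port) not in allowed:
            unexpected.add(int(port))
    return sorted(unexpected)


# --- User access control: admin rights only for authorised individuals ---

# Constructed passwd/group content; "admin" is a vendor default account with UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:vendor default:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
"""
# Assumed list of people approved to hold administrator rights.
AUTHORISED_ADMINS = {"root", "alice"}


def unauthorised_admins(passwd, group, authorised=AUTHORISED_ADMINS):
    """Return accounts with UID 0 or sudo/wheel membership that are not authorised."""
    admins = set()
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            admins.add(fields[0])
    for line in group.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] in ("sudo", "wheel") and fields[3]:
            admins.update(fields[3].split(","))
    return sorted(admins - authorised)


# --- Patch management: critical/high-risk updates applied within 14 days ---

PATCH_WINDOW = dt.timedelta(days=14)  # Cyber Essentials requirement for critical/high
# Constructed list of pending updates; severities as the vendor would rate them.
SAMPLE_PENDING = [
    {"package": "openssl", "severity": "critical", "released": "2024-03-01"},
    {"package": "vim", "severity": "low", "released": "2024-02-01"},
    {"package": "kernel", "severity": "high", "released": "2024-03-10"},
]


def overdue_patches(pending, today_iso, window=PATCH_WINDOW):
    """Return critical/high-risk packages whose fix has been available longer than the window."""
    today = dt.date.fromisoformat(today_iso)
    overdue = []
    for update in pending:
        if update["severity"] not in ("critical", "high"):
            continue  # low/medium updates are outside the 14-day rule
        if today - dt.date.fromisoformat(update["released"]) > window:
            overdue.append(update["package"])
    return overdue


def cyber_essentials_report(today_iso):
    """Run all three checks against the constructed samples; empty lists mean OK."""
    return {
        "unexpected_ports": exposed_unexpected_ports(SAMPLE_LISTENERS),
        "unauthorised_admins": unauthorised_admins(SAMPLE_PASSWD, SAMPLE_GROUP),
        "overdue_patches": overdue_patches(SAMPLE_PENDING, today_iso),
    }


if __name__ == "__main__":
    for check, findings in cyber_essentials_report("2024-03-20").items():
        print(f"{check}: {findings or 'OK'}")
```

Against the constructed data the report flags telnet (port 23) listening on all interfaces, the vendor default `admin` account and `bob` holding administrator rights without authorisation, and the `openssl` update that has sat unapplied for 19 days. Swapping the sample strings for real `ss`, `/etc/passwd`, `/etc/group` and package-manager output turns this into a quick self-assessment before a Cyber Essentials submission.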


The sixth control

The five controls outlined in Cyber Essentials are fundamental technical measures for security, but you must remember that technology is only as effective as the people using it.

Employees are always liable to make mistakes, and organisations must take appropriate measures to mitigate the risk. The best way to do that is with staff awareness training.

What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation). Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).

Meanwhile, there are topics that almost every employee should study, like information security, phishing and the security risks associated with social media.

Teaching your employees about all of these issues might sound onerous, but it’s actually quite simple if you use an e-learning provider.

This enables employees to study at a time and place that suits them, and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.

Get started with e-learning

Our Complete Staff Awareness E-learning Suite offers a quick, affordable and comprehensive solution to your training needs.

The suite contains all eight of our e-learning courses, covering essential topics such as the GDPR, ISO 27001 and phishing. All you need to do is purchase a licence for the number of staff taking the courses.

The suite is available on a one-year, easily renewable licence, and the courses can be taken as many times as you like throughout the year.