Cyber Essentials: Secure Configuration

Secure configuration

Secure configuration refers to security measures that are implemented when building and installing computers and network devices to reduce unnecessary cyber vulnerabilities.

Security misconfigurations are one of the most common gaps that criminal hackers look to exploit. According to a recent report by Rapid7, internal penetration tests encounter a network or service misconfiguration 96% of the time.

Both the SANS Institute and the Council on CyberSecurity recommend that, following an inventory of your hardware and software, the most important security control is to implement secure configuration.

Why is secure configuration important?

Manufacturers often set the default configurations of new software and devices to be as open and multifunctional as possible. In the case of a router, for example, this could be a predefined password, or in the case of an operating system, it could be the applications that come installed.

It’s easier and more convenient to use new devices or software with their default settings, but doing so is not the most secure option. Accepting the default settings without reviewing them can create serious security issues and can allow cyber attackers to gain easy access to your data.

Web server and application server configurations play a crucial role in cyber security. Failure to properly configure your servers can lead to significant security problems.

Computers and network devices should also be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.

How to protect yourself

The UK government’s Cyber Essentials scheme sets out five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification to prove their compliance.

One of the scheme’s controls is secure configuration.

Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to Cyber Essentials is a prerequisite.


For computers and network devices, your organisation should routinely:

  • Remove and disable unnecessary user accounts;
  • Change default or guessable account passwords to something non-obvious;
  • Remove or disable unnecessary software;
  • Disable any auto-run feature that allows file execution without user authorisation; and
  • Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or data critical to running the organisation.

For password-based authentication, your organisation should:

  • Protect against brute-force password guessing by limiting attempts and/or the number of guesses allowed in a certain period;
  • Set a minimum password length of at least eight characters where MFA or a deny list of guessable passwords is also in use, and otherwise at least 12 characters, without imposing any maximum password length;
  • Change passwords promptly when the user knows or suspects they have been compromised; and
  • Have a password policy that informs users of best practices.
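The two password controls above that can be enforced mechanically (the length rule, including the deny-list condition, and the limit on guesses in a given period) are shown below as an added illustration. This is not code from the Cyber Essentials scheme or from IT Governance; the deny-list contents, the five-attempt limit per 15-minute window, and all function and class names are assumptions made for the example.

```python
"""Password-control checks modelled on the Cyber Essentials list above.

Added example, not code from the Cyber Essentials scheme or IT Governance.
Assumptions (not taken from the page): the deny-list contents, the default
attempt limit (5 failures per 900 seconds) and every name defined here.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Deque, List, Optional, Set
import time

# Constructed deny list of common, guessable passwords (assumption; a real
# deployment would load a much larger list from a file).
DENY_LIST: Set[str] = {"password", "password1", "qwerty", "letmein", "admin", "12345678"}


def check_password(candidate: str, mfa_enabled: bool = False,
                   deny_list: Optional[Set[str]] = DENY_LIST) -> List[str]:
    """Return the list of policy failures; an empty list means the password is acceptable.

    Minimum length is 8 when the control is backed by MFA or a deny list,
    otherwise 12. No maximum length is enforced, so long passphrases pass.
    """
    failures: List[str] = []
    backed = mfa_enabled or bool(deny_list)
    min_len = 8 if backed else 12
    if len(candidate) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if deny_list and candidate.lower() in deny_list:
        failures.append("appears on the deny list of guessable passwords")
    return failures


@dataclass
class LoginThrottle:
    """Brute-force limiter: at most `max_attempts` failed guesses per account
    within any `window_seconds` period. Timestamps are injectable so the
    behaviour can be tested without waiting."""
    max_attempts: int = 5
    window_seconds: int = 900
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)

    def _prune(self, username: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(username, deque())
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def allowed(self, username: str, now: Optional[float] = None) -> bool:
        """True if the account has not yet exhausted its guesses in the window."""
        now = time.time() if now is None else now
        return len(self._prune(username, now)) < self.max_attempts

    def record_failure(self, username: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._prune(username, now).append(now)

    def record_success(self, username: str) -> None:
        # A successful login clears the failure history for that account.
        self._failures.pop(username, None)


if __name__ == "__main__":
    print(check_password("password"))                       # deny-listed
    print(check_password("Tr0ub4dor", deny_list=set()))     # too short without backing
    print(check_password("correct horse battery", deny_list=set()))  # acceptable
    t = LoginThrottle(max_attempts=3, window_seconds=60)
    for i in range(3):
        t.record_failure("alice", now=100 + i)
    print(t.allowed("alice", now=103), t.allowed("alice", now=170))
```

The throttle keys on the account name rather than the source address, which is what the control asks for: limiting guesses against a given account regardless of where they come from. Locking out after a fixed number of failures is the simpler alternative to the sliding window, but a window lets legitimate users recover without an administrator resetting the account.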

The other four Cyber Essentials controls

Firewalls

Firewalls control the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.


Patch management

Patch management is the process of identifying, acquiring, installing and verifying patches for software and hardware components.


Malware protection

Malware protection is a type of security software that is designed to protect your computer from malicious software, also known as ‘malware’. Malware is designed to harm your computer, steal your data or take control of your computer.


Access control

Access control regulates who or what can view or use resources in a computing environment. It is a security measure that can be used to regulate which users have access to certain systems, data and files.


Secure your organisation with Cyber Essentials

With IT Governance, you can complete the entire certification process quickly and easily using our online portal for as little as £400.
