In this, the second of our three-part blog series, we go into detail about the first three of the five Cyber Essentials controls. We will also look at how to implement and maintain them to ensure compliance with Cyber Essentials.

We briefly mentioned the five controls in our last piece, but here they are again in a nutshell:

The five controls

1. Anti-Malware measures

2. Patch management

3. Firewalls

4. Applying Access Controls

5. Secure Configuration

The Cyber Essentials objective

Cyber Essentials was created with this aim in mind: ‘To prevent harmful code from causing damage or accessing sensitive data’. This is achieved by restricting the execution of known Malware and untrusted software.

Malware

Malware is any software that is designed to intentionally cause damage to a computer, server, client, or computer network.

Malware is one of the most common forms of computer virus on the planet. It attacks software and makes copies of itself, and then sends those copies to any computer or device that has any association with the original target, eventually causing irreparable damage and issues. The infection can cause many problems – varying from malfunctioning systems to data loss – all of which are capable of destroying a business from the inside out.

How does it work?

Cyber criminals use a variety of methods to get Malware onto your system. One example is a user browsing a compromised website and downloading a file from it; another is something as simple as opening an email and clicking a malicious link.

You can fight back

It can be very difficult to fight back against cyber attackers, but there are actions you can take to make things harder for them.

  • Only use manufacturer-approved shops for all downloads to mobiles and tablets. Apps purchased from an unknown source will not have been checked for Malware! Make it company policy that your staff do not download apps from unknown sources.
  • Install Anti-Virus software on all computers, both at work and at home. Most popular operating systems include a free type of Anti-Virus software, but these tools are not sufficient to make you secure! You need to purchase effective Anti-Virus software, all of which is very easy to use and is as simple as clicking ‘enable’ once downloaded. Smartphones and tablets can require different methods, but all contain end-user device (EUD) security guidance which is quick to find online.
  • You can run your apps in a ‘Sandbox’ – this will stop them from being able to communicate with other parts of your network or device, meaning that those other parts can’t be harmed.

    How do you stay compliant to Cyber Essentials requirements regarding Malware?

    In principle, it’s simple: Cyber Essentials Certification requires that you implement one of the three approaches listed above to protect your devices against malware. Next, we explore patch management.

    Patch Management

    Cyber Essentials – The objective

    ‘To ensure that devices and software are not vulnerable to known security issues for which fixes are available.’

    Keeping your devices and software up-to-date is more important than you think. If your devices aren’t equipped with the latest protection then you are leaving yourself vulnerable to problems and potentially incapacitating damage to your computer systems.

    One of the reasons that manufacturers release updates is to remedy any security vulnerabilities that have been discovered or to respond to new kinds of cyber threats. Set updates to be automatic wherever possible.

    All IT has a limited lifespan and technology is always improving; its capabilities are gradually becoming endless. Manufacturers are constantly innovating and finding new ways to get the absolute best out of tech in the most secure way possible. However, on the darker side, this is also true of cyber criminals and the tools they use for cyber attacks! This is why keeping devices and software updated is so important.

    As soon as your device or software is due to become unsupported by the provider, you should start considering a modern replacement that is backed up and therefore cyber secure. If this is not actioned, then the business increasingly jeopardises the safety of its systems over time.

    Cyber Essentials Accreditation – The requirements

    Cyber Essentials requires you to install updates within two weeks of their release if the vendor describes the patch as fixing flaws labelled ‘high’ or ‘critical’. Your software must be licensed, supported, and up to date wherever possible. You must also remove from devices all software that is no longer supported. If you comply with these requirements, it will help you to become certified. We now turn to firewalls.
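
The two-week rule and the unsupported-software rule above can be checked mechanically against a device inventory. This is an added example, not part of the original article or of the Cyber Essentials scheme documents; the inventory layout, device names and update IDs are constructed for illustration.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # "within two weeks of their release"
URGENT = {"high", "critical"}       # vendor severity labels named in the article

# Constructed sample inventory (not real data): one record per installed package.
INVENTORY = [
    {"device": "laptop-01", "software": "BrowserX", "supported_until": date(2026, 12, 31),
     "pending": [{"id": "UPD-1", "severity": "Critical", "released": date(2024, 3, 1)}]},
    {"device": "laptop-01", "software": "OfficeSuite", "supported_until": date(2026, 6, 30),
     "pending": [{"id": "UPD-2", "severity": "high", "released": date(2024, 3, 10)},
                 {"id": "UPD-3", "severity": "low", "released": date(2024, 1, 5)}]},
    {"device": "desktop-07", "software": "LegacyPDF", "supported_until": date(2023, 9, 30),
     "pending": []},
]

def audit(inventory, today):
    """Return a sorted list of (device, software, finding) tuples."""
    findings = []
    for item in inventory:
        where = (item["device"], item["software"])
        # Unsupported software must be removed, whatever its patch state.
        end = item.get("supported_until")
        if end is None:
            findings.append(where + ("support end date unknown: verify with vendor",))
        elif end < today:
            findings.append(where + (f"unsupported since {end}: remove",))
        for upd in item.get("pending", []):
            # Normalise the label so "Critical" and " high " are not missed.
            if upd["severity"].strip().lower() not in URGENT:
                continue  # outside the two-week rule; still apply when practical
            deadline = upd["released"] + PATCH_WINDOW
            if today > deadline:
                late = (today - deadline).days
                findings.append(where + (f"{upd['id']} overdue by {late} days",))
            else:
                findings.append(where + (f"{upd['id']} due by {deadline}",))
    return sorted(findings)

if __name__ == "__main__":
    for device, software, finding in audit(INVENTORY, date(2024, 3, 20)):
        print(f"{device:12} {software:12} {finding}")
```

A record with no known support end date is reported rather than silently passed, since an unknown lifecycle status cannot be shown to meet the "supported" requirement.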

    Firewalls

    Let’s examine how Firewalls work, the different types, and the various ways to configure them to satisfy the requirements of Cyber Essentials.

    What is a Firewall and what is its purpose?

    A Firewall is a security system that monitors and regulates your incoming and outgoing network traffic. The Firewall in your system creates a protective barrier between your trusted network and the wider internet.

    A Firewall works like the door to your home: it allows or denies flows in and out depending on whether it is open or closed, which in turn depends on, for example, the type of visitor at the door. Taking it a step further, the Access Controls that you choose act as ‘keys’ to your system.

    How do I go about configuring a Firewall?

    Small to medium businesses with only a handful of end-point devices can implement Firewall software at a device-level. A Firewall combined with other measures, such as Anti-malware software and being diligent with your patch management, should ensure your network’s security.

    How does this help with qualification for Cyber Essentials?

    To achieve compliance, you should protect every device in your network with Firewall protection. By managing those Firewall controls effectively, you are minimising risk.

    Once you have installed your Firewall software, consider the following to ensure enhanced protection:

  • Apply ‘rules’ to block activity that is untrusted. You will need to prove that the Firewall can handle high risk traffic.
  • Firewall configuration must be safeguarded by strong password protection. Administrators should use long, complex passwords (with numbers, letters, and punctuation) to ensure that their digital environment is the safest it can be.
  • Use software Firewalls if a device is going to be used outside of the protected business network. With remote working tools like laptops, tablets, and mobile phones being used on high-risk networks (such as public Wi-Fi), it is essential to use technical measures to ensure safety.
  • Allow permissions to employees based on who NEEDS to access that account or area. If several individuals require permissions, you should introduce additional access controls wherever possible.

    A Firewall is the first line of defence for your network and its devices. Firewalls are essential regardless of the Cyber Essentials accreditation, because your digital landscape can be easily attacked without one.

    In the next and final blog in the series, we will explore the last two controls: Access Controls and Secure Configuration. By the end of the series, you’ll have an overview of everything you need for accreditation and compliance with Cyber Essentials!

    Unlock value from your technology tools: Contact BCNS Today

    BCNS make business easier and more cost-effective by guaranteeing that you and your team are always connected to each other and your clients. We can also guarantee that your team are using the latest version of every application you need to ensure that your systems are secure, and that you are getting the best possible benefits from your tech. Our team of experts will assist you throughout the transition and beyond to be sure you achieve exactly what you desire. At the same time, we can reduce your expenses and improve your security and performance! Contact us now and find out how we can help you with your IT and move into a more productive and secure future.