Cyber security for your organisation starts here
Five technical controls that you can put in place today, explained without jargon
1. Use a firewall to secure your Internet connection
You should protect your Internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks. In the simplest case, this means between your computer (or computers) and ‘the Internet’. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
Two types of firewall
You could use a personal firewall on your internet-connected laptop (normally included within your Operating System at no extra charge). Or, if you have a more complicated setup with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole. Some routers contain a firewall which can be used in this boundary protection role, but this can’t be guaranteed - ask your internet service provider about your specific model.
Cyber Essentials Certification requires that you use and configure a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks.
2. Choose the most secure settings for your devices and software
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.
Check the settings
So, you should always check the settings of new software and devices and, where possible, make changes which raise your level of security, for example by disabling or removing any functions, accounts or services which you do not require.
Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected. Passwords - when implemented correctly - are an easy and effective way to prevent unauthorised users from accessing your devices. Passwords should be easy to remember and hard for somebody else to guess. The default passwords which come with new devices, such as ‘admin’ and ‘password’, are the easiest of all for attackers to guess, so you must change all default passwords before devices are distributed and used. The use of PINs or Touch ID can also help secure your device. If you would like more information on choosing passwords, look at the NCSC’s password guidance.
For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.
Cyber Essentials Certification requires that only necessary software, accounts and apps are used.
3. Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Check what privileges your accounts have - accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.
Cyber Essentials Certification requires that you control access to your data through user accounts, that administration privileges are only given to those that need them, and that what an administrator can do with those accounts is controlled.
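As an added example (not part of this guidance) of the checklist item ‘know who has administrative privileges on your machine’: a short Python script that reads Linux passwd- and group-format data and reports which accounts hold administrative rights but are not on your approved list, including any account that has been given UID 0. The two sample files are constructed for the example, and ADMIN_GROUPS is an assumption about which groups confer admin rights on a given host.

```python
# Added example, not from the NCSC page: list who holds administrative
# privileges on a Linux host by reading passwd- and group-format data.
# The two samples below are constructed for this example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
svc:x:0:0:service account:/home/svc:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
users:x:100:alice,bob,carol
"""
# Groups assumed to confer administrative rights on this host.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

def parse_passwd(text):
    """Return {username: uid} for each passwd-format line."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users

def parse_group(text):
    """Return {groupname: set of member names} for each group-format line."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, members = line.split(":")[:4]
            groups[name] = {m for m in members.split(",") if m}
    return groups

def audit_admins(passwd_text, group_text, approved_admins):
    """Flag admin-group members not on the approved list, and any account
    other than root that has UID 0 (root rights without being named root)."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admins = set().union(*(groups.get(g, set()) for g in ADMIN_GROUPS))
    return {
        "unapproved_admins": sorted(admins - set(approved_admins)),
        "uid0_accounts": sorted(u for u, uid in users.items() if uid == 0 and u != "root"),
    }
```

On a real host, read /etc/passwd and /etc/group into the two text arguments and keep the approved list somewhere it is reviewed regularly.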
4. Protect yourself from viruses and other malware
Malware is software or web content that has been designed to cause harm. For example, the recent WannaCry attack used a form of malware which makes data or systems unusable until the victim makes a payment. Viruses are the most well-known form of malware. These programs infect legitimate software, make copies of themselves and send these duplicates to any computers which connect to their victim.
How malware works
There are various ways in which malware can find its way onto a computer. A user may open an infected email, browse a compromised website or open an unknown file from removable storage media, such as a USB memory stick.
Three ways to defend against malware
Antivirus software is often included for free within popular operating systems, and it should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and, if configured in accordance with the NCSC’s guidance, separate antivirus software might not be necessary.
You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware. You should prevent staff from downloading apps from unknown vendors/sources, as these will not have been checked.
For those unable to install antivirus or limit users to approved stores, there is another, more technical, solution. Apps and programs can be run in a ‘sandbox’. This prevents them from interacting with, and harming, other parts of your devices or network.
If you would like more information, have a look at the ‘10 steps to Malware Prevention’.
Cyber Essentials Certification requires that you implement one of the three approaches listed above, to protect your devices against malware.
5. Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Happily, doing so is quick, easy, and free.
Also known as ‘Patching’
Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered.
Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, software, devices and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released.
However, all IT has a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement.
Cyber Essentials Certification requires that you keep your devices, software and apps up to date.
Conclusion and Checklists
Once you have taken the time to investigate these five basic controls and put them in place, they will put you and your organisation on the path to better cyber security. Cyber Essentials Certification should be your next target, but you can progress towards that goal at a pace which suits you. In the meantime, why not check how much progress you've already made by completing the handy checklists laid out below.
Use a firewall to secure your internet connection
- Understand what a firewall is
- Understand the difference between a personal and a boundary firewall
- Locate the firewall which comes with your operating system and turn it on
- Find out if your router has a boundary firewall function. Turn it on if it does
Choose the most secure settings for your devices and software
- Know what 'configuration' means
- Find the Settings of your device and try to find a function that you don't need. Turn it off.
- Find the Settings of a piece of software you regularly use
- In the settings, try to find a function that you don't need. Turn it off.
- Read the NCSC guidance on passwords
- Make sure you're still happy with your passwords
- Read up about two-factor authentication
Control who has access to your data and services
- Read up on accounts and permissions
- Understand the concept of 'least privilege'
- Know who has administrative privileges on your machine
- Know what counts as an administrative task
- Set up a minimal user account on one of your devices
Protect yourself from viruses and other malware
- Know what malware is and how it can get onto your devices
- Identify three ways to protect against malware
- Read up about anti-virus applications
- Install an anti-virus application on one of your devices and test for viruses
- Research secure places to buy apps, such as Google Play and Apple App Store
- Understand what a 'sandbox' is
Keep your devices and software up to date
- Know what 'patching' is
- Verify that the operating systems on all of your devices are set to ‘Automatic Update’
- Try to set a piece of software that you regularly use to 'Automatic update'
- List all the software you have which is no longer supported