Cyber Essentials: The Five Controls

Five key controls cyber essentials

Cyber Essentials is a government-backed scheme designed to empower businesses to protect themselves from online threats that threaten their very survival, as well as to demonstrate a cyber security-focused mindset to their clients. Since it was introduced in 2014 many businesses across the country have achieved accreditation.

The Five Controls of Cyber Essentials

There are five technical controls your organisation must have in place to attain Cyber Essentials certification. These are:

  1. Firewalls
  2. Secure Configuration
  3. Applying Access Controls
  4. Anti-Malware Measures
  5. System Maintenance

Let’s explore these in further detail.

Firewalls

The Firewall is a network security system that monitors and controls the various forms of network traffic that travel through your system daily – all based on predefined security rules. Firewalls are the barriers that separate your network from the internet. As the gatekeeper, it allows and disallows access.

By blocking unauthorised access to your network, firewalls prevent others from controlling your data or accessing your systems, while allowing secure access to those outside your network whom you do wish to allow access.

It is a MUST that all devices in your network have Firewall protection. To ensure that you are protected to the best possible standard, you should make some further considerations after you install your firewall software:

The presence of a firewall alone is not enough – you need to prove that you are blocking high-risk traffic as well.

Protect your Firewall configuration with strong passwords. It is recommended that administrators use long, complex passwords with numbers, letters, and punctuation – the more complex the password, the harder it will be to guess.

Devices used outside of the business network must be protected with a software firewall. Using remote working devices (your laptops, phones, and tablets) on high-risk networks (e.g., public Wi-Fi) requires technical security measures. In general, we recommend avoiding public Wi-Fi.

Secure Configuration

Secure Configuration is the second of the five controls. The goal is to make device and software settings as secure as possible. Proactive IT management is the key to achieving this goal.

As far as security is concerned, the default security settings on Windows are never adequate to protect your system.

To allow users to experience the new device as fluidly as possible, the factory settings are designed to be as unrestrictive as possible. Users can also customise the settings to suit their own needs.

For Cyber Essentials certification, settings must be reconfigured to ensure that higher levels of security are enforced.

Applying Access Controls

Access to data must be controlled. Access to administrative accounts needs to be controlled, and privileges should be granted only when absolutely necessary.

The user accounts in your business allow you to access all applications and devices, as well as sensitive information about your clients. Allowing only authorised personnel to have access to accounts that reflect their roles in the organisation greatly reduces the risk of damaging or stealing your data.

A breach of an account with privileged access to devices, applications, and information could have devastating consequences. Even worse, they could facilitate a large-scale attack at a later date, causing even more damage – financially, operationally, and reputationally.

Cyber Essentials certification requires the following:

  1. You have full control over all user accounts and the access privileges of each of them
  2. You must have user account creation and approval processes in place
  3. Users must be authenticated before granting access to application devices, and all credentials for each must be entirely unique
  4. Special access privileges to individual accounts must be removed when no longer required
  5. User accounts must be disabled when no longer required

Anti-Malware Measures

Make sure you take all necessary steps to prevent Malware from penetrating your systems. If you fail to do so, you will fall short of the standards required for Cyber Essentials accreditation.

Install software only from trusted sources. In the Apple App store and Google Play, for instance, whole teams of experts constantly monitor the apps for malware. Even though an unknown source may offer a cheap app, it could open the floodgates to malware.

It is essential that you protect every computer and device you use, both at home and at work, with anti-virus software. However, free anti-virus software on most operating systems is typically unable to protect your systems adequately since they are basic and offer little protection against modern, sophisticated cyber attacks.

System Maintenance

Updating devices and software is essential, since using devices and software that have updates available but not installed leaves them vulnerable to security risks and prevents you from achieving Cyber Essentials certification.

Cyber Essentials takes a slightly lenient approach in this area. They require that you install updates within two weeks of their release if the vendor describes the patch as fixing ‘high’ or ‘critical’ flaws – at least that gives you time to prepare for the update, so you don’t have to stop production immediately. In every case, you should ensure that your software is licensed, supported, and up-to-date. It is also necessary to remove all software from devices that are no longer supported.

If your business runs a piece of legacy software that is no longer being updated, but is still required, use a ‘Sandbox’. The Sandbox stops your apps from communicating with other parts of your network, so they cannot be harmed.

Your Success is Our Success

We’re a young, fun, and enthusiastic bunch of down-to-earth people that strive to relieve our clients’ IT headaches. We do love to engage and create enjoyable relationships with our clients, but, ultimately, we’re here to help your business to run smoothly and securely. Our team has many years of experience in IT Consultancy, Website Development, Email/Web Hosting, Server Builds/Installations/Maintenance, Network Issues, and IT Security… and more! Contact us now to find out how we can help you.

Five key controls cyber essentials  CTA

About Provident

From ad-hoc technical support through to fully managed IT support, the Provident IT team can be your own internal IT department – but with more resources and lower costs. We work with businesses of all sizes and in all kinds of different capacities, with a proven track record for improving productivity, increasing security and reducing IT spend for our clients.

Recent Posts