January 18 2023
As we continue our focus on basic cyber protections, we delve into a little more detail on the CE standard.
How does Cyber Essentials protect my organisation against cyber threats?
Cyber Essentials helps your organisation to mitigate 80% of cyber threats. Most commonly, cyber-attacks are carried out by relatively unskilled individuals, so Cyber Essentials is designed to give your organisation a common standard to protect against these attacks.
Cyber Essentials was introduced by the UK government, and the National Cyber Security Centre (NCSC) encourages all organisations that are based in or trading with the UK to implement either the Cyber Essentials or Cyber Essentials Plus scheme.
The areas of vulnerability that Cyber Essentials aims to assess include:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Controls
- Password Based Authentication
- Malware Protection
By implementing these technical controls, your organisation can defend itself against the most common cyber threats. So, here is a bit more information on each of the technical controls and how they help you to protect your business.
Firewalls can be hardware or software, and they provide technical protection between your network, devices, and the internet. If you do not have a firewall in place, then your devices will be less protected from cyber-attacks and malicious or unnecessary network traffic.
Secure Configuration refers to the default settings applied to your devices initially – this often includes default security and a standard publicly known password. These default security settings must be changed – devices must be secured with an administrator password and end user passwords.
Devices also often come with pre-installed applications; these are to be removed so that you only have applications that are necessary for your organisation’s functions. If they are not removed, and they do not receive regular updates – as is common with many unused applications – cyber criminals can exploit vulnerabilities within the applications.
Security Update Management intends to ensure that all devices and software are always up to date – an easy way to ensure this is adhered to is to enable auto-update. The auto-updates must include the latest patches and fixes to comply with Cyber Essentials. This also applies to servers, which must always be updated – it is recommended to do this immediately when an update is available.
Any devices that are out of scope, for example those running Windows XP, must be updated prior to a Cyber Essentials assessment because they no longer receive the security patches, fixes and updates required to ensure security, and will result in failure. This also applies to other devices such as phones and tablets.
If your devices are not regularly updated, cyber criminals can exploit vulnerabilities left exposed without the security patches, fixes, and updates.
User Access Controls should be regularly checked. Users should only be given access to the resources and data that are necessary for their role; this is the ‘Principle of Least Privilege’. If users require access to further resources, this can be granted upon review and on a temporary basis.
All users should have unique accounts, and they must not operate on an admin account for everyday tasks such as emails or invoicing. Operating the principle of least privilege helps to ensure that sensitive data that may be exploited does not end up in the hands of the wrong person, such as a cyber-criminal or malicious insider.
Password Based Authentication requires all accounts to have user authentication. This must be a secure password, meeting the requirements set out in your organisation’s password policy – e.g., minimum of 12 characters, capital and lower-case letters, and special characters. This will help to combat cyber-criminals gaining access to your information through methods such as brute force attacks and dictionary attacks.
If a user suspects their account has been compromised, there must be a process in place that allows users to change their password quickly and efficiently.
Malware Protection defends against malware, which is generally used to damage and steal information and is often used in conjunction with another type of attack, such as phishing. Malware includes software such as ransomware, spyware, and botnets. Once malware is installed on your device, it can steal and damage your data; therefore, your organisation must have a level of malware protection in place to prevent cyber-criminals from gaining access to your information.
Leaving yourself vulnerable
Without the protections that the Cyber Essentials certification ensures, you are leaving yourself vulnerable to attacks such as an SQL injection attack, which is one of the least sophisticated cyber-threats, but has the potential to lead to a huge, avoidable, data breach.
So, once you have attained the Cyber Essentials certification, and implemented a strong internal cyber secure culture, you can have confidence that your systems are secure, and your customer data is protected.
You can promote your Cyber Essentials certification on your website or social media platforms to attract new business, and it is also worth noting that it is a government mandate that you must have Cyber Essentials or Cyber Essentials Plus to attain government contracts.
The other 20% of cyber threats
So, we’ve discussed protecting your organisation from 80% of common cyber threats, but what about the other 20%?
There are measures that your organisation can take to combat mature cyber-criminals and their sophisticated methods of stealing data, which leads us on to the importance of penetration testing.
Penetration testing is a tool used to mimic the actions of a cyber-criminal to identify vulnerabilities within your network that may be used to gain access to and extract your information assets.
We also recommend understanding the measures your competitors take to protect their security and using this as a base level for the security measures that your organisation implements. Practice shows that most cyber crime is opportunistic and finds its target in the least protected. This means that having a higher level of protection than those around you gives you a far lower chance of becoming a target.
Hackers prey on the least protected so make sure you get at least 80% covered!