Your Cyber Essentials Checklist: How to review your cyber security
After the question, ‘Do we have the cyber security we need?’, often comes the next question, ‘How do we know?’
If you’re reviewing your cyber security, but you don’t know what you’re aiming for, then you can find yourself
- investing heavily, but still leaving areas exposed
- spending more than you need to stay safe
- protecting all areas of your system, just not enough to be truly secure
You need a yardstick to measure your cyber security, so that when you’re building your protection, you know what the foundations are and how you lay them.
The National Cyber Security Centre (NCSC) created the Cyber Essentials scheme so that organisations can assess and certify their cyber security fundamentals. It is the perfect way to establish how secure your business is, and to set a target for improvement.
What is Cyber Essentials?
The NCSC describes most cyber crime as “the digital equivalent of a thief trying your front door to see if it’s unlocked”. Essentially, Cyber Essentials certifies that a business has its digital doors locked.
If it sounds basic, that’s because it is. However, a surprising number of businesses aren’t compliant with the Cyber Essentials criteria. Only 14% of businesses know about the scheme, and only 6% have the certification.
It’s a surprisingly low uptake, considering that having the certification gives you automatic cyber liability insurance (if your turnover is under £20 million), and that Cyber Essentials is one of the minimum requirements for a business hoping to bid for a lot of government contracts.
So, what is on the Cyber Essentials checklist?
- Secure configuration
- User access control
- Malware protection
- Security update management
For each of those areas, there is a range of conditions your business will need to meet to get the Cyber Essentials certification.
The first step though, will be to establish what is in ‘scope’, so that you focus your efforts on protecting the areas that need attention, and you don’t spend excess time on things that don’t.
What is in scope for a Cyber Essentials checklist?
The short answer is that most systems and devices for business use are in scope, so the cyber essentials checklist will apply to them. However, some things are more complex than ‘yes’ or ‘no’, or aren’t assessed as part of a basic Cyber Essentials assessment.
For example, if your team members use personal devices at work, those devices are in scope if they use operational data or use the same services as the business’s own devices, but they’re not in scope if they’re only used for Multifactor Authentication (MFA) or the apps that are native to the device.
The routers that your hybrid employees own are not in scope, even if they use them for remote work. However, the device they work on (almost certainly a laptop) will be in scope, and it will need suitable protection.
Having established where to apply the cyber essentials checklist, here are the five areas that you need to assess.
The old-fashioned approach to a firewall was to place on around all internet-facing systems and devices so that malware would find it difficult to enter. That’s still part of a modern firewall strategy, but the current approach is to include firewalls between systems, not just facing outward. Then, if malware does manage to penetrate one layer of defence, it doesn’t have the freedom of your whole IT system.
Here are the Cyber Essentials requirements for your firewalls.
- You must change the default admin password, and the new one must be hard to guess
- Your firewall cannot allow administrative access from the internet, except for documented business needs. In that case, it either needs a Multi-Factor Authentication login, or a small list of trusted IP addresses that can access it (with a password)
- Firewall must block unauthenticated inbound connections
- An authorised person must approve all rules for inbound connections, document those rules, and include the business need for each
- Immediately remove access cases that are no longer required
- Install firewall on devices that use (or may use) untrusted networks (e.g. public Wi-Fi)
You could think of the Secure Configurations element of Cyber Essentials as the ‘housekeeping’ of your IT security.
You need to assess and maintain the hygiene of your IT system. Over time, if you don’t keep on top of the software, accounts, permissions, and privileges that you have set up, then you can have a system full of obsolete profiles and applications that represent a risk to your security.
- Disable and delete unnecessary user accounts (like guest accounts and former employees’ accounts)
- Replace all passwords that are easy to guess or discover (including all default passwords)
- Remove software and services that you don’t need
- Do not allow auto-run features (settings that allow file execution without authorisation)
- Make all data and services authenticate users before allowing access
- Use device locking controls (e.g. device locks after 10 unsuccessful login attempts)
User access control
Make sure that you’re following basic best practice for logins, passwords, and system access.
The more people who have access to systems, the greater the risk. Be deliberate and controlled with who has a login to what — only have as many users as essential, and be sure to remove the accounts and credentials that are no longer relevant.
- Set an approval process for the creation of user accounts
- Give users unique credentials and base access on passwords or pins
- Disable accounts after a defined period of inactivity, and when a user leaves the business
- Remove privileged access when no longer necessary (e.g. after a change of role)
- Use multi-factor authentication (MFA), when possible (and always for cloud services)
- Create separate accounts that are for administrative tasks and nothing else (e.g. no web browsing or email accounts)
Keeping malware out of your systems is more thorough and proactive than installing some antivirus software. It involves a series of principles and protocols that you need to apply and practise.
- Keep all anti-malware software up to date (update signature files at least daily)
- Configure software to scan files whenever accessed, downloaded, or opened
- Scan all webpages for malware when accessed through a browser
- Prevent access to malicious websites
- List approved applications and prevent the installation of software that is not included
- ‘Sandbox’ code with an unknown origin — run the code isolated from other resources
Security update management
Out-of-date software is a very easy target for cyber criminals. Software updates address weaknesses in the system which cyber threats have discovered or learned to exploit. If you don’t update your software, it’s like not replacing a broken door to your house — it’s not hard for anyone to get in.
Some businesses do diligently update their software, but don’t realise when their supplier stops providing updates. That ‘end-of-life’ software is no longer supported, so it’s no longer secure.
- Ensure your software is all licensed by the provider
- Ensure the provider is still supporting the software
- Remove all software that is no longer supported
- Update the software within 14 days of the update’s release
- Enable all available automatic updates
- If the update requires manual configuration changes, apply those also within 14 days
The next steps to getting the Cyber Essentials Certification
The Cyber Essentials certification involves a self-assessment to declare that you meet the criteria. Having read all of the above, you may be aware of areas where your processes or your systems aren’t up to scratch.
At Arc, we run cyber securities reviews based on the Cyber Essentials checklist you read here. We can assess where you might need to tighten up your cyber security, and advise you on how to do it. Then, you can confidently pursue your Cyber Essentials certification.
Book your review here.