Anyone looking for advice on how they can protect themselves from security incidents should consider Cyber Essentials.
This UK government scheme sets out five controls that, when implemented properly, can protect organisations from 80% of cyber attacks.
It doesn’t have the same in-depth focus as ISO 27001, the international standard for information security, but it’s a perfect solution for those who want comprehensive guidance on the fundamentals of cyber security.
The five controls of Cyber Essentials
- Firewalls
Firewalls are designed to prevent unauthorised communication to or from private networks, but both hardware and software need to be properly set up to be fully effective.
Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet, and allow you to control where your users can go.
Antivirus software may help protect the system against unwanted programs, but a firewall helps keep attackers or external threats from getting access to your system in the first place.
- Secure configuration
Failure to properly configure your Internet-facing devices can lead to a wide variety of security problems. You must therefore ensure that all parts of your organisation are configured to minimise vulnerabilities and provide only the services that are required to fulfil their intended function.
You also need to make sure that any access to those devices is properly controlled. Default passwords should be replaced with unique, complex passwords, and default admin accounts should be disabled.
Doing so helps prevent unauthorised actions and ensures that each device discloses only the minimum information about itself.
- User access control
It may be convenient to give administrator rights to all relevant employees, but you must be careful about how many people have such privileges, because every additional admin account creates new risk should a criminal hacker compromise it.
Criminals generally target accounts that have administrator rights, as it gives them access to a wide range of applications and other sensitive data.
User accounts, particularly those with special access privileges, should be assigned only to authorised individuals and managed effectively.
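The secure configuration and user access control points above translate directly into checks an assessor can run over an asset inventory. The script below is an added example, not part of the original article or of the Cyber Essentials scheme itself: it takes a constructed inventory of devices and accounts and reports services a device does not need for its role, default or empty passwords, default admin accounts that are still enabled, and admin rights held by anyone outside an authorised list. The role-to-service mapping, default credential lists and sample hosts are all assumptions made for the example.

```python
"""Added example: audit a constructed inventory against the secure-configuration
and user-access-control principles. Not from the article; all data is assumed."""
from dataclasses import dataclass

# Constructed: credentials an assessor would expect to have been replaced.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345", ""}
# Constructed: built-in administrative account names that should be disabled.
DEFAULT_ADMIN_ACCOUNTS = {"admin", "root", "administrator"}
# Assumption: the only services each device role needs to fulfil its function.
REQUIRED_SERVICES = {
    "web": {"https"},
    "fileserver": {"smb"},
    "router": {"ssh"},
}


@dataclass
class Account:
    name: str
    password: str
    is_admin: bool
    enabled: bool = True


@dataclass
class Device:
    host: str
    role: str
    services: set
    accounts: list


def audit_device(device):
    """Secure configuration: minimal services, no default credentials or accounts."""
    findings = []
    extra = device.services - REQUIRED_SERVICES.get(device.role, set())
    for svc in sorted(extra):
        findings.append(f"{device.host}: service '{svc}' not required for role '{device.role}'")
    for acct in device.accounts:
        if acct.enabled and acct.password in DEFAULT_PASSWORDS:
            findings.append(f"{device.host}: account '{acct.name}' uses a default or empty password")
        if acct.enabled and acct.name in DEFAULT_ADMIN_ACCOUNTS:
            findings.append(f"{device.host}: default admin account '{acct.name}' is still enabled")
    return findings


def audit_admin_rights(devices, authorised_admins):
    """User access control: every enabled admin account must belong to an authorised person."""
    findings = []
    for d in devices:
        for acct in d.accounts:
            if acct.enabled and acct.is_admin and acct.name not in authorised_admins:
                findings.append(
                    f"{d.host}: '{acct.name}' has admin rights but is not an authorised administrator"
                )
    return findings


def run_audit(devices, authorised_admins):
    findings = []
    for d in devices:
        findings.extend(audit_device(d))
    findings.extend(audit_admin_rights(devices, authorised_admins))
    return findings


# Constructed sample inventory for the example.
SAMPLE_DEVICES = [
    Device("web01", "web", {"https", "telnet"}, [
        Account("admin", "admin", True),            # default account with default password
        Account("alice", "Tr0ub4dor&3!x9", True),   # authorised administrator
    ]),
    Device("fs01", "fileserver", {"smb"}, [
        Account("bob", "correct-horse-battery", True),        # admin, but not authorised
        Account("administrator", "x", True, enabled=False),   # disabled default: acceptable
    ]),
]
AUTHORISED_ADMINS = {"alice"}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_DEVICES, AUTHORISED_ADMINS):
        print(finding)
```

Run against the sample data it reports five findings: the unneeded telnet service on web01, the default password and still-enabled default account on web01, and two unauthorised admin accounts (the built-in admin on web01 and bob on fs01). The disabled default account on fs01 is deliberately not flagged, which matches the control's requirement that default admin accounts be disabled rather than necessarily deleted.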
- Malware protection
Malware can wreak havoc by stealing confidential information, damaging files or, in the case of ransomware, locking files and preventing access unless you pay a ransom.
Anti-malware software helps you detect criminals’ attempts to plant malicious code into your systems, and regular scans will let you know if anything has slipped through the cracks.
- Patch management
Any software is prone to technical vulnerabilities and, once they have been discovered and shared publicly, cyber criminals rapidly exploit them on systems that haven't been patched or updated.
Regularly updating software and operating systems will help fix any known weaknesses. Doing this as quickly as possible is crucial to mitigating the risk of a criminal hacker exploiting the weakness first.
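"As quickly as possible" is easier to enforce when patch age is measured rather than guessed. The following added example (not code from the article) compares a constructed inventory of installed versions against the latest available version and reports anything whose fix has been available for longer than a deadline. The 14-day figure is the window Cyber Essentials sets for applying updates that fix critical or high-risk vulnerabilities; the package names, versions and release dates are constructed, and the script assumes simple dotted-integer version strings.

```python
"""Added example: flag installed software whose fix has been available longer
than the patching deadline. Not from the article; inventory data is constructed."""
from dataclasses import dataclass
from datetime import date

# Cyber Essentials requires updates fixing critical/high vulnerabilities to be
# applied within 14 days of release; anything older than that is overdue.
PATCH_DEADLINE_DAYS = 14


@dataclass
class Package:
    host: str
    name: str
    installed: str
    latest: str
    fix_released: date  # date the fixing version was published


def version_tuple(version):
    """Assumption: versions are dotted integers, so tuple comparison orders them."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(pkg):
    return version_tuple(pkg.installed) < version_tuple(pkg.latest)


def overdue_patches(packages, today):
    """Return (package, days_past_deadline) for outdated packages past the deadline."""
    overdue = []
    for pkg in packages:
        if not is_outdated(pkg):
            continue
        age = (today - pkg.fix_released).days
        if age > PATCH_DEADLINE_DAYS:
            overdue.append((pkg, age - PATCH_DEADLINE_DAYS))
    return overdue


# Constructed sample inventory and assessment date.
AUDIT_DATE = date(2024, 3, 1)
SAMPLE_PACKAGES = [
    Package("web01", "openssl", "3.0.12", "3.0.13", date(2024, 1, 30)),  # fix 31 days old
    Package("web01", "nginx", "1.24.0", "1.24.0", date(2024, 1, 15)),    # already current
    Package("fs01", "samba", "4.19.4", "4.19.5", date(2024, 2, 20)),     # fix 10 days old
]

if __name__ == "__main__":
    for pkg, days_over in overdue_patches(SAMPLE_PACKAGES, AUDIT_DATE):
        print(f"{pkg.host}: {pkg.name} {pkg.installed} -> {pkg.latest} "
              f"is {days_over} day(s) past the {PATCH_DEADLINE_DAYS}-day deadline")
```

On the sample data only openssl on web01 is reported (17 days past the deadline); samba on fs01 is outdated but still inside the window, and nginx is current. In practice the inventory would come from your patch management or vulnerability scanning tooling, and the deadline should be shortened for anything exposed to the Internet.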
The sixth control
The five controls outlined in Cyber Essentials are vital, but you must remember that technology is only as effective as the people using it.
Employees are always liable to make mistakes, and organisations must take appropriate measures to mitigate the risk. The best way to do that is with staff awareness training.
What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation).
Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).
Teaching your employees about these issues might sound onerous, but it’s actually quite simple if you use an e-learning provider.
This enables employees to study at a time and place that suits them, and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.
Get started with e-learning
Our Complete Staff Awareness E-learning Suite offers a quick, affordable and comprehensive solution to your training needs.
The suite contains all eight of our e-learning courses, covering essential topics such as the GDPR, ISO 27001 and phishing. All you need to do is purchase a licence for the number of staff taking the courses.
The suite is available on a one-year, easily renewable licence, and the courses can be taken as many times as you like.