The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.
As a Cyber Essentials certified organisation ourselves, Qlic is very familiar with the process of accreditation. We have supported a large number of organisations through the process and implemented any necessary changes needed to achieve their own certifications. So, carry on reading to find out our 3 tips for passing…
1. Understanding the Threat to your Organisation
Despite the fact that most organisations spend 5.6% of their overall IT budget on security and risk management, many organisations still don’t understand what cybersecurity is and, consequently, they don’t know how to keep hackers out.
Cyber security is one of the most important underlying factors of your organisation. With no cyber security software, your business is at risk of security breaches, hacking and much more. Once your business has been the victim of a cyber attack, you are far more likely to experience another unless the right security measures and software have been put into place.
A scary statistic for you here: since the pandemic began, cyber-attacks are up 400%, and that is a lot! Cyber security is highly important for everyone to implement, from one-man bands to international businesses.
2. Get to know the Technical Controls of Cyber Essentials
Technical controls are safeguards that are incorporated into computer hardware, software, or firmware and implementing the following 5 is vital when it comes to making your business cyber secure!
Access Control
Controlling who has access to which data within your business is highly important. All of your users should have their own individual accounts, with access only to the data necessary for their roles.
Important rules to follow for Access Control
- No device should be granted access without entering a username and password.
- All user accounts should be personal, and users should not have access to each other’s accounts.
- Anyone who leaves your business should be stripped of all access to their accounts and systems.
- Approval from owners or directors should be required when deciding who holds an administrator account.
- Administrator accounts should only be used when absolutely necessary, such as when installing software.
- You should review the list of employees with administrator accounts regularly, as some may have changed roles within the business.
- Enable Multi-Factor Authentication for all of your user accounts.
Firewalls and Internet Gateways
A firewall sits between your systems and the external systems which you use. When it detects traffic that could potentially harm your system, the firewall filters it out and stops it from reaching you.
Important rules to follow for Firewalls
- If you have employees working from home, they should all have a firewall implemented to secure the data being accessed over their home Internet connection.
- When putting together a password for the firewall, we recommend passwords of at least 16 characters for increased password entropy.
- You should have firewalls enabled for all of your work devices.
Device Configuration
When receiving a new work device, or even a personal device, it will not come security ready. There will be pre-installed software and applications on the device which could present security risks.
Important rules to follow for Device Configuration
- You should remove or disable the pre-installed applications and systems that are not needed.
- Change all default passwords for accounts and set strong passwords in their place.
- Make sure that no passwords are guessable; you can achieve this by generating a secure password with LastPass, or simply by making up a password at least 8 characters long that includes uppercase and special characters.
- Limit the number of unsuccessful login attempts to no more than 10 within 5 minutes, in case someone tries to compromise your account in quick succession using multiple passwords.
- Disable all auto-downloads and auto-runs on all of your systems.
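The lockout rule above (no more than 10 failed attempts within 5 minutes) is easy to state but has an edge case worth getting right: old failures must expire so the count is a sliding window, and a correct password must clear the history. The following is an added example written for this article, not code from Qlic or the Cyber Essentials scheme; the `LoginThrottle` class, its method names and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque

# Rule from the article: no more than 10 unsuccessful login attempts within
# 5 minutes. Both values are parameters so other policies can be tested too.
MAX_FAILURES = 10
WINDOW_SECONDS = 5 * 60


class LoginThrottle:
    """Per-account sliding-window lockout (illustrative, not a real product).

    Only failures are remembered; a successful authentication clears the
    account's history, so a user who mistypes a few times is not left locked.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _recent_failures(self, account, now):
        # Expire failures older than the window so only recent ones count.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'fail' or 'ok' for one login attempt at time `now`."""
        # A locked account is refused before the password is even checked,
        # which is what defeats rapid password guessing.
        if self._recent_failures(account, now) >= self.max_failures:
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures[account].append(now)
        return "fail"


def replay(events, throttle=None):
    """Replay (seconds, account, password_ok) events and return each decision."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(acct, ok, ts) for ts, acct, ok in events]


# Constructed sample log: 10 quick failures lock 'alice'; the correct password
# at t=200 is still refused; once the 5-minute window has passed it is accepted.
SAMPLE = [(i, "alice", False) for i in range(10)]
SAMPLE += [(200, "alice", True), (310, "alice", True)]
```

Running `replay(SAMPLE)` yields ten `fail` decisions, then `locked` for the correct password inside the window, then `ok` once the window has elapsed.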
Patch Management
Making sure that your software is always up to date with the latest patches is another way to protect your organisation from security risks.
Important rules to follow for Patch Management
- Ensure that all of the operating systems and applications you use are supported by a supplier who produces regular fixes for any security problems which occur.
- Use only licensed software.
- Look out for security updates upon release and have them installed on your systems as soon as possible.
- Remove applications from your devices once they are no longer supported by the developer.
Malware Protection
Malware, including ransomware, is used to steal or damage company data. Malware can also be used in conjunction with various kinds of attacks, such as phishing, to create a more dynamic and focused attack.
Important rules to follow for Malware Protection
- Install Anti-Malware software.
- Once you have installed the software, make sure to update it regularly.
- The Anti-Malware software should have a plugin which prevents you from accessing any malicious websites which could expose you to a security risk.
- Restrict users from installing unsigned applications or ones which have not been approved by the business.
- By creating a list of approved applications, those who work at your business will know which they should and shouldn’t download.
3. Conduct Regular Security Checks
To ensure that your devices and software remain safe and up to date, it is important to review the effectiveness of the cybersecurity measures you currently have in place and keep track of any needed updates.
You should conduct regular security reviews to:
- Review all devices and software and when they were last updated.
- Keep on top of the types of devices being used throughout your organisation.
- Determine the effectiveness of your current cyber security solutions and whether they need updating.
- Ensure that all software and devices are configured properly.
In Qlic’s opinion, receiving a Cyber Essentials certification is a great way to not only significantly reduce the security risks which could harm your business, but it is also a great certification to show to your clients and customers! So, whether you’re a small or large scale business, we highly recommend investing some time in achieving your own Cyber Essentials certification.
One thing to note: the world of cybersecurity is constantly evolving with new requirements and best practices, so if you fail to renew your certification within a year you will be removed from the certification list.
At Qlic, we’re Cyber Essentials certified, so if you have any questions or would like our IT experts to talk you through more of the basics of Cyber Essentials then please contact us on either 0203 904 3464 or [email protected]