
In this, the second part of our three-part blog series, we will explore three of the five Cyber Essentials controls. We will also look at how to implement and maintain them to ensure compliance with Cyber Essentials.

 

The five controls

  1. Anti-Malware measures
  2. Patch management
  3. Firewalls
  4. Applying Access Controls
  5. Secure Configuration

In this blog we will be concentrating on Patch management, Malware protection, and Firewalls. (The final two will be explored in the last blog of the series.)

 

The Cyber Essentials objective

‘To prevent harmful code from causing damage or accessing sensitive data’. The aim is to do this by restricting the execution of known Malware and untrusted software.

 

Malware

Malware is described as any software that is designed to intentionally cause damage to a computer, server, client, or computer network.

Malware is one of the most common forms of computer virus on the planet. It attacks software and makes copies of itself, and then sends those copies to any computer or device that has any association with the original target, eventually causing irreparable damage and issues. The infection can cause many problems – varying from malfunctioning systems to data loss – all of which are capable of destroying a business from the inside out. The most common Malware attacks are financially motivated. An astonishing ‘304 million ransomware attacks were carried out worldwide in 2020’ – can you afford to be the victim of one?

 

How does it work?

Cyber criminals use a variety of methods to get Malware onto your system. It could be down to the user browsing a website that has been compromised, opening a file from removable storage media (a memory stick, for example), or something as simple as opening an email that is already infected.

 

You can fight back

It can be very difficult to fight back against cyber attackers, but there are actions you can take to make things harder for them.

  • Only use manufacturer–approved shops for all downloads to mobiles and tablets. Apps purchased from an unknown source will not have been checked for Malware! Make it company policy that your staff do not download apps from unknown sources. The two main shops that are safe to use are Google Play and the Apple Store as they are constantly monitored to ensure that they are protected.

 

  • Install Anti-Virus software on all computers, both at work and at home. Most popular operating systems include a free type of Anti-Virus software, but these tools are not sufficient to make you secure! You need to purchase your own additional Anti-Virus software, all of which are very easy to use and are as simple as clicking ‘enable’ once downloaded. Smartphones and tablets can require different methods, but all contain end-user device (EUD) security guidance which is quick to find online.

 

  • You can run your apps in a ‘Sandbox’ – this will stop them from being able to communicate with other parts of your network or device, meaning that those other parts can’t be harmed.

 

How do you stay compliant with Cyber Essentials requirements regarding Malware?

Cyber Essentials Certification requires that you implement one of the three approaches listed above to protect your devices against malware.

Let’s take a look at the second control on our journey through the five controls, Patch Management.

 

Patch Management

Cyber Essentials – The objective

‘To ensure that devices and software are not vulnerable to known security issues for which fixes are available.’

Keeping your devices and software up-to-date is more important than you think. If your devices aren’t equipped with the latest protection then you are leaving yourself vulnerable to problems and potentially business-incapacitating damage to your computer systems. Just because your devices are in your home doesn’t make them safe!

One of the reasons that manufacturers release updates is for you, the consumer, to get more from your device by using new features to improve its functionality. But this is only part of the reason – their main function is to remedy any security vulnerabilities that have been discovered in the device. Set updates to automatic wherever possible. A manufacturer will always remedy security problems as soon as possible as it is beneficial to them that you get the most from your device in a secure way. If you suffer from a security breach it could lead you to lose faith in the device or software and, in the worst-case scenario for them, possibly the manufacturer as well.

All IT has a limited lifespan. Technology is always improving; its capabilities are gradually becoming endless, and manufacturers are constantly innovating and finding new ways to get the absolute best out of your tech in the most secure way possible.

Unfortunately, mirroring the advancements in technology and, in turn, the levels of security capable within your tech, is Malware. To defeat attacks, updates need to be made regularly. As inconvenient as this can be, it is essential to do them as soon as they are released, otherwise you will be unable to stay ahead of the technology, which is evolving at incredible speed. Also, as soon as your device or software is due to become unsupported by the provider, you must immediately start considering a modern replacement that is backed up and therefore cyber secure. If this is not actioned, then you are jeopardising the safety of your systems.

Cyber Essentials Accreditation – The requirements

Cyber Essentials requires you to install updates within two weeks of their release if the vendor describes the patch as fixing flaws labelled ‘high’ or ‘critical’. Your software must be licensed, supported, and up-to-date wherever possible. You must also remove all software from devices that is no longer supported.
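One way to check an update inventory against the requirements above, as an added example that is not part of the original post or of the Cyber Essentials scheme itself. The record fields, device names, and dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # "within two weeks of their release"
URGENT = {"high", "critical"}       # vendor labels named in the requirement


@dataclass
class Update:
    device: str
    software: str
    severity: str               # vendor's label for the flaw the patch fixes
    released: date              # day the vendor released the patch
    installed: Optional[date]   # None means the patch is still pending
    supported: bool = True      # False: vendor no longer supports the software


def assess(u: Update, today: date) -> str:
    """Classify one inventory record against the patching requirement."""
    if not u.supported:
        return "UNSUPPORTED: remove from device"
    if u.severity.lower() not in URGENT:
        return "OK: outside the two-week rule"
    deadline = u.released + PATCH_WINDOW
    if u.installed is None:
        if today > deadline:
            return f"OVERDUE by {(today - deadline).days} days"
        return f"PENDING: due in {(deadline - today).days} days"
    if u.installed > deadline:
        return f"LATE: installed {(u.installed - deadline).days} days after deadline"
    return "OK: installed in time"


def audit(updates, today):
    """Return (device, software, status) for every record that is not OK."""
    rows = [(u.device, u.software, assess(u, today)) for u in updates]
    return [r for r in rows if not r[2].startswith("OK")]


# Constructed inventory for illustration; not real devices or patches.
INVENTORY = [
    Update("laptop-01", "browser", "critical", date(2024, 3, 1), None),
    Update("laptop-02", "office suite", "high", date(2024, 3, 10), None),
    Update("laptop-04", "vpn client", "Critical", date(2024, 2, 1), date(2024, 2, 20)),
    Update("server-01", "pdf reader", "low", date(2024, 1, 1), None),
    Update("desktop-03", "legacy os", "high", date(2019, 1, 1), None, supported=False),
]

if __name__ == "__main__":
    for device, software, status in audit(INVENTORY, today=date(2024, 3, 20)):
        print(f"{device:11} {software:13} {status}")
```

Records that were patched late are reported as well as those still pending, because a late install is evidence that the two-week process is not working.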

Now for the last of the controls that we will be exploring in this second part of the three-part blog series: Firewalls.

 

Firewalls

Let’s take a look at how Firewalls work, the different types, and the various ways to configure them to ensure you satisfy the requirements of Cyber Essentials. But, first, we’ll explore the basics of Firewalls.

 

What is a Firewall and what is its purpose?

A Firewall is a security system that monitors your incoming and outgoing network traffic. The Firewall in your system creates a barrier between your trusted network and the untrusted internet network.

To explain, when you consider the door to your house, it allows and denies access; when access is permitted the door is open and monitored for what is coming in – when access is not permitted it is shut and doesn’t allow anything or anyone to enter. Going a step further, the Access Controls you choose to use act as the ‘keys’ to your system.

A Firewall stops those not permitted entry to your system from being able to gain control of your data or systems, while also providing secure access for those external to your network that you wish to permit access.

 

How do I go about configuring a Firewall?

Small to medium businesses with only a handful of end-point devices can implement Firewall software at device-level. A Firewall combined with other measures such as Anti-malware software and being diligent with your patch management should ensure your network’s security.

 

How does this help with qualification for Cyber Essentials?

To achieve compliance, you should protect every device in your network with Firewall protection. By managing those Firewall controls effectively, you are minimising risk. Once you have installed your Firewall software, consider the following to ensure enhanced protection:

  • Apply ‘rules’ to block activity that is untrusted. You will need to prove that the Firewall can handle high risk traffic.

 

  • Firewall configuration must be safeguarded by strong password protection. Administrators should use long, complex passwords (with numbers, letters, and punctuation) to ensure that their digital environment is the safest it can be, because the ramifications of someone gaining access to an administrator’s account could be disastrous.

 

  • Use software Firewalls if a device is going to be used outside of the already protected business network. With remote working tools (such as laptops, tablets, and mobile phones) being used on high-risk networks (such as public Wi-Fi), it is essential you use technical measures to ensure safety.

 

  • Allow permissions to employees based on who NEEDS to access that account or area. If several individuals require permissions you should introduce additional access controls wherever possible.

A Firewall is the first line of defence for your network and all the devices that reside within it. Firewalls are essential regardless of the Cyber Essentials accreditation, because your digital landscape is easily attacked without one.

In the following and last blog in the series we will explore the last two controls: Access Controls and Secure Configuration.

 

We’re Netplatforms.

Implementing the correct security measures for the technical landscape of your organisation has the power to revolutionise the way your organisation works. We can implement and maintain your security measures and look for better ways to defend your system. Our success can be attributed to one thing: TRUST. Ever since our very first year in business, our clients have been happy to recommend us to other businesses, and we have grown steadily as a result of these recommendations. We can help you to truly get the most from your IT in the most secure way possible. Don’t hesitate – contact us now!

0207 993 9035 or hello@netplatforms.co.uk.
