cyber essentials questionnaire excel

What are Cyber Essentials?

Cyber Essentials helps organisations show clients and different partners that the most vital and rudimentary Cyber Security controls are used.

After completion of a promise certificate, the organisations are issued Cyber Essentials and Cyber Essentials Plus certificates. The certificates are designed for small and medium-sized companies to fulfil their cyber security requirements at a competitive cost. Cyber Essentials is a government-backed scheme that assists organisations in fighting against several common cyber attacks.

There are several types of cyber attacks, but a significant number are very basic, carried out by amateurs. Some fundamental but vital practices can help companies avoid cybercrimes or attacks.

An organisation can put in place five technical controls to guard against the threat of cyber attacks:

1. Firewalls
2. Secure configuration
3. Access controls
4. Malware protection
5. Patch management

Firewalls:

An organisation should protect its Internet connection by creating a ‘buffer zone’ between it’s IT network and other, external networks. This is also called a “firewall.”

The firewall analyses incoming traffic to find out whether or not it should be allowed on to its network.

✓ Types of firewall:

1. A personal firewall for each laptop or computer. It comes as a standard.
2. A dedicated firewall to protect the whole network. This involves a more complicated set up with many types of devices. A wide range of routers provide this ability.

Secure configuration:

For new software and devices to be accessed by users, manufacturers often set this as the default setup. This includes ‘everything on’ to enable seamless connectivity and usability. Unfortunately, these settings can also give cyber attackers an opportunity to easily gain unauthorized access to data.

• Check the settings:

Settings of new software and devices must be checked. If required, amendments must be made to strengthen security. For example, by disabling or removing any functions, accounts or services which are not needed/demanded.

• Use passwords:

Laptops, tablets, desktop computers, and smartphones contain data and often save the details of the online accounts that one can use, so the devices and online accounts should always be protected by a password. Passwords are an effective and easy way to prevent unauthorized users from accessing devices. A password should be hard for somebody else to guess. Before devices are distributed and used, the users must change all default passwords. The default passwords are easy to guess. The use of pins or Touch-ID can also help secure a device.

• Extra security:

For ‘important’ accounts, such as banking and IT administration, users should use two-factor authentication (2FA). An effective and common example of this involves a code sent to a smartphone which a user must enter in addition to his/her password.

Access control

The staff accounts should just provide limited access to software, settings, online services, and device connectivity functions for staff members to perform their role. This minimizes the potential damage that could be done if an account is misused or stolen. Only authorised staff members should be given access.

✓ Administrative accounts:

User’s access to accounts should be checked – administrative accounts should only be used for administrative tasks. An account with administrative privileges should be disabled for web browing or emails. This reduces the chance of compromising the admin account. An attacker with access to the administrative account can be more damaging than one with access to a standard user account.

✓ Access to software:

Another simple way to ensure that devices are secure and malware-free is to only use software from official sources.

The easiest way to do this is to allow users to only install software from approved stores, that will be screening for malware. For mobile devices, this means sources such as the Apple App Store or Google Play.

Keep your devices and software up to date:

It is important that devices are kept up to date. This applies for both installed apps, software and operating systems. It is quick, free and easy. Also known as ‘patching’. Developers and software companies regularly update apps with new features and fix security vulnerabilities.

Applying these updates is essentials to improve Cybersecurity and reduce the risk of cyber-attack. All programs should be set for ‘automatically update’. As soon as the update is released then you will be protected.

Malware protection

There are various types of malware or ‘malicious software’. Ransomware is one of the malware that gained popularity recently. Ransomware makes data or systems unusable until the victim makes a payment.

A virus is spread by clicking on an executable file, visiting an infected website, viewing an infected website advertisement or opening an affected attachment. Once a virus infects the host, it can affect other system’s software or resources, disable main functions and applications, as well as copy, delete or encrypt data. Some viruses begin repeating as soon as they infect the host, while other viruses will lie inactive until a trigger causes malicious code to be executed by the device or system.

Malware protection measures are included in all hardware. For instance, Windows has Defender, and macOS has XProtect. All laptops and PCs contain malware. You can set ‘enable’ within settings to ensure that you are secure. Staying up to date with the latest updates ensures the safety of cell phones, and tablets.

Whitelisting can also be used to protect against the risk of cyber attacks: introducing and running applications that may contain malware. The procedure includes a manager making a list of uses permitted on a gadget. A user will be prevented from misusing a gadget.

✓ Sandboxing

This involves creating confined execution (surrounding conditions), which could be used for untrusted programs. It limits or reduces, the level of access that for the applications within a program and acts as a container.

✓ Conclusion and checklists

An organisation’s cybersecurity will be improved, once the above mentioned control measures are put in place. An organisation must also have a Cyber Essentials certificate as part of its cybersecurity strategy. An organisation should also conduct a cyber secure audit to identify risks and receive a recommendation on the best course of action.