Plugging the gaps: working together to ensure Cyber Essentials certification

The CREST Cyber Essentials Scheme is a great starting point for any modern organisation wishing to keep its data - and that of its customers - safe. However, it is not a catch-all to ever evolving attack vectors. We show you how to plug the gaps.

Ensuring robust IT security is essential. Keeping your data, and that of your customers, safe is a requirement for any modern business and has been brought into focus with the EU’s recent launch of the General Data Protection Regulation (GDPR). IT security isn’t just about placing a digital moat around your systems though; rather it should be a multi-part strategy that connects people and plugs holes at every level of your business. 

To help set businesses on the right path, the Government has launched an official certification based around its Cyber Essentials Scheme. However, it is important to look at the scheme as a starting point rather than a catch-all. Over-reliance on this scheme could cause companies to get lulled into a false sense of security, due to it leaving numerous gaps for potential infiltration. Let’s look at the recommendations one by one:

Use a firewall to secure your Internet connection 
Cyber Essentials rightly advises you to protect your Internet connection with a robust firewall to create a ‘buffer zone’ between your network and the outside world. Within this buffer zone (also known as a DMZ or demilitarised zone) potential breaches can be detected and addressed before they affect the wider network, thus mitigating the damage caused. 

Cyber Essentials Certification requires that you use a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks. However, it is important to understand that firewalls aren’t one-size-fits-all, so it is imperative that security is maximised with a configuration that tightly matches the specific needs of the individual organisation.
Choose the most secure settings for your devices and software 
The scheme advises that you should always check the settings of new software and devices and where possible, make changes which raise your level of security. For example, disabling functions which you do not require. This is because manufacturers generally set the default configurations to be as open as possible. It also outlines the importance of changing default passwords which come with new devices. This is important, as failure to do so promptly has been the root cause of many recent attacks such as those on the Dyn servers last year

Ensuring you have the most secure settings for your devices and software is imperative. However, with the increased trend towards shadow IT, what is connected to your network is difficult to ascertain without the requisite discovery tools. It is, therefore, important to continually scan for new potential points of infraction.

Control who has access to your data and services 
It is always a balancing act between giving staff access to the services they require to perform their role effectively and shoring up any unnecessary gaps. However, less is always best. Remember to only give extra permissions to those who need them and then consider making them time-out after a set period.

Cyber Essentials Certification requires that you control your staff’s access to your data through user accounts. More than that, it recommends that you disable any accounts that are not in active use. It is imperative that this is done immediately when someone leaves the organisation, especially when the employee in question has left under a cloud. 

Protect yourself from viruses and other malware 
The scourge of malware continues to dominate headlines. Central to gaining Cyber Essentials Certification is the requirement to implement basic cybersecurity hygiene. 

In today’s climate – as threats continue to evolve and become more complex – we recommend developing mitigations across three distinct layers as outlined by the NCSC. The first is to prevent malicious code from being delivered onto devices. The second is to prevent malicious code from being executed on those devices. The third is to increase your resilience to infection, and enable processes so that you can respond rapidly to infections should they occur.  

Keep your devices and software up-to-date 
Ensuring that your organisation's devices are up-to-date is imperative. Vendors release regular updates – known as patches – which not only add new features but also fix any security vulnerabilities that have been discovered. Applying these updates is one of the most important things you can do to improve security. The impact of last year’s most infamous cyber-attack – WannaCry – could have been mitigated if patches released by Microsoft some two months earlier had been installed.

Cyber Essentials Certification requires that you keep your devices, software, and apps up to date. However, don’t just leave it up to Windows Server Update Service (WSUS), as it doesn’t update third-party software (such as the ever-popular Java). Meaning that relying purely on WSUS you could leave your systems open to attacks.

There is no doubt that Cyber Essentials can help you guard against the most common cyber threats and demonstrate your commitment to cybersecurity. Once you have taken the time to investigate and put them in place, these five basic controls will put you and your organisation on the path to better data security.

However, whilst achieving Cyber Essentials Certification is a good target to have, it should not be the be-all and end-all for organisations. For businesses to mitigate the threats born out of a rapidly evolving cyber threat landscape – and to remain compliant to regulations and legal framework such as GDPR and others – they need a multi-layered approach to security that itself continues to evolve.

Key takeaways:

  • Configure your firewalls to your specific needs
  • Default admin identities are the first place an attacker looks
  • Switch off user access as soon as an employee leaves
  • Have a layered approach to IT security
  • WSUS does not update third-party software applications