Cyber Essentials Sheffield
Looking for Cyber Essentials Support in Sheffield? We can help you to reassure clients and partners that you’re cyber secure, and help you to achieve certification.
We’d be delighted to have a no pressure, no nonsense, plain English conversation so we can see if we can help you and your business.
A Breakdown of the NCSC
NCSC is a government-backed scheme in the UK that aims to protect your devices from a wide range of the most commonly found cyber threats. There are two types of certification for you to consider:
Cyber Essentials
The Cyber Essentials certification covers your basic cyber security needs, meaning your computing systems are much less vulnerable with this in place than they would be otherwise. Many of the individuals behind cyber attacks intentionally look for targets that aren’t using Cyber Essentials, so this means you’re much less likely to even come to the attention of cyber criminals.
Cyber Essentials Plus
The difference between the two choices is that with Cyber Essentials Plus, a hands-on technical verification is carried out. This makes it that bit more secure whilst still using a simple approach.
Why should you get Cyber Essentials?
The reasons we recommend Cyber Essentials to our clients are as follows:
- Prevent up to 80 per cent of cyber attacks
- Reassure customers that you are working to secure your IT against cyber attack
- Attract new business with the promise you have cyber security measures in place
- You have a clear picture of your organisation’s cyber security level
- Some Government contracts require Cyber Essentials certification
If you need any help with getting certified, or you just want to find out more information, feel free to reach out to us. We will be happy to talk you through it.
What Does Cyber Essentials Cover?
Assessment and certification should cover the whole of the IT infrastructure used to perform the business of the Applicant, or if necessary, a well-defined and separately managed sub-set. Either way, the boundary of the scope must be clearly defined in terms of the business unit managing it, the network boundary and physical location. The scope must be agreed between the Applicant and the Certification Body before assessment begins. A sub-set can be used to define what is in scope or what is out of scope for Cyber Essentials.
Organisations that choose a scope that includes the whole IT infrastructure often achieve the best protection and increased customer confidence. We can work with you on what should, and what should not, be in scope.
Firewalls
Ensure that only safe and necessary network services can be accessed from the Internet.
All devices run network services, which create some form of communication with other devices and services. By restricting access to these services, you reduce your exposure to attacks. This can be achieved using firewalls and equivalent network devices, or data flow policies in cloud services. A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can also help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol.
Alternatively, where an organisation does not control the network to which the end-user device is connected (e.g., when working remotely from a coffee shop), a software firewall must be configured on the device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules. We can help you decide the best options for your particular scenario, and also help to manage your firewall security with ease.
Secure Configuration
Ensure that computers and network devices are properly configured to:
- Reduce the level of inherent vulnerabilities
- Provide only the services required to fulfil their role
Computers and network devices are not always secure in their default configurations. Standard, out-of-the-box configurations often include one or more weak points such as:
- An administrative account with a predetermined, publicly known default password or without multi-factor authentication enabled
- Pre-enabled but unnecessary user accounts (sometimes with special access privileges)
- Pre-installed but unnecessary applications or services
Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information — often with ease. By applying some simple technical controls when installing computers and network devices you can minimise inherent vulnerabilities and increase protection against common types of cyber-attack.
User Access Control
Ensure user accounts:
- Are assigned to authorised individuals only
- Provide access to only those applications, computers and networks actually required for the user to perform their role
Every active user account in your organisation facilitates access to devices and applications, and to sensitive business information. By ensuring that only authorised individuals have user accounts, and that they are granted only as much access as they need to perform their role, you reduce the risk of information being stolen or damaged. Compared to normal user accounts, accounts with special access privileges have enhanced access to devices, applications and information. When such accounts are compromised, their greater freedoms can be exploited to facilitate large-scale corruption of information, disruption to business processes and unauthorised access to other devices in the organisation.
‘Administrative accounts’, for example, are especially highly privileged. Such accounts typically allow:
- Execution of software that has the ability to make significant and security relevant changes to the operating system
- Changes to the operating system for some or all users
- Creation of new accounts and allocation of their privileges
All types of Administrator will have such accounts, including Domain Administrators and Local Administrators.
Now consider that if a user opens a malicious URL or email attachment, any associated malware is typically executed with the privilege level of the account that user is currently operating. With this in mind, you must take special care over the allocation and use of privileged accounts.
Malware Protection
Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
The execution of software downloaded from the Internet can expose a device to malware infection. Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform malicious actions. Potential sources of malware infection include malicious email attachments, downloads (including those from application stores), and direct installation of unauthorised software. If a system is infected with malware, your organisation is likely to suffer from problems like malfunctioning systems, data loss, or onward infection that goes unseen until it causes harm elsewhere.
You can largely avoid the potential for harm from malware by:
- Detecting and disabling malware before it causes harm (anti-malware)
- Executing only software that you know to be worthy of trust (allow listing)
- Executing untrusted software only in an environment that controls access to other data (sandboxing/testing environments)
Security Update Management
Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
Any device that runs software can contain security flaws, known as ‘vulnerabilities’. Vulnerabilities are regularly discovered in all sorts of software. Once discovered, malicious individuals or groups move quickly to misuse (or ‘exploit’) vulnerabilities to attack computers and networks in organisations with these weaknesses.
The Applicant must ensure all in-scope software is kept up to date. All software on in-scope devices must be:
- Licensed and supported
- Removed from devices when it becomes unsupported, or removed from scope by using a defined “subset” that prevents all traffic to/from the internet
- Have automatic updates enabled where possible
- Updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
  - The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  - The update addresses vulnerabilities with a CVSS v3 score of 7 or above
  - There are no details of the level of vulnerabilities the update fixes provided by the vendor
For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.
*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.
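The 14-day rule above, written as a check over a list of pending updates. This is an added example, not part of the Cyber Essentials requirements or of any vendor tool. The `PendingUpdate` record, its field names, the status labels and the sample inventory are assumptions made for illustration, as is reading "no details" as neither a vendor rating nor a CVSS score being available.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional

PATCH_WINDOW = timedelta(days=14)  # "within 14 days of an update being released"

class PendingUpdate(NamedTuple):  # hypothetical record; field names are assumptions
    host: str
    package: str
    released: date
    vendor_severity: Optional[str] = None  # None = vendor gave no rating
    cvss_v3: Optional[float] = None        # None = no score published

def is_mandatory(u: PendingUpdate) -> bool:
    """True if the update falls under the mandatory 14-day rule."""
    sev = (u.vendor_severity or "").strip().lower()
    if sev in {"critical", "high", "high risk"}:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return True
    # Assumption: "no details" means neither a rating nor a score exists,
    # so the update is handled as if it were critical (fail closed).
    return sev == "" and u.cvss_v3 is None

def classify(u: PendingUpdate, today: date) -> str:
    overdue = (today - u.released) > PATCH_WINDOW  # day 14 itself is still in time
    if is_mandatory(u):
        return "NON-COMPLIANT" if overdue else "DUE"
    return "RECOMMENDED-OVERDUE" if overdue else "RECOMMENDED"

def audit(inventory, today):
    """Return (host, package, status) for every pending update."""
    return [(u.host, u.package, classify(u, today)) for u in inventory]

# Constructed sample inventory, not real scan output.
SAMPLE = [
    PendingUpdate("ws-01", "browser", date(2024, 3, 1), "Critical"),
    PendingUpdate("ws-02", "pdf-reader", date(2024, 3, 6), None, 7.0),
    PendingUpdate("fw-01", "firmware", date(2024, 3, 1)),
    PendingUpdate("srv-01", "text-editor", date(2024, 2, 1), "Low", 3.1),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, today=date(2024, 3, 20)):
        print(*row, sep="\t")
```

Updates with a low rating are reported separately because applying them within 14 days is recommended rather than mandatory.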
Commstec can help with providing automated Windows OS patching on a schedule to fit around your business, along with network and firewall updates to ensure you are always compliant, and always secure.