Cyber Essentials Decoded: Firewalls and User Access Control
Enterprise vs. Small business: The cyber security gap
Enterprise organisations protect huge volumes of data and adhere to regulations, budgets, and requirements that necessitate state-of-the-art security controls. Smaller businesses, though they may lack these resources, also need cyber protection. They are increasingly targeted, and the consequences can be severe, including loss of clients or even business closure. In the UK, the average cost of a data breach is £3.4 million, according to IBM’s Cost of a Data Breach report. Although this is down from £3.8 million in 2022, it still marks a 9% increase since 2020. Such breaches can cripple small businesses.[1]
If you think your organisation is too small to be a target, think again. Most hacks are opportunistic, targeting the lowest-hanging fruit and easy targets. Leaving a window open while you pop into the shops makes you vulnerable for a short time, but attackers only need a short window.
Implement Cyber Essentials certification for robust security
Every business must adopt good practices in cyber security to protect their data, assets, and reputation. One effective measure is obtaining Cyber Essentials Certification. So, what is Cyber Essentials?
Understanding Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a UK government scheme that provides a clear-cut cyber security strategy for businesses of all sizes. Cyber Essentials offers two main levels: Cyber Essentials and Cyber Essentials Plus. Essentially, Cyber Essentials allows organisations to self-assess their current cyber security through an online assessment system, which is then independently verified before offering certification.
Cyber Essentials Plus offers the same basics but includes independent validation by an accredited third party. Your systems undergo independent testing, and Cyber Essentials integrates into the organisation’s information risk management.
The 5 key elements of cyber security
Built around these 5 key elements of cyber security, Cyber Essentials provides a simple framework that protects against the most common cyber threats, aligns with guidance from the UK National Cyber Security Centre (NCSC), and offers numerous benefits, including:
- Reduced insurance premiums.
- Improved investor and customer confidence.
- The ability to tender for business where certification to the scheme is a prerequisite.
1. Firewalls and Internet gateways: Your first line of defence
Firewalls monitor incoming and outgoing network traffic and decide, according to a set of rules, whether to allow or block it. They act as a barrier between external sources and your internal network, protecting you from malicious traffic such as malware downloads and unauthorised connection attempts from attackers.
2. User Access Control: Protecting sensitive data
All organisations with employees connecting to the Internet must implement access control. Restricting access to sensitive data to those who need it, and requiring more than one verification method before access is granted, helps protect your business from threats. These measures minimise the risk of unauthorised access to important information.
3. Patch management: Keeping your systems updated
Patch management involves keeping software on computers and network devices up to date so that it resists commodity, low-skill cyber-attacks. Regularly patching or updating your software closes known vulnerabilities that attackers could otherwise exploit.
4. Malware protection: Shielding against malicious software
Malware, short for malicious software, includes viruses, worms, spyware, botnet software, and ransomware. These types of software are designed to infiltrate or damage a computer system without the owner's consent. Malware protection is crucial as an attack can devastate your systems and data. Effective anti-malware software is necessary to protect against these threats.
5. Secure configuration: Building a strong foundation
To be cyber secure, you must configure your servers, computers and network devices properly. Applying security settings when building and installing them, such as removing unused software and accounts and changing default settings, reduces unnecessary cyber vulnerabilities. It's best practice to test these configurations before deploying them in your organisation through configuration reviews and penetration testing.
How to achieve certification for firewalls and internet gateways
To achieve certification for firewalls as a control, your organisation must:
- Change default administrative passwords.
- Prevent access to the administrative interface from the Internet unless there is a documented business need and protect the interface with a second authentication factor (e.g., a one-time token) or an IP whitelist.
- Block unauthenticated inbound connections by default.
- Ensure an authorised individual approves and documents inbound firewall rules.
- Remove or disable permissive firewall rules when not needed and use a host-based firewall on devices that operate on untrusted networks like public Wi-Fi hotspots.
These practices help ensure every asset is secured by a correctly configured firewall or equivalent network device.
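As an added illustration (not code from the article or from The Missing Link), the following script reviews a constructed firewall rule set against the five requirements listed above: undocumented inbound rules, overly permissive rules, an administrative interface reachable from the Internet without a second factor or IP allow list, and the absence of a default inbound deny. The rule fields are assumptions made for this example; a real firewall exports its rules in its own format.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    direction: str                 # "in" or "out"
    src: str                       # source address/CIDR, or "any"
    dst_port: str                  # destination port, or "any"
    action: str                    # "allow" or "deny"
    approved_by: str = ""          # person who approved and documented the rule
    admin_interface: bool = False  # rule exposes the firewall's own admin interface
    second_factor: bool = False    # admin interface requires a one-time token
    ip_allowlist: bool = False     # admin interface restricted to listed source IPs

def review_rules(rules):
    """Return (rule name, finding) pairs for permissive inbound rules that breach the controls."""
    findings = []
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue  # only permissive inbound rules create exposure
        if not r.approved_by:
            findings.append((r.name, "inbound rule has no documented approver"))
        if r.src == "any" and r.dst_port == "any":
            findings.append((r.name, "overly permissive: allows any source to any port"))
        if r.admin_interface and r.src == "any" and not (r.second_factor or r.ip_allowlist):
            findings.append((r.name, "admin interface exposed to the Internet without 2FA or IP allow list"))
    return findings

def default_policy_ok(rules):
    """True only when inbound traffic is denied by default (a final deny-all rule)."""
    inbound = [r for r in rules if r.direction == "in"]
    if not inbound:
        return False
    last = inbound[-1]
    return last.action == "deny" and last.src == "any" and last.dst_port == "any"

# Constructed sample rule set for the review (hypothetical values)
SAMPLE_RULES = [
    Rule("web", "in", "any", "443", "allow", approved_by="it-manager"),
    Rule("legacy-any", "in", "any", "any", "allow"),
    Rule("mgmt-ui", "in", "any", "8443", "allow", approved_by="it-manager", admin_interface=True),
    Rule("default-deny", "in", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
    print("inbound default deny in place:", default_policy_ok(SAMPLE_RULES))
```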
Supporting best firewall practices
At The Missing Link, we recommend you regularly review firewall rules and use a third-party service, such as The Missing Link firewall service, for additional review. Firewalls keep good traffic in and bad traffic out, but how do you ensure users don't let in bad threats?
Securing your business with effective User Access Control
To achieve certification for User Access Control, your organisation must:
- Authenticate users before granting access to applications or devices, using unique credentials.
- Remove or disable user accounts when no longer required.
- Implement two-factor authentication where possible.
- Use administrative accounts only for administrative activities.
- Remove or disable special access privileges when no longer required.
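As an added example (not code from the article or from The Missing Link), this script runs a periodic account review against the five User Access Control requirements above: shared rather than unique credentials, accounts unused past a threshold, missing two-factor authentication, administrative accounts used for day-to-day work, and privileges with no remaining business need. The account fields, the 90-day threshold and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    username: str
    owner: str                      # named person; "shared" if the credential is not unique
    enabled: bool
    last_login: date
    is_admin: bool
    mfa_enabled: bool
    used_for_daily_work: bool       # e.g. email or browsing from an admin account
    privileged_access_needed: bool  # documented business need for admin rights still exists

def review_accounts(accounts, today, stale_days=90):
    """Return (username, finding) pairs for enabled accounts that breach the controls."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled accounts need no action
        if a.owner == "shared":
            findings.append((a.username, "shared credential: not a unique per-user account"))
        if (today - a.last_login).days > stale_days:
            findings.append((a.username, f"unused for more than {stale_days} days; remove or disable"))
        if not a.mfa_enabled:
            findings.append((a.username, "two-factor authentication not enabled"))
        if a.is_admin and a.used_for_daily_work:
            findings.append((a.username, "administrative account used for non-administrative activity"))
        if a.is_admin and not a.privileged_access_needed:
            findings.append((a.username, "special access privilege no longer required; remove it"))
    return findings

# Constructed sample directory snapshot (hypothetical values)
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, date(2024, 5, 30), False, True, False, False),
    Account("reception", "shared", True, date(2024, 5, 31), False, False, False, False),
    Account("bob-admin", "bob", True, date(2024, 5, 29), True, True, True, True),
    Account("carol", "carol", True, date(2024, 1, 10), True, True, False, False),
    Account("dave", "dave", False, date(2023, 2, 1), False, False, False, False),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```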
Access control allows selective restriction of access to data, limiting the risk of unauthorised access. At The Missing Link, we offer identity security solutions to ensure your users access the right resources at the right time.
We recommend strong authentication controls to make the lateral movement of threats around a network much harder. This reduces the likelihood of business-critical systems and data being compromised, as potential threats are contained, neutralised, and remediated before any critical damage occurs.
Navigating the Evolving Cyber Threat Landscape
Both available technologies and the threat landscape constantly change, making it difficult for customers to keep up. We advise customers daily on their identity strategy.
Protect Your Business with Cyber Essentials Certification
Are you looking to understand Cyber Essentials requirements? Our team at The Missing Link has the expertise and support you need to achieve Cyber Essentials certification or Cyber Essentials Plus certification.
For practical assistance with your certification and cyber security needs, connect with our expert team. To explore more about Cyber Essentials, including Malware Protection, User Access Control, and Patch Management, delve into our comprehensive guides and resources. Let us help you secure your business today.
References
[1] https://uk.newsroom.ibm.com/24-07-2023-IBM-Security-Report-Cost-of-a-Data-Breach-for-UK-Businesses-Averages-3-4m