26 Oct Cyber Essentials – The Five Controls – 4. Access Controls
We have already covered four of the five controls as required by Cyber Essentials to achieve their accreditation. In this article we will explore Access Controls, the fourth control in our walkthrough to a successful certification.
The aim of Access Controls
The objective of implementing access controls is to ensure that only the people required to have access to applications, networks, and computers actually have it; if their role doesn’t require access then there is no need for them to have it. Cyber Essentials want user accounts to be assigned to authorised individuals that need access, not just to anyone.
The current climate has dramatically increased the need for efficient access controls. They should have been at the very top of your business security concerns anyway but, with the world of work gradually converting to an at least partially remote one, what was once a need is now a priority.
Access controls – The Cyber Essentials requirements
To achieve Cyber Essentials accreditation, you must utilise user accounts to control access to the data that you oversee. There must be clear controls as to what can be done with administrative accounts and a guarantee that the privileges to such accounts are only given to those that need them.
The risk of information being lost or stolen can be reduced dramatically if you only allow access to authorised personnel with user accounts that mirror their station in the business. User accounts in your business allow the use of applications, devices, and access to sensitive information – information that, if released or stolen, could cause serious financial and reputational ramifications for you, your team, and your organisation as a whole.
The consequences of ‘special’ access privilege accounts – those that allow access to devices, applications, and information – being compromised could be disastrous and potentially incapacitate your entire organisation. In some circumstances they could even be used as the vessel for an attack on a larger scale – if your reputation, team, and bottom line weren’t affected by the original attack then they will be after the second one!
Take administrative accounts, for example: they typically allow the use of software that, in the wrong hands, has the power to render your security measures useless. Every company has an administrator with access to these accounts, which is why reviewing who has access to each account should be an immediate priority. Say one of your users opens an email attachment. It looks legitimate, and she does the same thing every day, but unfortunately this one contains malware. The malware can now cause as much trouble as it is designed to, up to the access privilege of the account the user is operating in. Depending on the level of access the user has, this scenario could see you bidding farewell to your entire business.
In order to apply for Cyber Essentials you must have control over the user accounts and the privileges granted to each and every one. You need to have a user account creation and approval process in place within your organisation, and to authenticate users before granting them access to apps and devices – obviously, whilst ensuring you use unique credentials for each.
Be sure to disable or remove user accounts when they are no longer needed, remove or disable any access privileges attached to an individual’s account when they move to a department that doesn’t require them, implement two-factor authentication, and use administrative accounts only where that access is needed to complete administration duties.
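The checks in the two paragraphs above can be run as a periodic audit over an export of your user accounts. The script below is an added example, not part of the Cyber Essentials scheme or any vendor tool; the account records, field names, department-to-group mapping and 90-day inactivity window are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample inventory. Field names are assumptions made for this example.
ACCOUNTS = [
    {"user": "asmith", "dept": "Finance", "groups": {"finance"}, "admin": False,
     "mfa": False, "enabled": True, "last_login": date(2023, 10, 20), "daily_use": True},
    {"user": "bjones", "dept": "Sales", "groups": {"sales", "finance"}, "admin": False,
     "mfa": False, "enabled": True, "last_login": date(2023, 10, 24), "daily_use": True},
    {"user": "cpatel-adm", "dept": "IT", "groups": {"it-admins"}, "admin": True,
     "mfa": False, "enabled": True, "last_login": date(2023, 10, 25), "daily_use": False},
    {"user": "dlee-adm", "dept": "IT", "groups": {"it-admins"}, "admin": True,
     "mfa": True, "enabled": True, "last_login": date(2023, 10, 25), "daily_use": True},
    {"user": "ewong", "dept": "Sales", "groups": {"sales"}, "admin": False,
     "mfa": False, "enabled": True, "last_login": date(2023, 5, 2), "daily_use": True},
    {"user": "fkhan", "dept": "Finance", "groups": {"finance"}, "admin": False,
     "mfa": False, "enabled": False, "last_login": date(2023, 1, 9), "daily_use": False},
]

# Groups each department's role requires (assumed mapping).
APPROVED = {"Finance": {"finance"}, "Sales": {"sales"}, "IT": {"it-admins"}}


def audit(accounts, approved, today, stale_days=90):
    """Return sorted (user, finding) pairs for enabled accounts that fail a check."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, so there is nothing further to report
        user = acct["user"]
        # Account no longer needed: no login within the (assumed) inactivity window.
        if (today - acct["last_login"]).days > stale_days:
            findings.append((user, "stale: disable or remove"))
        # Privileges left over from a previous department.
        extra = acct["groups"] - approved.get(acct["dept"], set())
        for group in sorted(extra):
            findings.append((user, f"excess group: {group}"))
        if acct["admin"]:
            if not acct["mfa"]:
                findings.append((user, "admin without two-factor"))
            # Admin rights should be used for administration duties only.
            if acct["daily_use"]:
                findings.append((user, "admin used for daily work"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, APPROVED, today=date(2023, 10, 26)):
        print(f"{user:12} {finding}")
```
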
We will now move onto the last article in the series – Patch management – and begin to understand how an accumulation of all of the five controls will not only ensure you achieve certification but also prepare you for a better, more stable future with your IT.
Cyber Essentials Accreditation achieved
We understand the importance of top-level cyber security in your organisation. Our team of experts will help guide you to Cyber Essentials Accreditation and a secure future. We will ensure that you feel confident with the new tools that were implemented which made achieving the certification possible. Contact us now and find out how we can help you transform your digital landscape into a fortress that cyber criminals haven’t got a chance of being able to penetrate.