Cyber Essentials – The Five Controls – 2. Secure Configuration
24 Sep
As we have explored, the Cyber Essentials accreditation has five key controls that need implementing and maintaining to a high standard to make a successful certification possible. We have already looked at Firewalls and the role they play in your cyber security and the quest for Cyber Essentials accreditation. In this article you will learn all you need to know about the second in our list of five measures: Secure Configuration.
Default security settings
‘I already have default security settings on – that will do, won’t it?’ I hear you say, and the simple answer is NO: under no circumstances are the default security settings enough to meet the requirements for Secure Configuration. Factory/default settings are relatively insecure because they are designed to be as unrestrictive as possible, so that customers who have just purchased the system can get going easily and set their own settings from a blank canvas. To stand a chance of achieving Cyber Essentials accreditation you will have to adopt much better levels of security than just those default settings.
What problems can occur from a poorly configured system
The modern workplace is very hectic, so it can be hard to find time to do anything apart from the normal essential work functions. This being said, it is essential that, as services fall in and out of use and you acquire new hardware, you stay proactive and ready to make them and your systems as safe and protected as you can. Cyber criminals target poorly configured systems intentionally so, as a business owner, you need to be as vigilant as possible – you must find time to stay proactive.
An attacker will have little to no resistance when coming across a poorly configured system, and this will allow them to cause potentially business-defining damage to your network. They could do this in a variety of ways: they could pre-configure themselves a route for a future attack and wait to strike another time, take advantage of the unbridled access, or – in the worst-case scenario – gain access to the sensitive data you oversee.
Let’s look at some of the different problems that can be caused by not putting up a good resistance against cyber criminals.
- Take advantage of vulnerable software – Cyber criminals are opportunists; they are continuously on the lookout for vulnerabilities in your software. At the first opportunity you MUST seal up these security weak points by installing patches and updates as regularly as possible. If you choose not to do this then you are simply leaving your systems open for anyone to access and do as they wish.
- Unauthorised changes – Anyone can make changes to your IT landscape if you have poor access management measures in place! By allowing this to happen your data can be corrupted or stolen at any time, and knowingly allowing it to happen will also leave you in hot water legally, financially, and (arguably most importantly) reputationally – would you leave your data in the hands of a company that may not look after it? Manage permissions carefully.
Now we’ve been through the worst-case scenarios of not doing anything, let’s take a look at ways to configure your system securely.
Ways to achieve secure configuration
- Carry out vulnerability scans
It is a good idea to have a schedule for regular vulnerability scans with the intention of flagging potential security concerns. This won’t stop things from sneaking in under the radar but will allow you to work out a course of action to rectify any issue the scan uncovers.
- Establish a software update policy
Policies are important, mostly because they force you and your team to stand up and take action. You, as the manager, will lead by example, and your team will follow the policies under the threat of the ramifications if they don’t. Draw up policies relating to the installation of important, business-critical updates. A schedule with clear guidelines for how often updates are needed for a particular application or programme is essential to ensure any issues are fixed as promptly as possible.
- Only use supported software
By using unsupported (legacy) software you are leaving your entire network vulnerable. Unsupported software is software that is no longer updated and patched by the vendor. Most software continues to work once support stops, so some people don’t even realise the software is unsupported, but just because it still runs doesn’t mean it’s safe. When there is no team dedicated to creating and launching updates to guarantee its safety, security loopholes are left open for cyber criminals to exploit.
- Establish a secure configuration guideline
You need to specify a baseline security standard that all software must align with. Not all your software may work the same way, so take note of each and stay on top of them.
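As an added example (not part of the original article), the update policy, supported-software rule and configuration guideline above can be turned into a repeatable inventory audit. The item names, dates and update intervals below are constructed assumptions, not values from the article or from the Cyber Essentials scheme.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed update policy: maximum days without an update, per category.
# The intervals are illustrative values, not figures from the article.
MAX_DAYS_WITHOUT_UPDATE = {"operating_system": 30, "browser": 14, "firmware": 90}

@dataclass
class Item:
    name: str
    category: str
    last_updated: date
    support_ends: Optional[date]  # None: vendor has announced no end of support
    default_settings: bool        # True: still running factory/default settings

def audit(items, today):
    """Return {item name: [findings]} for every item that breaks the guideline."""
    report = {}
    for item in items:
        findings = []
        if item.support_ends is not None and item.support_ends < today:
            findings.append("unsupported")
        limit = MAX_DAYS_WITHOUT_UPDATE.get(item.category)
        age = (today - item.last_updated).days
        if limit is None:
            # A category the policy does not cover is itself a gap to close.
            findings.append("no update policy for category")
        elif age > limit:
            findings.append(f"update overdue by {age - limit} days")
        if item.default_settings:
            findings.append("default settings in use")
        if findings:
            report[item.name] = findings
    return report

# Constructed inventory (hypothetical names and dates).
SAMPLE = [
    Item("office-router", "firmware", date(2024, 1, 10), None, True),
    Item("accounts-pc", "operating_system", date(2023, 12, 12), date(2023, 12, 31), False),
    Item("reception-browser", "browser", date(2024, 5, 25), None, False),
    Item("label-printer-app", "utility", date(2024, 5, 30), None, False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(findings)}")
```

Run on a schedule against a real inventory export, the findings list becomes the worklist for the next round of patching and reconfiguration.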
It is not easy getting your IT infrastructure to a level of security that is considered its maximum, but the benefits and peace of mind that it allows once you do manage it are unrivalled. The job will never be over: there will always be something that is slightly more vulnerable than it should be, needs updating, needs scrapping, or needs more care and attention. Approaching your system security methodically, though, is a great way of giving yourself a fair chance. It is essential that every single app, service, and hardware component is running at the very peak of its security capabilities.
Cyber Essentials Accreditation achieved
We understand the importance of top-level cyber security in your organisation. Our team of experts will help guide you to Cyber Essentials Accreditation and a secure future. We will ensure that you feel confident with the new tools that were implemented which made achieving the certification possible. Contact us now and find out how we can help you transform your digital landscape into a fortress that cyber criminals haven’t got a chance of being able to penetrate.