The 5 Critical Security Controls of Cyber Essentials Plus

Cyber Essentials is a government-backed certification scheme that enables you to demonstrate that your business has taken the necessary steps to protect against a cyber attack.

This scheme tests your information system against five technical security controls. If you pass, you become certified and your business can be added to the government’s directory of organisations awarded Cyber Essentials.

It gives you the reassurance that you’ve done what you can to avoid an attack and prepare your systems in case the worst should happen, and it also proves to your customers that you are a reliable partner who can be trusted with their data.


An approved Certification Body awards Cyber Essentials certification. To pass, you have to verify that your IT meets the standards laid out in Cyber Essentials – more on that in a moment – and answer a questionnaire. Though you may be required to provide evidence to the Certification Body as part of the assessment, the basic Cyber Essentials certification is a self-assessment scheme.

Cyber Essentials PLUS, however, is an independently assessed certification. It is based on the same standards as Cyber Essentials – those five technical controls – but adds independent verification: an assessor from the Certification Body audits your systems, including vulnerability scans of your internet-facing and internal devices, to confirm that the controls are actually in place rather than just declared on a questionnaire.

Understandably, this has made Cyber Essentials PLUS a popular scheme for businesses looking to provide solid reassurance of their cyber security controls.

So, what standards do you have to meet to achieve Cyber Essentials/Cyber Essentials PLUS certification? We’re going to take a look at the five security controls below:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

1. Use a Firewall to Secure Your Internet Connection

Firewall (n) - "Hardware or software that is used to prevent unauthorised access to or from a network by limiting network traffic." 

To achieve Cyber Essentials PLUS certification, you need to ensure that all your internet-connected devices are protected by a firewall. A firewall is a boundary between your network and the Internet that inspects traffic in both directions and allows or blocks it according to a set of rules. The behaviour that matters most is blocking unsolicited inbound connections by default and only opening what your business genuinely needs.

Depending on the complexity of your business needs, a firewall can be set up to surround just your device or your entire network.

It’s important to ensure that not just your computer but all internet-enabled devices, such as laptops, tablets and smartphones, are protected. If you use these devices away from the office, especially on public WiFi where you don’t control the network, the boundary firewall in your office can’t help them, so the device’s own software (host-based) firewall must be switched on and configured to block inbound connections.

How Do I Check My Firewall Settings?

Smaller business networks will likely have a firewall built into the router—that’s where the Internet effectively enters the building. You can check the firewall settings by logging in to the router’s administration interface, where you’ll see which inbound ports are open (forwarded to devices inside) and which are closed. While you are there, change the router’s default administrator password and make sure the administration interface itself cannot be reached from the Internet.

Your firewall rules decide which ports are open and which are not. Only the ports your business actually needs should be open – everything else should be closed, with a default rule that drops any inbound connection you haven’t explicitly allowed. So if your website is hosted by a third-party provider, for example, there is no reason to forward the web server ports (80 and 443) into your network. The same goes for email if a provider hosts it. Every open port should have a documented business reason; if you leave ports open that you don’t need, you’re inviting an attacker to come in and look around.

Larger businesses will likely have more ports and users, making the firewall more complicated to manage. It’s the same process, but with more traffic.

Note: For any size of business, a firewall can’t protect against every attack. But it’s your first line of defence, so it’s worth investing in.
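The review described above – every open inbound port has a documented reason, admin and file-sharing services are never exposed to the whole Internet, and there is a default-deny rule – can be scripted against an export of the router’s rules. The following is an added example, not code from the original article or from any router vendor: the rule lines are a constructed sample in a simplified hypothetical format (action, protocol, port, source, comment), and the `DOCUMENTED` table of approved rules is likewise made up for the example.

```python
"""Audit a boundary firewall's inbound rules against a documented allowlist.

Added example, not from the original article. The rule format is a
hypothetical simplified export (one rule per line), not any particular
router vendor's format.
"""
from ipaddress import ip_network

# Remote-admin and file-sharing ports that should never be reachable from
# the whole Internet on a small business network.
ADMIN_PORTS = {21, 22, 23, 135, 139, 445, 3389, 5900}

# Inbound rules that have a documented business need (hypothetical).
DOCUMENTED = {
    ("tcp", 443): "Customer VPN gateway, ticket IT-1042",
}

# Constructed sample export: action proto dest_port source [comment]
SAMPLE_RULES = """\
allow tcp 443 0.0.0.0/0 vpn gateway
allow tcp 3389 0.0.0.0/0 remote desktop for accounts
allow tcp 80 0.0.0.0/0 old website (now hosted by third party)
allow tcp 22 203.0.113.0/24 MSP support
deny any any 0.0.0.0/0 default deny
"""


def parse_rules(text):
    """Turn the simplified export into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        action, proto, port, source = parts[:4]
        rules.append({
            "action": action,
            "proto": proto,
            "port": None if port == "any" else int(port),
            "source": ip_network(source),
            "comment": parts[4] if len(parts) > 4 else "",
        })
    return rules


def audit(rules):
    """Return (severity, rule, reason) findings for rules that need attention."""
    findings = []
    has_default_deny = False
    for r in rules:
        # A deny on any port from any source (prefix length 0) is the default-deny rule.
        if r["action"] == "deny" and r["port"] is None and r["source"].prefixlen == 0:
            has_default_deny = True
            continue
        if r["action"] != "allow":
            continue
        internet_wide = r["source"].prefixlen == 0
        key = (r["proto"], r["port"])
        if r["port"] in ADMIN_PORTS and internet_wide:
            findings.append(("critical", r, "admin/service port open to the whole internet"))
        elif internet_wide and key not in DOCUMENTED:
            findings.append(("high", r, "inbound rule with no documented business need"))
        elif r["port"] in ADMIN_PORTS:
            findings.append(("info", r, "admin port reachable from a restricted source; confirm it is still needed"))
    if not has_default_deny:
        findings.append(("critical", None, "no default-deny rule for unsolicited inbound traffic"))
    return findings


if __name__ == "__main__":
    for severity, rule, why in audit(parse_rules(SAMPLE_RULES)):
        desc = f"{rule['proto']}/{rule['port']} from {rule['source']}" if rule else "ruleset"
        print(f"[{severity}] {desc}: {why}")
```

On the sample, the VPN rule passes because it is documented, the remote desktop rule open to the whole Internet is flagged as critical, the leftover port-80 forward is flagged as undocumented, and the SSH rule restricted to the support provider’s range is noted for confirmation. Rules that are merely "still there from years ago" are exactly the ones this kind of check catches.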

2. Choose the Most Secure Settings for Your Devices and Software

Secure configuration means ensuring you’ve opted for the best security settings on your devices and software.

When you buy a new computer, tablet or smartphone, the default settings tend to be low on security and high on convenience. There will be apps and programs you don’t need and won’t use, and some devices and services ship with no password at all, or with a well-known default password such as ‘admin’.

To achieve Cyber Essentials PLUS certification, you need to reverse all that. Remove the unused programs: they take up space, but more importantly, every piece of software you don’t maintain is an extra way in. Change every default password, and always use strong, unique passwords – not ‘admin’, ‘password’, or anything that can be easily guessed – on every account and device. This applies equally to existing devices and needs to be done before you apply for certification.

The government also recommends PINs and biometrics (such as fingerprint or face unlock) for device access, and two-factor authentication (2FA) wherever it is available. 2FA means that, for example, when you log in to a website it also asks for a code sent by text message or email, or generated by an authenticator app, so a stolen password alone is not enough. An authenticator app or hardware key is stronger than a code sent by SMS or email, which an attacker who controls your phone number or mailbox can intercept.

3. Control Who Has Access to Your Data and Services

In addition to protecting against attack, Cyber Essentials PLUS certification is also about minimising the damage that could be done should an attacker break through your defences.

In the event of a cyber security threat, you want to minimise what the attacker could access.

One way of doing this is by instituting user access control: i.e. giving access only to what is needed and blocking access to everything else.

This means tailoring access for each user. Administrators will need greater access than regular staff members, but check how many users actually have administrative privileges—you may find the number has crept up over the years, or that security has lapsed to the point that a shared admin login is widely known.

Once you know what you’re dealing with, you can reset permissions and passwords and introduce a proper cyber security protocol to ensure all users know the importance of maintaining best practices.

Administrator accounts should be used only for administrative tasks. Everyday activities such as email, web browsing and shopping should be done from a standard user account, because if a phishing email or malicious website compromises the account in use, the attacker gets that account’s privileges. If that account is an administrator, they have unfettered access to everything the administrator is privy to, giving them many opportunities for exploitation.
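The "how many admins do we really have" check can be run over an account export from your directory. The following is an added example, not code from the original article: the CSV is a constructed sample in a hypothetical column layout (a real export from Active Directory or Entra ID will differ), and the 90-day dormancy threshold and the "only IT staff need admin rights" assumption are this example’s own choices, to be adjusted to your business.

```python
"""Audit user accounts for excess or unowned administrative privilege.

Added example, not from the original article. The CSV is a constructed
sample in a hypothetical format; the dormancy threshold (90 days) and the
expectation that only the IT role holds admin rights are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one account per row.
SAMPLE_EXPORT = """\
username,role,is_admin,owner,last_logon
j.smith,IT,yes,Jane Smith,2024-05-29
admin,IT,yes,,2024-05-30
p.jones,Finance,yes,Peter Jones,2024-05-28
old-contractor,IT,yes,Contractor Ltd,2023-11-02
a.brown,Sales,no,Ann Brown,2024-05-30
"""

SHARED_NAMES = {"admin", "administrator", "root"}   # generic, unattributable logins
DORMANT_AFTER = timedelta(days=90)                  # assumption for this example
ADMIN_ROLES = {"IT"}                                # roles with a standing need for admin


def audit_admins(csv_text, today):
    """Return a summary plus (username, reason) findings for risky admin accounts.

    `today` is an ISO date string so the audit is reproducible against a fixed
    export rather than drifting with the clock.
    """
    today = date.fromisoformat(today)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    admins = [r for r in rows if r["is_admin"].strip().lower() == "yes"]
    findings = []
    for r in admins:
        name = r["username"]
        last = date.fromisoformat(r["last_logon"])
        # A shared or unowned admin login means the credentials are probably widely known.
        if not r["owner"].strip() or name.lower() in SHARED_NAMES:
            findings.append((name, "shared or unowned admin account; replace with named accounts"))
        # Admin accounts nobody has used for months are a standing risk with no benefit.
        if today - last > DORMANT_AFTER:
            findings.append((name, f"dormant admin account, last used {last}; disable it"))
        # Admin rights outside the roles that need them are privilege creep.
        if r["role"] not in ADMIN_ROLES:
            findings.append((name, f"admin rights on a {r['role']} account; confirm a documented need"))
    return {"accounts": len(rows), "admins": len(admins), "findings": findings}


if __name__ == "__main__":
    result = audit_admins(SAMPLE_EXPORT, "2024-05-31")
    print(f"{result['admins']} of {result['accounts']} accounts are administrators")
    for name, reason in result["findings"]:
        print(f"  {name}: {reason}")
```

On the sample, four of five accounts are administrators: the generic `admin` login has no named owner, `p.jones` in Finance has admin rights with no obvious need, and `old-contractor` has not logged in for months. Each of those is something to fix before an assessor asks about it.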

Finally, software should only be installed from manufacturer-approved stores or directly from the vendor. App stores vet submissions, which reduces the risk of malware considerably, though it does not eliminate it, so the anti-malware and allowlisting measures described below still matter.

4. Protect Yourself From Viruses and Other Malware

Virus (n) – Programs that can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.

Malware (n) – Malicious software - a term that includes viruses, trojans, worms or any code or content that could harm organisations or individuals.

Viruses, ransomware, Trojans, worms and other malicious code – to achieve Cyber Essentials PLUS certification, you must prove you are doing what you can to keep malware off your systems. To an extent, that means educating yourself and your staff on how malware gets onto a system. Some basic rules:

  • Don’t download email attachments when you don’t know the sender, or if you do know the sender but the email looks suspicious.
  • Don’t use removable storage devices (e.g. USB sticks) when you don’t know their origin. Best to keep your own stock, rather than sharing across computers.
  • Steer clear of dodgy websites. An address starting with ‘https’ means the connection to the site is encrypted (the site has a TLS certificate), so information you enter can’t be read in transit – but it says nothing about whether the site itself is honest, and phishing sites use HTTPS too. Legitimate websites will also have proper contact information and a privacy policy; a ‘trust seal’ image is easily copied, so don’t rely on it. Look for the obvious signs of malicious content: ads promoting miracle cures, suspicious pop-ups, terrible spelling and grammar, or just plain nonsense text.

In addition to good practice, Cyber Essentials PLUS certification requires you to undertake one of the following measures against malware and viruses:

Anti-malware measures—Enable anti-malware software such as Microsoft Defender on Windows (XProtect on macOS is built in and runs automatically) and keep it updated, so that it scans files on access and blocks connections to known-malicious websites. Smartphones and tablets should be password-protected and regularly updated. Enable the ‘Find My Phone’ or equivalent function to track and erase lost devices. If possible, avoid connecting to unknown WiFi networks.

Sandboxing – A term to describe an application's ability to operate in isolation from the rest of your device. The government recommends you use versions of applications that support sandboxing to protect your files and other applications from malware. Most modern web browsers implement some form of sandbox protection.

Whitelisting (allowlisting) – An allowlist is a list of administrator-approved applications. Any application not on this list is blocked from running, whether a user double-clicks it or a malicious document tries to launch it. This takes the decision about what to run out of users’ hands, which makes for a much stronger level of protection, at the cost of maintaining the list as software is updated.

To achieve certification, you must show you’re doing at least one of these things. But for real defence in depth, you should be doing all of them.
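The allowlisting idea above is easiest to see with the simplest kind of rule, a file-hash rule: a program runs only if the digest of its bytes matches one an administrator approved. The following is an added example, not code from the original article; real deployments use the operating system’s own enforcement (Windows AppLocker or WDAC, for instance, which can also match on signing publisher or path), and the "approved build" here is a constructed stand-in written to a temporary directory rather than a real executable.

```python
"""Hash-based application allowlisting, demonstrated on files it creates itself.

Added example, not from the original article. Real enforcement belongs in the
OS (AppLocker/WDAC on Windows); this shows the hash-rule logic only. The
'approved build' bytes are a constructed stand-in for a real program.
"""
import hashlib
import os
import shutil
import tempfile

# Maps SHA-256 digest -> human-readable name of the approved program.
ALLOWLIST = {}


def sha256_of(path):
    """Digest the file in chunks so large executables don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def approve(path, name):
    """Administrator action: record the digest of a vetted program."""
    ALLOWLIST[sha256_of(path)] = name


def is_allowed(path):
    """Policy decision made before anything executes.

    Only the content hash is consulted; file name and location play no part,
    which is why renaming an approved file still passes and a modified file fails.
    """
    return sha256_of(path) in ALLOWLIST


def demo():
    """Approve one program, then test the original, a renamed copy and a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "payroll.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ approved payroll build 1.2")   # constructed stand-in
        approve(approved, "Payroll 1.2")
        original_ok = is_allowed(approved)

        # Renaming does not change the content, so the hash still matches.
        renamed = os.path.join(d, "notepad.exe")
        shutil.copyfile(approved, renamed)
        renamed_ok = is_allowed(renamed)

        # A trojanised build keeps the trusted name but not the hash.
        with open(approved, "ab") as f:
            f.write(b" plus injected code")
        tampered_ok = is_allowed(approved)

        return {"original": original_ok, "renamed copy": renamed_ok, "tampered build": tampered_ok}


if __name__ == "__main__":
    for what, allowed in demo().items():
        print(f"{what}: {'allowed' if allowed else 'blocked'}")
```

The flip side of a hash rule is maintenance: every legitimate update changes the hash, so the list must be refreshed as software is patched (which is why publisher-based rules are usually preferred for software that updates often).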

5. Keep Your Devices & Software Up to Date

Cyber Essentials certification requires that you keep your devices, software and apps up-to-date – also known as ‘patching’ or ‘patch management’, since the manufacturers are effectively patching holes in their software.

For the most part, this is easily achieved, since updates are fed through to your device fairly regularly – all you need to do is make sure you’re installing them. The only hard part is that sometimes updates require restarts and they arrive when we’re in the middle of doing something else. We forget and procrastinate until we’ve cancelled the alert and put our devices at risk.

Again, an element of implementing best practices here is educating users: updates don’t just bring new functions or fix bugs; they also close security holes that attackers actively look for. The government recommends setting devices to automatically update, where possible, for the best level of protection; Cyber Essentials specifically expects updates that fix critical or high-risk vulnerabilities to be installed within 14 days of release. They also stipulate that all IT has a limited lifespan: once a product no longer receives updates, it is unsupported and should be removed or replaced.
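Checking that you meet the patching expectation is a matter of comparing each device’s installed software against what is available, and how long the fix has been out. The following is an added example, not code from the original article: the inventory is a constructed sample in a hypothetical layout (in practice it would come from your patch-management or RMM tool), the version comparison is a plain equality check rather than a proper version parser, and the 14-day window applies to fixes rated critical or high.

```python
"""Flag devices whose security updates are overdue or whose software is unsupported.

Added example, not from the original article. The inventory is a constructed
sample in a hypothetical format. Version comparison is simplified to equality;
a real tool would parse version numbers properly.
"""
from datetime import date

MAX_PATCH_AGE_DAYS = 14          # Cyber Essentials window for critical/high fixes
URGENT = {"critical", "high"}

# Constructed sample: one row per (device, product) with the newest available
# version, the severity of the worst vulnerability it fixes, and its release date.
SAMPLE_INVENTORY = [
    {"device": "LAPTOP-01", "product": "Web browser", "installed": "124.0",
     "latest": "125.0", "fix_severity": "high", "released": "2024-05-10", "supported": True},
    {"device": "LAPTOP-01", "product": "Office suite", "installed": "16.84",
     "latest": "16.85", "fix_severity": "critical", "released": "2024-05-27", "supported": True},
    {"device": "DESKTOP-07", "product": "Operating system", "installed": "7.0",
     "latest": "7.0", "fix_severity": None, "released": None, "supported": False},
    {"device": "DESKTOP-07", "product": "PDF reader", "installed": "11.2",
     "latest": "11.3", "fix_severity": "medium", "released": "2024-04-01", "supported": True},
    {"device": "LAPTOP-02", "product": "Web browser", "installed": "125.0",
     "latest": "125.0", "fix_severity": "high", "released": "2024-05-10", "supported": True},
]


def audit_patching(inventory, today):
    """Return (status, 'device / product', reason) findings.

    status is 'fail' for things that would fail the control today, 'warn' for
    urgent fixes still inside the window, and 'info' for lower-severity fixes.
    `today` is an ISO date string so results are reproducible.
    """
    today = date.fromisoformat(today)
    findings = []
    for item in inventory:
        where = f"{item['device']} / {item['product']}"
        # Unsupported software never gets fixed, so it fails regardless of version.
        if not item["supported"]:
            findings.append(("fail", where, "unsupported software: no security updates will arrive"))
            continue
        if item["installed"] == item["latest"]:
            continue
        age = (today - date.fromisoformat(item["released"])).days
        sev = item["fix_severity"]
        if sev in URGENT and age > MAX_PATCH_AGE_DAYS:
            findings.append(("fail", where, f"{sev} fix released {age} days ago; limit is {MAX_PATCH_AGE_DAYS}"))
        elif sev in URGENT:
            findings.append(("warn", where, f"{sev} fix released {age} days ago; {MAX_PATCH_AGE_DAYS - age} days left"))
        else:
            findings.append(("info", where, f"{sev} fix released {age} days ago; install at next maintenance"))
    return findings


if __name__ == "__main__":
    for status, where, reason in audit_patching(SAMPLE_INVENTORY, "2024-05-31"):
        print(f"[{status}] {where}: {reason}")
```

On the sample, the browser on LAPTOP-01 fails (a high-severity fix has been available for three weeks), the office suite update is still inside its window, the unsupported operating system on DESKTOP-07 fails outright, and the medium-severity PDF reader update is reported for information. An assessor’s authenticated scan during Cyber Essentials PLUS would surface the same missing updates.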

What Next?


Once you’re happy you have achieved all the technical controls outlined above, you’re ready to apply for Cyber Essentials Certification. Stuck? Confused? More questions than answers? 

Want to know more?

Download our popular infographic to discover the fundamental differences between Cyber Essentials and Cyber Essentials Plus.


About CyberOne

CyberOne is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24x7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high-security, controlled-access Tier 3 data centre, CyberOne's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts, and disrupts hacker behaviour as part of a multi-layered security defence to help secure some of the UK’s leading organisations.