Home / Blog / General / The 5 critical security controls of Cyber Essentials PLUS

April 15, 2019

Cyber Essentials is a government-backed certification scheme that enables you to demonstrate that your business has taken the necessary steps to protect against a cyber attack.

This scheme tests your information system against five technical security controls. If you pass, you become certified and your business can be added to the government’s directory of organisations awarded Cyber Essentials.

It gives you the reassurance that you’ve done what you can to avoid an attack and prepare your systems in case the worst should happen, and it also proves to your customers that you are a reliable partner who can be trusted with their data.

Cyber Essentials logo

Cyber Essentials certification is awarded by an approved Certification Body. To pass, you have to verify that your IT meets the standards laid out in Cyber Essentials – more on that in a moment – and answer a questionnaire. Though you may be required to provide evidence to the Certification Body as part of the assessment, the basic Cyber Essentials certification is a self-assessment scheme.

Cyber Essentials PLUS, however, is an independently assessed certification. It is based on the same standards as Cyber Essentials – those five technical controls – but with the addition of independent verification that you meet those standards.

Understandably, this has made Cyber Essentials PLUS a popular scheme for businesses looking to provide solid reassurance of their cyber security controls.

So, exactly what are the standards you have to meet to achieve Cyber Essentials/Cyber Essentials PLUS certification? We’re going to take a look at the five security controls below:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

1. Use a firewall to secure your internet connection

> Firewall (n) – “Hardware or software that is used to prevent unauthorised access to or from a network by limiting network traffic.” 

In order to achieve Cyber Essentials PLUS certification, you need to ensure that all your internet-connected devices are protected by a firewall, a virtual boundary that protects your system and devices from incoming threats. Firewalls police incoming web traffic and decide whether or not to allow it through to your network.

A firewall can be set up to surround just your device or your entire network, depending on the complexity of your business needs.

It’s important to make sure it’s not just your computer that is protected, but all internet-enabled devices, such as tablets, smartphones, etc. And if you’re using these devices to connect to the Internet away from your office, especially using public WiFi – where security levels are unknown, the firewall should be configured accordingly.

> How do I check my firewall settings?

Smaller business networks will likely have a firewall in place in the router – that’s the point where the Internet effectively enters the building. You can check on the firewall settings by accessing the router. You’re looking to see which ports are open and which are closed.

Your firewall sets the rules for which ports are open and which are not. But only the ports that are needed should be connected – everything else should be closed. So if your website is hosted by a third party provider, for example, you can close the web server port on your network. Same for your email. If you leave them open, you’re basically inviting a hacker to come in and have a look around.

Larger businesses will likely be dealing with more ports and more users, so the firewall becomes more complicated to manage. It’s the same process, but with more traffic.

Note: For any size of business, a firewall can’t protect against every attack. But it’s your first line of defence, so it’s worth investing in.

2. Choose the most secure settings for your devices and software

Secure configuration just means making sure you’ve opted for the best security settings on your devices and software.

When you purchase a new computer, tablet or smart phone, the default operating settings tend to be low on security, high on content. There will be apps and programs you don’t need and won’t use. Sometimes they will not be password protected, so will use default passwords.

In order to achieve Cyber Essentials PLUS certification, you need to reverse all that. Get rid of those unused programs taking up space – but more importantly, creating a security risk. Always use strong, unique password (you can easily remember) – and make sure they are secure passwords, not ‘admin’, ‘password’, or anything that can be easily guessed. Of course, this equally applies to existing devices – and will need to be achieved prior to applying for certification.

The government recommends the additional use of PINs and/or touch-ID to increase security, and two-factor authentication (2FA) for the utmost security. 2FA is when, for example, you log in to a website and it sends a code as an email or text message for additional ID verification.

3. Control who has access to your data and services

As well as protecting against attack, Cyber Essentials PLUS certification is also about minimising the damage that could be done should an attacker break through your defences.

In the event of a cyber security threat, you want to minimise what the attacker could access.

One way of doing this is by instituting user access control: i.e. giving access only to what is needed and blocking access to everything else.

Of course, this will necessitate a degree of tailoring from one user to the next. Administrators will need greater access than regular staff members, but check how many users have administrative privileges – you may find the number has crept up over the years, or that security has lapsed to the point that the admin login details are widely known.

Once you know what you’re dealing with you can reset permissions and passwords and introduce a proper cyber security protocol to ensure all users are aware of the importance of maintaining best practice.

Administrators’ activities should also be restricted, since non work-related Internet browsing/shopping/chatting could leave their account vulnerable to intrusion. Once in, attackers would have unfettered access to everything the administrator is privy to, giving them a great deal more opportunities for exploitation.

Finally, all software should only be downloaded from manufacturer-approved stores, which will ensure it meets the required security standards – and doesn’t come with malware attached.

4. Protect yourself from viruses and other malware

Virus (n) – Programs that can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.

Malware (n) – Malicious software – a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.

Viruses, malware, ransomware, Trojans, worms, malicious code – to achieve Cyber Essentials PLUS certification, you’re going to need to prove you are doing what you can to avoid these things. To an extent, that means educating yourself and your staff on how viruses and malware get onto your system. Some basic rules:

  • Don’t download email attachments when you don’t know the sender, or if you do know the sender but the email looks suspicious.
  • Don’t use removable storage devices (e.g. USB sticks) when you don’t know their origin. Best to keep your own stock, rather than sharing across computers.
  • Steer clear of dodgy websites. How do you know if a website is secure? The address will usually start with ‘https’ – the ‘s’ indicates it has an SSL certificate, meaning any sensitive information you input is protected. Websites with nothing to hide will also have proper contact information, a privacy policy and a trust seal. Even so, look out for obvious signs of malicious content, including ads promoting miracle cures, suspicious pop-ups, terrible spelling and grammar – or just plain nonsense text.

In addition to good practice, Cyber Essentials PLUS certification requires you to undertake one of the following measures against malware and viruses:

Anti-malware measures – Enabling anti-malware products like ‘Defender’ in Windows and ‘XProtect’ in MacOS will increase your protection against malware on your laptop or desktop computer. Smartphones and tablets should be password-protected and regularly updated. Enable the ‘find my phone’ or equivalent function to track and erase lost devices. And it’s safer to avoid connecting to unknown WiFi networks, if possible.

Sandboxing – A term to describe the ability of an application to operate in isolation from the rest of your device. The government recommends you use versions of applications that support sandboxing to protect your files and other applications from malware. Most modern web browsers implement some form of sandbox protection.

White listing – A White List is a list of administrator-approved applications. Any application not on this list will be blocked from running. This takes our advice above (i.e. ‘steer clear of dodgy websites’) out of users hands, which makes for a stronger level of protection.

To achieve certification, you’re required to show you’re doing at least one of these things. But to feel really secure, you should be doing all of them.

5. Keep your devices and software up to date

Cyber Essentials certification requires that you keep your devices, software and apps up-to-date – also known as ‘patching’ or ‘patch management’, since the manufacturers are effectively patching holes in their software.

For the most part, this is easily achieved, since updates are fed through to your device on a fairly regular basis – all you need to do is make sure you’re installing them. The only hard part is that sometimes updates require restarts and they arrive when we’re in the middle of doing something else. We forget and procrastinate until we’ve cancelled the alert and put our devices at risk.

Again, an element of implementing best practice here is educating users: updates don’t just bring new functions or fix bugs, they also increase security. The government recommends setting devices to automatically update where possible, for the best level of protection. They also stipulate that all IT has a limited lifespan, and once updates no longer come through it may be time for an upgrade.

What next?

Cyber Essentials PLUS logo

Once you’re happy you have achieved all the technical controls outlined above, you’re ready to apply for Cyber Essentials Certification. Stuck? Confused? More questions than answers? Download our Cyber Essentials PLUS Service Guide for more information, or get in touch today.

Want to know more?

Download our popular infographic to discover the fundamential differences between Cyber Essentials and Cyber Essentials Plus.


Related articles:


About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.