Cyber Security For Your Organisation Starts Here: Further Information
www.cyberessentials.ncsc.gov.uk
www.ncsc.gov.uk/smallbusiness
www.ncsc.gov.uk/charity
www.ncsc.gov.uk/guidance/10-steps-cyber-security
www.iasme.co.uk/cyberessentials

You should use a personal firewall on your internet connected laptop or computer (normally included within your Operating System at no extra charge).

Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.

Check the settings

So, you should always check the settings of new software and devices and where possible, make changes which raise your level of security. For example, by disabling or removing any functions, accounts or services which you do not require.

Use passwords

Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected. Passwords – when implemented correctly – are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy to remember and hard for somebody else to guess. The default passwords which come with new devices such as ‘admin’ and ‘password’ are the easiest of all for attackers to guess. So you must change all default passwords before devices are distributed and used. The use of PINs or touch-ID can also help secure your device. If you would like more information on choosing passwords, look at the NCSC’s password guidance.

Extra Security

For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA.

A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.

To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.

Administrative accounts

Check what privileges your accounts have – accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.

Access to software

Another simple and effective way to ensure your devices stay secure and malware-free is to only use software from official sources. The easiest way to do this is to only allow your users to install software from manufacturer-approved stores, which will be screening for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.

Malware is short for ‘malicious software’. One specific example is ransomware, which you may have heard mentioned in the news. This form of malware makes data or systems it has infected unusable – until the victim makes a payment.

Viruses are another well-known form of malware. These programs are designed to infect legitimate software, passing unnoticed between machines, whenever they can.

Where does malware come from?

There are various ways in which malware can find its way onto a computer. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware.

Once you have taken the time to investigate and put them in place, these five basic controls will put you and your organisation on the path to better cyber security.

Cyber Essentials Certification should be your next target, but you can work towards that goal at a pace which suits you.

In the meantime, you can check how much progress you’ve already made by completing the handy checklists laid out below.

1. Use a firewall to secure your internet connection
Understand what a firewall is
Understand the difference between a personal and a boundary firewall
Locate the firewall which comes with your operating system and turn it on
Find out if your router has a boundary firewall function. Turn it on if it does.

2. Choose the most secure settings for your devices and software
Know what ‘configuration’ means
Find the Settings of your device and try to turn off a function that you don’t need.
Find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need
Read the NCSC guidance on passwords
Make sure you’re still happy with your passwords
Read up about second factor authentication

3. Control who has access to your data and services
Read up on accounts and permissions
Understand the concept of ‘least privilege’
Know who has administrative privileges on your machine
Know what counts as an administrative task
Set up a minimal user account on one of your devices

4. Protect yourself from viruses and other malware
Know what malware is and how it can get onto your devices
Identify three ways to protect against malware
Read up about anti-virus applications
Install an anti-virus application on one of your devices and test for viruses
Research secure places to buy apps, such as Google Play and Apple App Store
Understand what a ‘sandbox’ is

5. Keep your devices and software up to date
Know what ‘patching’ is
Try to set the operating system on one of your devices to ‘Automatic update’
Try to set a piece of software that you regularly use to ‘Automatic update’
List all the software you have which is no longer supported