22 Apr A deeper look at the Cyber Essentials Certification – Secure Configurations
As we covered in the last blog in the series, the Cyber Essentials Certification can protect your organisation against 80% of common cyber attacks. We have already covered some of the ways to manage your firewalls to guarantee you pass. In this, the second blog in the series, we take a look at Secure Configurations and how to be sure you will pass the Certification in this area.
Questions regarding Secure Configuration
- Have all unnecessary or default user accounts been deleted or disabled?
All accounts set up on the computer, or on other devices on or connected to your network, should be necessary to the business! There should be no unused accounts on the system and no guest accounts. Removing or disabling them requires an administrative account and is done through the control panel on the computer, or the equivalent settings on another device.
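Before an assessor asks the question, it helps to have an inventory that shows which accounts are still enabled and why. The script below is an added example written for this post, not code from the original article or from Netcom: it parses a constructed CSV export of local accounts (the data, the 90-day idle threshold, the review date and the list of default account names are all assumptions) and lists every enabled account that is either a known default/guest account or has not logged on recently.

```python
import csv
import io
from datetime import date, timedelta

# Constructed account export for illustration (not real data): one line per
# account with its name, whether it is enabled, its last logon date and
# whether it is a built-in/default account.
ACCOUNT_EXPORT = """\
name,enabled,last_logon,builtin
Guest,true,never,true
DefaultAccount,false,never,true
jsmith,true,2024-04-10,false
contractor_2022,true,2022-11-03,false
svc_backup,true,2024-04-18,false
"""

# Assumed list of default account names that should never be left enabled;
# extend it with the factory defaults of your own devices.
DEFAULT_ACCOUNT_NAMES = {"guest", "defaultaccount"}


def parse_accounts(export_text: str) -> list:
    """Turn the CSV export into a list of account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        last = row["last_logon"].strip()
        accounts.append({
            "name": row["name"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": None if last == "never" else date.fromisoformat(last),
            "builtin": row["builtin"].strip().lower() == "true",
        })
    return accounts


def accounts_to_disable(accounts: list, today: date, max_idle_days: int = 90) -> list:
    """Return (account name, reason) for every enabled account that fails the policy.

    max_idle_days is an assumed threshold: the page only says unused accounts
    must go, so pick the figure that suits your organisation.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        if acct["name"].lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((acct["name"], "default or guest account is still enabled"))
        elif acct["last_logon"] is None or acct["last_logon"] < cutoff:
            findings.append((acct["name"], f"no logon in the last {max_idle_days} days"))
    return findings


def audit(export_text: str, today_iso: str, max_idle_days: int = 90) -> list:
    """Convenience wrapper: parse the export and run the policy for a review date."""
    return accounts_to_disable(parse_accounts(export_text), date.fromisoformat(today_iso), max_idle_days)


if __name__ == "__main__":
    # Constructed review date for the example.
    for name, reason in audit(ACCOUNT_EXPORT, "2024-04-22"):
        print(f"{name}: {reason}")
```

Disabled accounts are skipped rather than reported, so the output is the action list: each name should be disabled (or deleted) and the export re-run until the list is empty.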
- Have all passwords been changed from default or guessable to something non-obvious?
Passwords are often the most common weak point in a business’ cyber security arsenal. The default password set on a device when it is purchased isn’t good enough for security purposes and it is essential that it is changed. For your passwords to be strong, all of them should follow these guidelines:
- Use a mixture of upper and lower case
- Use numbers and special characters
- DON’T use a dictionary word or a recognisable sequence of letters or numbers (e.g., ABC, 123).
Make your passwords completely random, even to you. The more relatable a password is to you, the weaker it makes your cyber defences.
There is more to passwords than just creating them though – the way passwords are selected and stored is important. It is acceptable under the Certification to use a respected password manager app. There are websites and applications that will assess a password and determine its strength – it is advisable to use these to help staff select the strongest possible passwords.
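The three guidelines above can be turned into a check that runs locally, so candidate passwords never leave the machine. The function below is an added example for this post, not code from the original article or from Netcom: it tests for mixed case, a number, a special character, dictionary words and recognisable sequences (alphabet, digits and keyboard rows, forwards or backwards). The word list and the 12-character minimum are assumptions; the page sets no length, and a real deployment would load a full dictionary or breached-password list.

```python
import string

# Constructed stand-in for a real dictionary / breached-password list; a
# deployment would load a full word list here.
COMMON_WORDS = {"password", "welcome", "summer", "admin", "letmein", "qwerty"}

# Sequences whose runs count as "recognisable": the alphabet, the digits and
# the keyboard rows, each checked forwards and backwards.
SEQUENCES = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")


def contains_sequence(password: str, run_length: int = 3) -> bool:
    """True if the password holds run_length consecutive characters of a
    known sequence in either direction (abc, 123, cba, 321, qwe ...)."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run_length + 1):
            chunk = seq[i:i + run_length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def contains_dictionary_word(password: str, words=COMMON_WORDS, min_word_len: int = 4) -> bool:
    """True if any listed word of at least min_word_len letters appears inside the password."""
    low = password.lower()
    return any(w in low for w in words if len(w) >= min_word_len)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the guideline failures; an empty list means the password passes.

    min_length is an assumed value (the page sets no figure).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if contains_sequence(password):
        problems.append("contains a recognisable sequence (e.g. abc, 123)")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "xK7#pQ2v!mZ9"):
        print(candidate, "->", check_password(candidate) or "passes")
```

Note that "Password123!" satisfies the character-class rules yet still fails: the dictionary and sequence checks are what separate a genuinely random password from one that merely looks complex.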
- Has all software which is unnecessary for your organisation been removed or disabled?
Similar to the first point we made, any software that is not required or used by your organisation should be removed immediately by uninstalling it. This applies whether the software was only ever used once or a newer version has made the old one redundant; remove it at the first opportunity. Understandably, there are circumstances that don’t allow you to delete software as and when you want to (licensing agreements, for example). If this is the case, the software in question should be disabled so that only administrators can run it when necessary.
- Have all auto-run features which allow file execution without user authorisation (for example, when they are downloaded from the internet) been disabled for all media types and network file shares?
Programmes should always need approval to run. Occasionally the approver will be a user with a particular need for the programme, but most often it should be an administrator. Whether programmes are allowed to autorun is set within the control panel or your organisation’s equivalent.
- Are external users authenticated before they are given internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation?
Put simply, anyone who requires access to the network from a different physical location should have to provide some confirmation of who they are. This is done through two-factor authentication and might mean that the user has to carry a token or other device which can be used to obtain a unique code or PIN to enter into the system; this is also often achieved via text message. It is essential that the system doesn’t allow anyone to log in without some form of secondary identification and authentication.
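The "unique code" produced by a token or authenticator app is usually a time-based one-time password (TOTP, RFC 6238). The code below is an added example for this post, not code from the original article or from Netcom, and it does not cover the text-message variant: it generates the six-digit code from a shared secret and the current 30-second window, and shows the server-side check with a one-step drift allowance and a replay guard. The secret is the RFC 4226/6238 test secret, used only so the output can be compared with the published test vectors; a real system generates a random secret per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890"),
# used here only so the output matches the RFC test vectors. A real
# deployment generates a random per-user secret and enrols it once.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the HOTP of the current time window."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the accepted counter, or None on failure.

    window allows for clock drift (one step either side). Counters at or
    below last_counter are refused, so a code that has already been accepted
    cannot be replayed within its window; the caller stores the returned
    counter as the new last_counter.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        # constant-time comparison so a wrong guess leaks nothing via timing
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("code for this window:", code)
    accepted = verify_totp(TEST_SECRET, code, now)
    print("accepted counter:", accepted)
    print("replay refused:", verify_totp(TEST_SECRET, code, now, last_counter=accepted) is None)
```

The replay guard is the part a simple "does the code match" check usually misses: without it, a code observed over someone's shoulder stays valid for the rest of its window plus the drift allowance.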
> How do I uninstall software or delete redundant user accounts that might be jeopardising my cyber security?
> How do I know what password management tools to use?
> How do I manage approvals?
> How do I implement an easy-to-use two-factor authentication system?
It is understandable to be confused by all this, and for those who aren’t as tech literate as others the above questions are more than justified. That’s where we come in.
Helping you to Cyber Certification – Netcom
Our team of experts will assist you in the process of uninstalling redundant user accounts, finding a password management tool that works for you, implementing an easy-to-use two-factor authentication system, and managing approvals across your organisation. We can guide you into a future with IT as a powerful – and most importantly – secure ally. We pride ourselves on developing a relationship with our clients and ensuring they prosper from the technology and plans introduced for them, getting the most from their IT. We can guide you to achieve the Cyber Essentials Certification with flying colours! Contact us now and find out how we can help you.