26 Jan Cyber Essentials – Access Control

Cyber essentials – The Aim of Access Control

The objective of Cyber Essentials is – with the assistance of access control – to ensure user accounts only provide access to applications, networks and computers that the user needs to perform their role – the keyword in this sentence is ‘need’. Cyber Essentials makes sure user accounts are assigned to authorised individuals and not just anybody.

Access control should be at the forefront of concern for your business. Its importance can never be understated, but in the climate, the world has been living in and with the majority of businesses having at least a partially remote workforce – the past year has elevated this importance to new heights.

Access Control – Cyber Essentials requirements

Cyber Essentials Certification requires you utilise user accounts to control access to your data. There are controls as to what can be done with administrative accounts and privileges to those accounts are only given to those that need them.

User accounts in your business facilitate access, allowing the use of applications, devices and sensitive information (contact details, bank details, personal information of any kind etc). Only allowing access to authorised personnel with user accounts that mirror their station within the business dramatically reduces the risk of information being stolen or damaged.

If accounts with special access privileges to devices, applications and information are compromised severely enough – this has the power to completely incapacitate your business. In extreme circumstances, they can be exploited to facilitate a large-scale attack on your systems – causing long term detrimental effects to all aspects of your business, from reputation to functionality.

Administrative accounts

Administrative accounts typically allow the use of software that can completely obliterate the security measures your business has in place if in the wrong hands. Every administrative role will have access to these accounts, including Local Administrators and Domain Administrators. Making revised decisions as to who can use the administrative accounts is essential. For example, if a user opens an email attachment that has malicious intent and is infected with a Malware Virus, the Malware is typically free to cause carnage up to the privilege level of the account that the user is operating in, meaning this could cause irreparable damage to business infrastructure (depending on the level of access the user has).

For example:

David is logged into an administrative account and opens a malicious email attachment. All associated malware is likely to need administrative privileges.

Using David’s administrative privileges, a type of malware known as ransomware encrypts all of the data on the network and then demands a ransom.

You may think, “oh, that won’t happen to me” but studies show that small to medium businesses make up a staggering 43% of all cyberattacks worldwide.

Requirements for Cyber Essentials Accreditation

To apply for Cyber Essentials, you must have control over the user accounts and the privileges granted to each one.

You must have a user account creation and approval process in place within the organisation.

You must authenticate users before granting access to application devices using unique credentials for each.

You must also be sure to disable or entirely remove user accounts when no longer in use; remove or disable special access privileges to an individual’s account when no longer required; implement two-factor authentication and only use administrative accounts to perform administrative activities.

Having the Cyber Essentials accreditation shows potential customers that you intend on keeping their information as secure as possible.

We’re Netcom, we can protect your business

Do you want your business to prove it takes the right steps to protect the information held on behalf of your customers, and Cyber Essentials certification is a recognised step toward that. We at Netcom provide you with your Cyber Essentials certification upon passing and can guide you to ensure the pass as quickly as possible. Contact us now for more information.

For guidance on IT strategy, cybersecurity and digital transformation why not book a free, no-obligation discovery call today by calling 0114 361 0062.