Cyber Essentials Consulting - Okapi Solutions


Cyber Essentials Consulting

Cyber Essentials is a Government-backed scheme designed to help micro-, small- and medium-sized organisations with their cyber-security practices and procedures.  From a risk, governance and commercial standpoint, large and enterprise-sized organisations are expected to have established internal cyber-security, secure identity and access management, and infrastructure controls.  As a minimum, these should meet the standards required by ISO 27001.

As detailed on the Cyber Essentials website, there are three levels of engagement - Familiarisation, Cyber Essentials, and Cyber Essentials Plus - each designed to fit the level of commitment a particular firm can sustain.  Before actually commencing the certification process, however, there are specific steps an organisation and its staff may take to minimise their exposure to cyber-risk.

The first of these, Familiarisation, covers:

Familiarisation with Cyber Security Terms and Basic Controls.

1.     Install and configure a firewall to secure your Internet connection.
    • Most PCs, laptops and mobile devices (phones, tablets) sold today - especially those from higher-end manufacturers - provide cyber-security software out-of-the-box.  For example, they may come pre-loaded with anti-virus software - McAfee, Norton, F-Secure, Bitdefender, AVG, Kaspersky, to name a few - which also includes a firewall application.  Alternatively, application-specific security software is available for free, may be pre-installed as part of the machine's OS (Operating System) - Windows Defender, macOS Firewall - or may be purchased from high street retailers and installed 'aftermarket'.  Third-party software or virtual firewalls (e.g., ZoneAlarm, Comodo) may also be purchased (free options exist) and installed.  These applications are fairly straightforward to configure and manage, but must be installed and configured on every device that needs to be connected to the internet.

    • LAN and WiFi routers also have built-in firewalls, but these must be switched on and configured to the level of security required.  The security settings will vary depending on which devices you wish to allow to connect to your network - whether they are company-owned and managed, or whether personal devices are to be used.  A word of warning here: where personal devices are to be allowed, the firewall configuration required to let those devices operate without almost all website access being blocked may be quite complex and time-consuming.  It is therefore almost always better to issue staff with company-controlled devices to help minimise the potential for cyber-security attacks.

    • The preferred option for the highest level of security is a hardware firewall, as it can be set up between your internet router and all other networked systems, including all attached PCs, laptops and tablets.  Whilst most LAN and WiFi routers have built-in firewalls, the main purpose of these devices is not cyber-protection but ease of access to the internet.  For most businesses, having a separate, dedicated hardware firewall in place is the best option.  Further, for those firms that wish to go on to become Cyber Essentials, Cyber Essentials Plus, or ISO 27001 certified, having such a device installed and properly configured will ensure partial compliance with those requirements.



2.     Choose the most secure settings for your devices and software
    • Check your Settings:  Every device to be used, irrespective of whether it is to be connected to the internet, or whether additional security software or hardware devices are to be installed, must have its default settings reviewed and, where required, re-configured to ensure cyber-risks are minimised - not least, default Administrator passwords.

    • Set Strong Passwords:  The majority of PCs, laptops and mobile devices are delivered with either no Administrator password set or, where one has been pre-set, one that is likely to be inadequate, that is, it does not meet the criteria for a strong password.  According to SplashData, as at the end of 2017, passwords like "password", "12345678", etc., continued to appear in the list of the 100 Worst Passwords.  Easily-guessed passwords are one method by which unauthorised access to an organisation's systems may be achieved.  Strong passwords should have the following characteristics:

      • Should be a minimum of 8 characters;
      • Made up of a combination of:
        • Alpha characters:  lowercase (a, b, c,...), Uppercase (A, B, C,...)
        • Numeric characters:  (1, 2, 3, 4, 5, etc.)
        • Special characters (symbols):  (-, _, $, %, ", ~, £, #, {, }, etc.)  Some special characters may be restricted by specific applications (e.g., online banking systems) due to their possible use within the application code.
      • Should not be a regular word found in a dictionary;
      • Should not be an individual's name;
      • Should not be the user's own name or surname;
      • Should not be something personally related to an individual, e.g., children's names, vehicle, own street name, etc.;
      • Should be simple to remember but difficult to guess.

      • Other recommendations:
        • Set a realistic password policy within your organisation - the National Cyber Security Centre (NCSC) has published guidance for organisations which may help simplify current password policies.
        • Passwords should be changed regularly - monthly is usually fine as long as there have been no security incidents, whether or not they impacted you personally.  Should any warnings or security incidents have occurred, it is advisable to change your password(s) as soon as possible;
        • New / changed passwords should be significantly different from the previous password.
        • The same password should not be used across multiple accounts or applications.

    • Use Additional Authentication Tools:  
      • Multi-Factor Authentication (MFA) is a security procedure that requires an additional method of authentication (other than username and password) to verify a user's identity for accessing internal or external systems, or for performing actual transactions.  Users of online 'free' email systems (Yahoo, GMail, etc.) will be aware of procedures requiring them to input a further, random authentication factor sent to them via SMS (registered mobile telephone number) or email (alternative registered email address).  This method is extremely difficult to compromise without first obtaining physical access to the mobile telephone or alternative email address.
      • Access to randomly-generated authentication codes was once the preserve of large organisations given the implementation costs.  Now, small- and medium-sized firms can utilise MFA services via cloud-based providers.
      • Other MFA tools include personal hardware devices - usually the size of a USB Memory Stick - which either generate random, one-time codes that are synchronised with a 3rd-party authentication server or, when plugged into a device's USB port, authenticate the user to the machine in use.
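The strong-password criteria listed under item 2 above can be turned into a policy check an organisation runs when a password is set or changed. The following is an added example, not code from the original page or from Okapi Solutions; the word list is a small constructed stand-in for a real dictionary, and the "significantly different from the previous password" rule is interpreted here, as an assumption, as an edit distance of at least half the password length.

```python
import re
import string
from typing import Iterable, List, Optional

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "letmein", "football", "dragon"}
SPECIAL = set(string.punctuation) | {"£"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(candidate: str, personal_terms: Iterable[str],
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy rules the candidate breaks (empty means it passes)."""
    problems = []
    if len(candidate) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in SPECIAL for c in candidate):
        problems.append("no special character")
    # Strip digits and symbols so "Password1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    lowered = candidate.lower()
    for term in personal_terms:  # username, surname, children's names, street, vehicle...
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if previous is not None:
        # Assumption: "significantly different" means at least half of the
        # characters of the longer of the two passwords must change.
        needed = max(len(candidate), len(previous)) // 2
        if edit_distance(candidate.lower(), previous.lower()) < needed:
            problems.append("too similar to the previous password")
    return problems
```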



3.    Control who has access to your data and services
    • Use Administrative Accounts for Administrative Tasks Only:
      • By default, new PCs and laptops are supplied 'out of the box' with a single account having full administrator privileges.  Before regular use, standard user accounts with reduced privileges and system access should be created on individual PCs and laptops for day-to-day tasks.  Accounts with administrative privileges should only be used by designated system administrators to perform administrative tasks.  This separation ensures staff do not browse the web or connect to personal email accounts whilst the device is in full administrator mode.

    • Access to Software
      • In parallel with limiting access to administrator accounts, users should be restricted - as a minimum - to installing additional software and Apps on their devices only from a pre-approved list and from official sites.  It is recommended that organisations draw up specific policies on what software:
        • is actually available to users;
        • is allowed to be installed without special permission;
        • may be downloaded/purchased and installed only with specific permission (usually, a request for the software is made to the user's Line Manager and the IT Department).  Whilst on its face this may appear to involve increased resource costs, this should be balanced against the potential risk and costs involved should a breach occur due to unapproved software or malware being installed.



4.     Protect yourself from Viruses and Other Malware
    • Install Good Anti-Virus/Anti-Malware Software
      • Other than being careful about the websites you visit and following good cyber-security practices, another simple way to protect yourself against viruses and malware is to use a good anti-virus/anti-malware product like those available from McAfee, Norton, F-Secure, Bitdefender, AVG, Kaspersky, etc., as mentioned above (no specific recommendations are made here).

    • Ensure Anti-Virus Definition Files are Updated Regularly
      • New and modified viruses and malware are released on the internet every day, and your virus scanner needs to be able to recognise and block these new types.  The only way this can be done is for the software's virus definition files to be updated regularly.  Once installed, users can either set the software to automatically download and install virus definitions and other updates, or do this manually.

    • Install a Script-blocking Browser Add-on
      • Another option to minimise the risk of websites installing malicious code, viruses, malware, etc., is to install browser add-ons or plugins which allow the user to control the execution of client-side (browser) scripts and thereby the generation of content on the users' device.  Whilst client-side scripts for legitimate websites are safe - they are used to manage user interactions, state, security, and performance - they can also be used to execute malicious code, e.g., keystroke trackers, on the device.  Most browsers, via their respective App 'stores', will provide free or paid-for script blocking plug-ins designed for that specific browser.



5.     Keep your devices and software up to date
    • Update your computer's operating system (OS) to a supported version.
      • Running an unsupported OS means security issues remain unpatched, resulting in increased cyber-security risk.
      • Microsoft now recommends that all personal computers run a version of its Windows 10 OS.  Mainstream support for earlier versions of Windows - 3.11, ME, 2000, XP, Vista, Windows 7, Windows 8.1 - has ended, though extended support for the last two runs until 14th January 2020 and 10th January 2023 respectively.

    • Download and install the Operating System and Application service packs and patches when notified.
      • Devices running one of Microsoft's OSs can be set to automatically download and install the latest service packs and security patches.  Whilst this is convenient, and is recommended by Microsoft, the scheduled updates may clash with or constrain one's use of the device - especially where major service pack updates are to be installed.  Microsoft's patch releases usually occur on the 2nd and 4th Tuesday of the month, formally known as 'Patch Tuesday'.  Apple, on the other hand, does not publish an update schedule but releases updates and patches for its operating systems on an ad-hoc basis.



Okapi Solutions, in partnership with qualified individuals and organisations, assists businesses with their Cyber Security journey with the aim of achieving Cyber Essentials and, ultimately, Cyber Essentials Plus.  We have also partnered with Information Security companies who help organisations achieve the Information Security Management System standard ISO/IEC 27001.

Should you require advice or assistance to achieve Cyber Essentials certification, please contact us.
