Cyber Essentials decoded: Firewalls and User Access Control

All businesses, large or small, depend on some level of digital services, online assets and applications. As cloud adoption increases, the threat of cyber-attacks does too. All innovative technologies yield benefits but also risks. Among other things, fundamentally, organisations of today’s world need knowledgeable, empowered leadership to aid in the risk and impact reduction of these threats.  

Enterprise organisations have huge volumes of data to protect and the regulations, budgets and requirements that drive their need for state-of-the-art security controls. Smaller businesses may not have this, but they need cyber protection too. They are fast becoming more frequently targeted and the difference between the two could sometimes cost the small business the greatest price, loss of clients or even business closure. 

In fact, in the UK, the average cost of a data breach has grown to nearly £2.7 million, according to IBM research and the fall-out can be crippling for small businesses. So, if you think your organisation is too small to be a target, think again. Most hacks are just opportunistic, the lowest hanging fruit, an easy target. The equivalent of popping to the shops and leaving a window open, that left you vulnerable for a short time but attackers only need a short window – excuse the pun. 

Every business must adopt good practices in cyber security to protect their data, assets, and reputation.  

What is cyber essentials?  

Cyber Essentials is a UK government scheme that offers a clear-cut cyber security strategy to businesses of all shapes and sizes.  Cyber Essentials offers two main levels: Cyber Essentials and Cyber Essentials Plus. Put simply, Cyber Essentials offers organisations an online assessment system where they self-assess their current cyber security and then have the answers independently verified, before offering you certification.  

Then you have Cyber Essentials Plus which offers the same as the basics plan, but with the bonus of offering independent validation by an accredited third party. Your systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.  

Working on the 5 key elements of cyber security, Cyber Essentials offers a simple framework that gives protection from cyber threats, aligns with the UK National Cyber Security Centre (NCSC) and gives you numerous benefits including:  

• Reduced insurance premiums 
• Improved investor and customer confidences
• The ability to tender for business where certification to the scheme is a prerequisite. 

The 5 key elements of cyber security 

1. 1. Firewalls and Internet gateways 

Firewalls are there to monitor incoming and outgoing network traffic, and then decide if the traffic needs to be allowed through or blocked. They are a barrier between external sources and your internal network and protect you from malicious traffic like viruses and hackers. 

1. 2. User Access Control  

All organisations that have employees connecting to the Internet must implement some level of access control. By restricting access to sensitive data and requiring multiple verification methods to gain access through a control gateway, you can protect your business from threats. Essentially, you can minimise the risk of unauthorised access to important information. 

1. 3. Patch management 

Patch management refers to the ongoing practice of keeping software on computers and network devices up to date, which then means your systems can resist low-level cyber-attacks. Rather than leaving your software vulnerable to attackers, your software should be regularly patched or updated. 

1. 4. Malware protection 

Malware is short for malicious software – things like computer viruses, worms, spyware, botnet software and ransomware. All these types of software are designed to infiltrate or damage a computer system without the owner's informed consent. Malware is a big threat and an attack can be devastating to your systems and data. So, you need to protect yourself against these threats with effective anti-malware software.  

1. 5. Secure configuration 

In order to be cyber secure, you must also look at the configuration of your servers. Certain security measures can be implemented when building and installing computers and network devices to reduce unnecessary cyber vulnerabilities. It is also best practice to test these images before rolling them out in your organisation, through configuration reviews and penetration testing. 

The first two elements – Firewalls and Access Control – are critical to any robust cyber security plan. Let’s look at why they are important and the requirements from NCSC.  

Boundary Firewalls and Internet Gateways 

In order to achieve certification for Firewalls as a control, you need to show that your organisation regularly:  

• Changes any default administrative passwords  
• Prevents access to the administrative interface from the Internet unless there is a clear and documented business need, and the interface is protected by one of the following controls:
  • • • A second authentication factor, such as a one-time token; or 
      • An IP whitelist that limits access to a small range of trusted addresses. 
• Blocks any unauthenticated inbound connections as a matter of routine  
• Ensures inbound firewall rules are approved and documented by an authorised individual 
• Removes or disables permissive firewall rules as soon as they are not needed and uses a host-based firewall on devices that are used on untrusted networks, such as public Wi-Fi hotspots

These practices are important because they help your organisation confirm that every asset is secured by a correctly configured firewall (or equivalent network device). 

At The Missing Link, we support best practices such as regularly taking stock of firewall rules and having a third-party review (such as The Missing Link firewall service). Firewalls keep good traffic in and bad traffic out. But what can you do to ensure users don’t let in bad threats?  

User Access Control  

When it comes to access control, it is imperative that users first understand their basic responsibilities but that as an organisation you also protect your users. If you have a controlled gateway, you can protect your business from threats. 

In order to achieve certification for User Access Control, you need to show that your organisation regularly:  

• Authenticates users before granting access to applications or devices, using unique credentials 
• Removes or disables user accounts when no longer required 
• Where possible have implemented a two-factor authentication 
• Only uses administrative accounts to perform administrative activities  
• Removes or disables special access privileges when no longer required. 

Access control is important because you can have selective restriction of access to data, which limits the risk of unauthorised access to important information. At The Missing Link, we offer identity security solutions that will ensure your users have access to the right resources at the right time.

We recommend setting up strong authentication controls that make it much harder for threats to move laterally around a network. This reduces the likelihood of business-critical systems and data being compromised because potential threats are contained, neutralised and then remediated before any critical damage is done. 

The only constant is that both the technologies available and the threat landscape itself are constantly changing, so we understand that it can be difficult for customers to keep up with.  We advise customers day in, day out on their identity strategy. 

Protect your business  

Want to know more about the Cyber Essentials requirements? Our team at The Missing Link can offer you the expertise and support needed to achieve Cyber Essentials certification or Cyber Essentials Plus certification. 

For practical help with your certification and cyber security, please get in touch with our expert team at The Missing Link or for more information about Cyber Essentials such as Malware Protection, User Acess Control or Patch Management, click here.  

If you liked this article, you may also like:

Cyber Essentials decoded: Malware Protection

Cyber Essentials decoded: Secure Configuration

Cyber Essentials decoded: Patch Management