In the wake of the recent Sony hack, cyber security risks are as apparent as ever. The need to take proactive steps to ensure a business is adequately protected is likely to be a key feature on many board meeting agendas this year

While the security measures taken will differ depending on the size and nature of a business, every company, whatever the size, should be implementing relevant procedures to guard itself against cyber security risks. The Department for Business, Innovation and Skills (BIS) launched the Cyber Essentials Scheme in 2014, highlighting controls to implement to help secure IT systems and mitigate cyber security risks. The Cyber Essentials Scheme focuses on five basic qualifications of the 10 steps to cyber security launched in 2012 jointly by BIS, the Centre for Protection of National Infrastructure (CPNI) and Government Communications Headquarters (GCHQ). We explore these recommendations and set out the essential steps to take to safeguard a business.

The Cyber Essentials Scheme (Scheme) – 5 basic controls to implement

Clearly identifying information assets and systems that are susceptible to cyber security challenges is crucial to ensuring effective controls. The Scheme highlights five basic controls to put into place:

1. Boundary firewalls and internet gateways

Boundary firewalls, internet gateways or comparable network mechanisms should be in place to protect systems, applications, information and devices against unauthorised access andexposure to the internet. 

Without these, systems are at risk of being easily accessed, leaving information exposed and at risk of deletion. A boundary firewall acts as a defence by regulating inbound and outbound network traffic, blocking those common cyber threats that are created easily from widely and freely available tools on the internet.

The Scheme also recommends that:

• the password to the firewall should be strong and not the default option;
• an authorised individual should approve each rule that allows network traffic to pass through the firewall, which should be documented;
• routinely susceptible services and unapproved services should be locked at the boundary by default;
• the firewall should be kept up to date so that out of date rules are deleted; and
• it should not be possible to access the dashboard to manage the firewalls from the internet.

2. Secure configuration

Devices connected to a network must be configured to ensure that they can only provide the services required and are not given access to surplus networks or systems. This will help to reduce characteristic vulnerabilities of some devices. The default settings and applications on many devices can serve as a route for cyber attackers to gain easy access to the information on these network devices. The Scheme suggests that when installing network devices, some basic controls should be employed such as:

• user accounts that are not needed should be deleted;
• passwords should be changed from default at installation and must be strong;
• redundant software should be removed or disabled;
• software settings such as auto-run should be disabled to prevent software being active when accessing network folders and where removable storage is used; and
• a personal firewall should be enabled on computers and set to block unapproved connections by default – this may often be installed on a computer as part of an operating system.

• http://www.taylorwessing.com/globaldatahub/article_cyber_security_tips.html