Sick of Security Theater? Focus on These 5 Basics Before Anything Else

Cybersecurity abounds with “to-do lists” in the form of guidance documents and control frameworks. However, these lists alone don’t strengthen a network; implementing the controls does. Given that frameworks often contain hundreds of controls, distinguishing between basic and additional security controls is beneficial. It’s crucial to implement the foundational basics before moving on to risk assessments, strict governance procedures, and other advanced measures.

– I don’t have the paperwork but at least we have firewalls and working patch management! 

Luckily, there are also “quickstart” guidelines available. One of the best is the UK NCSC’s “Cyber Essentials”. This includes 5 technical controls that will stop most cyber attacks and make your organization much more resilient. 


1 – Secure configuration

  • Remove software and features you don’t need
  • Do not allow administrative accounts to be used for daily work. Use separate accounts for administration, and preferably only a few people from the IT department should be able to be administrators. 
  • Remove default accounts, and change any default passwords. 

2 – Malware protection

  • Install anti-malware software on all computers and smartphones
  • Configure the anti-malware software to check web links as well

3 – User access control

  • Only give access to people who need it
  • Only give access to the resources the user needs to do their job
  • Implement strong authentication with two-factor authentication for all services that can be reached from the Internet
  • Set a routine to go through user accounts regularly and remove or disable user accounts that should no longer be there

4 – Firewalls

  • Make sure all Internet connected devices have a firewall
  • Configure the firewalls to only allow the necessary traffic
  • Block all inbound traffic, unless the device has a role requiring it, for example a web server

5 – Security updates

  • Only use supported applications that still receive security updates
  • Enable automated security updates where possible
  • Keep an inventory of the installed software on all devices. This will be available in most modern anti-malware software systems. 
  • When a high severity vulnerability is published, check the inventory to see whether you have this software, and implement the patch or other mitigations quickly. 
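
The inventory check in the last bullet can be scripted. The following is an added example, not part of the original post: it matches a software inventory export against one advisory's affected version range. The CSV layout, host names, product name and advisory values are all constructed for illustration.

```python
import csv
import io

# Constructed sample inventory export (host, software, version); not real data.
INVENTORY_CSV = """host,software,version
ws-001,ExampleViewer,4.2.1
ws-002,ExampleViewer,4.3.0
srv-01,exampleviewer,4.10.0
ws-003,ExampleViewer,4.2.9-beta
ws-004,OtherTool,1.0.0
"""

# Constructed advisory: versions >= introduced and < fixed are vulnerable.
ADVISORY = {"software": "ExampleViewer", "introduced": "4.0.0", "fixed": "4.3.0"}


def parse_version(text):
    """Return a tuple of ints for dotted numeric versions, else None."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def check_inventory(inventory_csv, advisory):
    """Sort matching installs into affected, not_affected and review."""
    low = parse_version(advisory["introduced"])
    high = parse_version(advisory["fixed"])
    result = {"affected": [], "not_affected": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["software"].strip().lower() != advisory["software"].lower():
            continue
        version = parse_version(row["version"])
        if version is None:
            # Unparseable version strings are never silently treated as safe.
            result["review"].append(row["host"])
        elif low <= version < high:
            result["affected"].append(row["host"])
        else:
            result["not_affected"].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in check_inventory(INVENTORY_CSV, ADVISORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Versions are compared as numeric tuples because a plain string comparison would rank 4.10.0 below 4.3.0 and wrongly report srv-01 as affected.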

Next steps

When the essential controls are in place, the next step should be to set up an incident response plan, and practice using it. Then you are ready to start building a risk-based governance structure and focus on continuous improvement and compliance using one of the big frameworks such as ISO 27001.

Some good resources on the basics

NCSC Cyber Essentials

ENISA cybersecurity guide for SMEs
