The 5 controls of Cyber Essentials – Data security by controlling access

The importance of controlling who can access your data and services can’t be stressed enough. Without proper access control, you could leave your staff or company open to untold problems, data loss, theft, or breach of privacy being just a few. Not to mention the legal ramifications from not adhering to data protection laws.

Cyber essential – The Objective

The objective of Cyber Essentials is to ensure user accounts provide access to only those applications, networks and computers required for the user to perform their role. They ensure user accounts are assigned to authorised individuals only.

Access control – Cyber Essentials requirements

Cyber Essentials Certification requires that you control access to your data through user accounts. It also requires that administrative privileges are only given to those that need them and that what an administrator can do with those accounts are controlled.

Access is facilitated to every active user account in your organisation, this allows the use of devices, applications and sensitive business information. By ensuring that only authorised individuals have user accounts and are given limited access to the point at which they need it, you reduce the risk of information being stolen or damaged.

When accounts with special access privileges to devices, applications and information are compromised this can cause real problems, they can be exploited to facilitate large-scale corruption of information, unauthorised access to devices in the organisation and disruption to the business process.

For example:

Administrative Accounts

Such accounts typically allow the execution of software that can make severe security threatening changes to the operating system if in the wrong hands.

All types of Administrators will have such accounts, including Domain Administrators and Local Administrators. You must make revised decisions on who you allow the use of the privileged accounts. If a user opens a malicious email attachment, any associated malware is typically executed with the same privilege level of the account that the user is currently operating, meaning it could severely damage the infrastructure of the business altogether.

For example:

Lucy is logged into one of the administrative accounts, she opens a malicious email attachment, all associated malware is likely to need administrative privileges.

Unfortunately using Lucy’s administrative privileges, a type of malware known as ransomware encrypts all of the data on the network and then demands a ransom.

User access control

Applies to: Email, web and application servers; desktop computers, laptop computers, tablets and mobile phones.

Requirements under this technical control theme

If you’re seeking to apply for the Cyber Essentials accreditation then you must be in control of the user accounts and the privileges granted to each user account.

The applicant must have a user account creation and approval process, as well as to authenticate users before granting access to application devices using unique credentials. The applicant must remove or disable user accounts when no longer required, implement two-factor authentication, remove or disable special access privileges when no longer required, and use administrative accounts to perform administrative activities only.

Here at 4TC, we can help your business with all aspects of cybersecurity.

Our expertise covers a wide range of bases, from proactive maintenance and Backups to full-network anti-virus and managed anti-spam solutions.  We provide managed services, project management and advice to ensure the businesses we work with remain out-of-bounds to Cybercriminals.