We are very pleased to announce that we have been granted a Cyber Essentials certificate. This is a significant step forward for JC designs.
What is Cyber Essentials?
Cyber Essentials helps us to guard against the most common cyber threats and shows our commitment to cyber security.
To gain the Cyber Security Essentials certificate, there are 5 technical controls that need to be demonstrated:
Secure internet connections
Using a firewall to secure your internet connection effectively creates a ‘buffer zone’ between the IT network and other, external networks. The firewall acts as a buffer so that incoming traffic can be analysed to assess whether or not it should be allowed onto the network.
Securing all devices and software
It is essential to choose the most secure settings for devices and software. Most manufacturers set default configurations on devices and software to be as open and as multi-functional as possible; to make them easily connectable and usable, they come with ‘everything on’. Unfortunately, these settings can provide opportunities for cyber attackers to gain unauthorised access to data.
So we make sure all settings are checked and passwords are updated and encrypted, and we ensure extra security is added on ‘important’ accounts.
Controlling who has access to data and services
Access to software, settings for online services and device connectivity should only be given to staff that need access, and should be set adequately for them to do their job. Extra permissions should only be given to individuals that actually need them. This minimises potential damage and any risk if an account is misused.
- Admin accounts – accounts with admin access should only be used to perform administrative tasks.
- Standard accounts should be used for general work. Ensuring your staff don’t browse the web or check emails from an account with administrative privileges means you can reduce the chance that an admin account will be compromised. An attacker with unauthorised access to an administrative account can be much more damaging than one accessing a standard user account.
Protection from viruses and malware
Malicious software makes the systems or data it has infected unusable. An example of malware is ransomware, where the attacker demands payment from the victim; after the ransom is paid, the systems are made available again.
Malware is also known as a ‘virus’: a program designed to infect legitimate software, passing unnoticed between machines whenever it can.
Where does malware come from?
Malware can come from opening an infected email attachment, browsing a malicious website, or using a removable storage drive, such as a USB memory stick, that has been infected.
Defending against malware.
- Anti-malware measures are often included for free within popular operating systems, and these can be used on all your computers and laptops. Smartphones and tablets should be kept up to date and password protected, and the ability to track and erase lost devices should be switched on. Try to avoid connecting to unknown Wi-Fi networks; this will help keep your devices free of malware too.
- Whitelisting is used to prevent the installation and running of applications that may contain malware. An administrator is responsible for creating a list of applications allowed on a device and any application not on the list will be blocked. Whitelisting works even if the malware is undetectable to anti-virus software and requires little maintenance.
- Sandboxing. Where possible, use applications that support sandboxing. A sandboxed application is run in an isolated environment with very restricted access to the rest of your devices and network. This means your files and other applications are kept beyond the reach of malware.
Keeping all devices and software up to date
It is essential that all your devices are kept up to date at all times. This is true for both operating systems and installed apps or software. Updating is quick, free and easy to do.
At the end of January we will be applying for Cyber Essentials Plus. This will involve internal network scanning, on-site assessment and scanning by a third-party assessor.