The Essential IT Security Checklist, Part 1: Cyber Essentials


Did you know that over 30% of UK businesses suffered a cyberattack during 2019?

For medium and large businesses, that figure doubles to a whopping 60%. Even charities aren’t immune to IT security threats, with over half of high-income charities reporting cyberattacks during 2019.

Here at Get Support, we work with businesses of all sizes, so we see the impact of these cyber threats every single day. From the opportunity cost of lost data to the resources required to deal with breaches, IT security attacks can be devastating for any business. Luckily, there is plenty you can do to help protect your business against these attacks. Sometimes even the simplest of measures can be enough to prevent a costly breach.

In this first part of a two-part series, we’ll share with you the five key areas you should be focusing on to keep your business safe from the most common cyberattacks in the UK. Even better, we’ll align our advice with the Cyber Essentials certification program, so you know you’re in line with the latest official advice.

And, because it’s Get Support, we’ll explain it all in plain English – guaranteed.

Let’s get started.

A quick introduction to Cyber Essentials

Before we jump into the practical advice, let’s take a moment to explain Cyber Essentials.

In a nutshell, Cyber Essentials is a certification program operated by the National Cyber Security Centre (NCSC). Once certified, your business will be given a badge to display on your website which lets your customers know you’re serious about IT security.

Cyber Essentials is available in two flavours:

  • Cyber Essentials is a self-assessment of a company’s systems which is independently verified.
  • Cyber Essentials Plus is an assessment of a company’s systems which is carried out by a certifying body.

The Cyber Essentials certification is broken down into five categories, each of which covers a different aspect of IT security.

If you don’t have the time or the inclination to get certified right now, don’t worry, because we’ve compiled our team’s expert advice on each of the five areas covered by Cyber Essentials.

Ready to tighten up your IT security? Here’s what you need to know.

1. Network security

The first step in optimising your company’s IT security should always be network security. After all, your network is the door through which almost every attack arrives; you can’t simply close it without closing the business, so the job is to control what passes through it.

Let’s begin with the basics of network security:

  • Install a firewall. Essentially the digital security guard for your business, the firewall decides what gets in, and what gets out. It’s the first, and potentially most important, aspect of network security.
  • Offer a guest Wi-Fi network. It’s tempting to hand out your Wi-Fi passwords when people visit your office, but this is a security risk. Instead, create a siloed guest network for them to connect to.
  • Ensure remote connections are secure. With working from home more popular than ever, it’s essential that staff accessing your internal network from outside are doing so securely.

Want to take network security to the next level? Here are some of our advanced recommendations:

  • Monitoring and logging of network traffic. If the worst should happen, you want to be able to trace it back to the source. With monitoring and logging kept for a sensible retention period, you can do just that.
  • Restrict or filter certain network traffic. Some risks are easiest to manage by not exposing staff to them at all. Your staff might not be huge fans of the idea, but restricting access to high-risk categories of websites (and to services your business has no need for) removes a whole class of problems before they start.

2. Secure Configuration

This category is all about setting up your hardware and devices in the most secure way possible. A critical data breach can happen as the result of something as simple as a weak password – so this stuff really matters.

Here’s what your business should be doing:

  • Configuring each device’s internal security settings. Whenever you assign a new laptop, smartphone, or other device to your staff, you should first ensure the basics are covered. This means changing default passwords, configuring built-in firewalls, and so on.
  • Restricting admin rights on local machines. By default, most computer users – especially on Windows machines – have administrator permissions on their account. This means they (and any malware running as them) can make deep-level changes across the whole device. If you want total device security, give everyday accounts standard-user rights and keep a separate administrator account for the rare occasions it’s needed.

3. User Access Control

Just like your house or car keys, your user passwords and other login security concerns are critical to maintaining security.

Lose any one of these and you could be open to attack, so it’s no surprise that poor user access control is one of the most common reasons for cyberattacks. But don’t worry – there’s plenty you can do to stay safe.

  • Establish a password convention policy. Sorry, but ‘opensesame’ and ‘letmein’ just aren’t going to cut it here. By implementing a password policy, you can be sure your team’s passwords meet a basic level of security. Need an additional layer of protection? Ask your team to use password managers, too.
  • IP address access restrictions. When allowing remote connections, one excellent way to prevent unwanted visitors is to use a list of approved IP addresses. If anyone without one of these IP addresses tries to get in, it’ll be no dice.
  • Deploy a policy for employee exits. Here’s something a lot of businesses forget to do: remove all access rights as soon as an employee leaves the company. Establish a process for removing accounts, restoring hardware, and closing any remote connections.

There’s so much more to say about user access control that we can’t fit it all on this list – but here’s one advanced tip to consider:

  • Multi-factor authentication. We all have a smartphone in our pocket these days, so why not use it as an authentication tool? You probably already do this with various digital platforms, so it’s a good idea to bring it into your business too. With MFA, a stolen or guessed password is no longer enough on its own to get into your internal systems, which closes off the most common route attackers take.

4. Malware Protection

When most people think of IT security, viruses are the first thing that jumps to mind, and while attacks like these have become rarer over the years, they still happen. In addition, malicious software (malware) can trick unsuspecting users into installing it – then wreak havoc with your systems.

Here’s how to stay on top of your malware and virus protection:

  • Install anti-virus software across all platforms. The advice may seem obvious, but you’d be surprised how many businesses operate without virus protection.
  • Deploy email filters. Phishing attacks happen all the time, and they’re not always easy to spot. To help prevent one of your staff members being fooled, it’s a good idea to deploy email filtering to catch suspect mail before it hits their inbox. Need more help? Check out our guide to email security.

5. Patch Management

When it comes to software updates, IT departments can sometimes feel like they’re chasing their tails. Why? Because attackers are always finding new ways to exploit outdated software. If your business doesn’t keep up with patches and updates, it’s often only a matter of time until someone gains access to your systems through a known, unpatched vulnerability in one of your apps.

Here’s how to stop that from happening:

  • Deploy patch management software. Part of the problem of maintaining software patches is simply remembering to perform the updates. You can solve this elegantly (and effortlessly) by installing patch management software which takes care of it all for you, and which reports on any device that has fallen behind.
  • Employ a zero end-of-life policy. Another effective way to prevent attacks via outdated software is to implement a policy whereby your business won’t use any end-of-life software or devices, since these no longer receive security fixes at all. So, for example, you wouldn’t allow the use of laptops running Windows XP or Windows 7.

Is your business cyber-secure?

In part two of this series, we’ll go beyond Cyber Essentials, and offer some more in-depth advice about other areas where your business could improve its IT security. And, because it’s Get Support, it’s always delivered in plain English.

We know there’s a lot to take in here (and we didn’t even include everything), so if you’d like to talk through how to implement any of this IT security advice, we’re here to help. In fact, most of these options are included in our support agreements as standard.

The team of IT security experts here at Get Support will help develop and deploy a cybersecurity plan tailored to the needs of your particular business.

Get started today by calling 01865 59 4000.
