Cyber Essentials Secure Settings Explained
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.
Check the settings
You should always check the settings of new software and devices and, where possible, make changes that raise your level of security. For example, disable or remove any functions, accounts, or services you do not need.
Your laptops, desktop computers, tablets, and smartphones contain your data, but they also store the details of the online accounts that you access. This means that both your devices and your accounts should always be password-protected. Passwords—when implemented correctly—are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy for you to remember but hard for somebody else to guess. Default passwords (like 'admin' and 'password') that come with new devices are the easiest of all for attackers to guess, so you must change all default passwords before devices are distributed and used. The use of PINs or touch-ID can also help secure your device. If you would like more information on choosing passwords, look at the NCSC’s password guidance.
For especially important accounts, such as banking and IT administration, you should use two-factor authentication (also known as 2FA, multi-factor authentication, or MFA). Examples of two-factor authentication include authorising the login through a smartphone app, or entering a verification code sent to you by text.
Secure Settings—What Cyber Essentials Requires
Cyber Essentials Certification requires that only necessary software, accounts, and apps are used.
This applies to: Desktop computers, laptop computers, tablets, mobile phones, firewalls, routers, and email, web, and application servers
Ensure that computers and network devices are properly configured to:
- Reduce the level of inherent vulnerabilities
- Provide only the services required to fulfil their role.
Computers and network devices are not always secure in their default configurations. Standard, out-of-the-box configurations often include one or more weak points such as:
- An administrative account with a predetermined, publicly known default password
- Pre-enabled but unnecessary user accounts (sometimes with special access privileges)
- Pre-installed but unnecessary applications or services.
Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information, often with ease.
By applying some simple technical controls when installing computers and network devices, you can minimise inherent vulnerabilities and increase protection against common types of cyber attack.
Requirements under this technical control theme
Computers and network devices
The applicant must be active in its management of computers and network devices. It must routinely:
- Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won't be used)
- Change any default or guessable account passwords to something more complex and secure
- Remove or disable unnecessary software (including applications, system utilities, and network services)
- Disable any auto-run feature that allows file execution without user authorisation (such as when they are downloaded from the internet)
- Authenticate users before allowing internet-based access to commercially or personally sensitive data, or data that is critical to the running of the organisation.