As a Cyber Essentials certification body ensuring that we configure laptops to meet Cyber Essentials requirements is vital to protecting sensitive data and preventing cyber threats.
In this blog post, we detail how to configure laptops to comply with all five technical requirements of Cyber Essentials: firewalls, secure configuration, user access control, malware protection, and security updates.
Tip #1 - Firewall
Every laptop must be protected by a correctly configured firewall. Most laptop operating systems come with a built-in software firewall—ensure that it is enabled at all times. This is particularly important when laptops are used on untrusted networks, such as public Wi-Fi hotspots. A robust software firewall helps to block unauthorised access and safeguard your device from external threats.
Ensure that Firewall settings can only be changed by an administrator account on the device, NOT the everyday user account.
Tip #2 - Securely Configure Laptops to Meet Cyber Essentials Requirements
Laptops should be configured to reduce vulnerabilities by only providing the services that are absolutely necessary. Key steps include:
User Accounts: Remove or disable unnecessary user accounts and change any default passwords.
Software: Uninstall or disable any software that is not required. Disable auto-run functions to prevent the automatic execution of unwanted applications.
Access Controls: Authenticate users before granting access to data and services. Use device locking controls that require a user’s presence. For unlocking the device, use a minimum PIN or password of at least six characters. If these credentials are also used for broader authentication to data and services then enable multi factor authentication along with a unique password with at least 8 characters. Without MFA, ensure a minimum password length of at least 12 characters with a deny list of commonly used passwords.
Account Management: Regularly review and remove any unused accounts from both local devices and cloud services.
Allow only dedicated administrator accounts to make changes to the laptop configuration.
By securing the configuration, you minimise potential vulnerabilities and ensure only the necessary services are active.
Tip #3 - Security Update Management
Keeping software up-to-date is critical in addressing known security issues:
Licensing and Support: Ensure all software installed on the laptop is both licensed and supported.
Removal of Unsupported Software: Remove or disable software that is no longer supported.
Automatic Updates: Where possible, configure automatic updates to ensure the software is patched as soon as new fixes are available.
Critical or high-risk updates must be applied within 14 days of release.
.
Regular updates are essential to keep your system resilient against emerging threats.
Tip #4 - User Access Control
Strict control of user access is necessary to ensure that only authorised individuals have access to the system:
Approval Process: Implement an approval process before granting user accounts.
Least Privilege: Ensure users only have access to the applications, systems, and networks required for their role. If their role changes review access and implement changes maintaining least privilege.
Unique Credentials: All devices should require a unique username and password to prevent unauthorised access.
Password Quality: Apply technical controls to enforce strong password policies and enable multi-factor authentication (MFA) wherever possible.
Compromise Response: Have clear procedures in place for when passwords are compromised, and protect external services from brute force attacks through throttling or account locking mechanisms.
By enforcing these measures, you create a secure environment that mitigates risks associated with unauthorised access.
Tip #5 - Malware Protection
Effective malware protection is essential for any secure laptop configuration:
Anti-Malware Software: Utilise anti-malware software that is regularly updated in line with vendor recommendations. This software should be able to prevent malware execution, block malicious code, and stop connections to harmful websites.
Microsoft Windows and Apple Macs have built in anti-malware solutions (Free) that are compliant if configured correctly.
Tip #6 - Bring Your Own Devices ( BYOD)
User-owned devices, including laptops, are in scope if they connect to organisational networks or cloud services, such as Microsoft 365 or Google Workspace.
Key steps in identifying BYOD devices in scope include:
Determining if staff use their own devices to access applicant organisations data and services.
Recommendation :- Create an asset register that itemises all internet-connected devices, software, and cloud services used by the business. This register should include devices owned by employees, volunteers, trustees, governors, or contractors that access work emails and/or cloud services. Most businesses use at least one or two mobile phones for email.
Ensure the scope description includes all devices that contain or can access organisational data and services, including BYOD devices.
You will include the quantities of tablets and mobile devices within the scope of the assessment, including make and operating system versions for all devices.
Ensure that BYOD devices are configured correctly if they interact with organisational services and data.
Writing and enforcing a BYOD policy that addresses the use of personal devices that connect to organisational networks, whether physical or cloud services. The policy should address which apps are of concern.
Ensuring all devices have a supported operating system.
Confirming all devices are still capable of receiving regular firmware updates.
It should be noted that student BYOD is treated as an exception. Student BYOD devices are out of scope for Cyber Essentials as long as they are on the student network and do not connect to in-scope school networks.
Conclusion
If you configure laptops to meet Cyber Essentials requirements across your organisation you will not only help your business achieve Cyber Essentials certification but also significantly enhance the overall security posture. Remember, it is always advisable to conduct regular audits and consult with security professionals to ensure ongoing compliance and protection against evolving cyber threats.
Just click the button below.
留言