
How To Configure Routers To Comply With Cyber Essentials

OCM Engineers

Updated: 24 minutes ago

Cyber Essentials is a vital certification for demonstrating your organisation's commitment to cyber security. One crucial, often overlooked, aspect of compliance is your router – the gateway between your network and the internet. This post will break down everything you need to know about router security in plain English, helping you achieve and maintain Cyber Essentials certification.


Tip #1 - What's In, What's Out? Defining Your Network Boundary


The first step is understanding which routers fall under the scope of your Cyber Essentials assessment. This defines your network's "boundary."


  • In Scope:


    • Office Routers:  Any router in your office or shop that you control is definitely in scope. Even if your Internet Service Provider (ISP) supplied it, if you can change its settings, it's your responsibility.

    • Company-Provided Home Routers:  If your organisation provides routers to employees working from home, those routers are also in scope. You'll need to know the make and model of these.

    • Any router that is under the control of your organisation.


  • Out of Scope:


    • Home Routers (ISP-Provided): If your employees use their own ISP-provided routers at home, and your organisation doesn't control the router, those are generally out of scope. However, see the section on VPNs below.

    • Managed Office Routers (Beyond Your Control): If you're in a fully managed office space where the ISP or building management completely controls the router, and you cannot change its settings, it's likely out of scope.


The Key Point:  It's all about control. If you can configure the router, it's probably in scope. If you can't, it's probably not. You will need to list the make and model of all routers in scope.


Your Router: The First Line of Defence (Boundary Firewall)


Your router usually acts as your boundary firewall. Think of a firewall like a security guard at a gate. It checks incoming and outgoing traffic, blocking anything suspicious. This is a critical layer of protection for your entire network.


Tip #2 - VPNs: Shifting the Boundary (and the Issues)


Virtual Private Networks (VPNs) complicate things, but in a good way (if done right!). Here's the breakdown:


  • Corporate VPN (Back to the Office): This is the good kind for Cyber Essentials. When an employee working from home uses a company-provided VPN, it creates a secure, encrypted "tunnel" back to your office network. Essentially, it's like they're plugging their computer directly into the office network, even though they're miles away.


    • Boundary Shift:  The corporate VPN moves the internet boundary from the employee's home router to your office's firewall (or a virtual/cloud firewall that your company controls). This is excellent because you can then apply all your company's security policies to their connection.

    • Cyber Essentials:  A direct, single-tunnel corporate VPN is highly recommended for remote workers under Cyber Essentials.

    • Split Tunnel VPNs:  These are not considered secure; they do not shift the boundary to the corporate firewall.


  • Commercial VPN Services (e.g., NordVPN, ExpressVPN): These are great for personal privacy, but they don't help with Cyber Essentials compliance.


    • No Boundary Shift:  These services encrypt your traffic, but they don't move your organisation's internet boundary. You have no control over the firewall settings of a commercial VPN provider.

    • Not Sufficient:  Relying solely on a commercial VPN is not enough to meet Cyber Essentials requirements for your boundary firewall.


Why Commercial VPNs Might Not Be Compliant


The core issue is control. Cyber Essentials requires you to manage the firewall at the point where your network connects to the internet. Commercial VPNs use pre-configured firewalls that you don't control. While they offer encryption, they don't give you the necessary control over the boundary firewall.


Tip #3 - Configure Routers To Comply With Cyber Essentials: The Essential Steps


Now, let's get down to the practical steps for securing your in-scope routers:


  1. Change the Default Password (Immediately!): This is the most important step. Routers often come with default usernames and passwords (like "admin" and "password"). Hackers know these defaults! Change the administrator password immediately upon receiving the router, even if the router claims to have a unique pre-configured password. This also applies to the local admin password if relying on the device's software firewall.


  2. Strong Password Configuration:  The new password must be strong. Cyber Essentials offers a few acceptable options:


    • Multi-Factor Authentication (MFA):  This adds an extra layer of security (like a code from your phone), combined with a password of at least 8 characters.

    • Automatic Blocking of Common Passwords:  The system prevents users from choosing easily guessed passwords, combined with a password of at least 8 characters.

    • A Long Password:  A password of at least 12 characters.


  3. Document Your Password Change Process:  You need to be able to explain how you change the password on your routers and firewalls. This demonstrates you understand the process.


  4. Keep the Firewall Enabled:  This might seem obvious, but some routers have the firewall turned off by default. Make sure it's switched on and properly configured.


  5. Manage Open Ports:  Ports are like doorways in your firewall. By default, most should be closed. "Opening a port" allows specific types of traffic through.


    • Business Justification:  Any open port must have a documented business reason. Don't just open ports because someone asks; understand why it's needed.

    • Close Unnecessary Ports:  If a port is no longer needed, close it.

    • Default Open Ports:  Be extra careful with routers you buy separately (not from your ISP). Some have all ports open by default, which is a massive security risk.


  6. Firmware Updates:  Router firmware is like the router's operating system. Manufacturers release updates to fix security vulnerabilities.


    • 14-Day Rule:  You must install high-risk or critical security updates within 14 days of release. If auto update is an option, turn it on.

    • Supported Firmware:  Make sure your router's firmware is still supported by the manufacturer. Unsupported firmware is a major risk and can lead to an automatic Cyber Essentials fail.


  7. Block Unnecessary Services:  Your boundary firewall should be configured to block any services being advertised to the internet by default, unless there is a specific documented business requirement.


  8. Remote Configuration Access (If Needed):  If you must access your firewall settings over the internet (which is generally discouraged), you need extra protection:


    • Multi-Factor Authentication (MFA):  Highly recommended.

    • Trusted IP Addresses + Managed Authentication:  Restrict access to only specific, known IP addresses, combined with strong authentication.


  9. Inbound Firewall Rules: Review and confirm the rules allowing traffic into your network. Ensure each rule corresponds to a known and necessary device or service.


  10. Understand Firewall Access:  You must know how to access your firewall's settings and be able to change the administrator password if you suspect it's been compromised.
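
The checks in the steps above can be run against a simple router inventory. The script below is an added example, not part of the original post or any OCM tooling; the field names, device names and sample records are hypothetical and constructed for illustration, and the inventory records the admin password's length only, never the password itself.

```python
from datetime import date

def password_ok(length, mfa=False, deny_list=False):
    # Step 2: 12+ characters, or 8+ with MFA or common-password blocking.
    return length >= 12 or (length >= 8 and (mfa or deny_list))

def audit_router(r, today):
    """Return findings for one inventory record; an empty list means none."""
    f = []
    if r["default_password"]:
        f.append("default admin password still in use")
    if not password_ok(r["pw_length"], r["mfa"], r["pw_deny_list"]):
        f.append("admin password meets none of the accepted options")
    if not r["firewall_enabled"]:
        f.append("firewall is switched off")
    for port, reason in sorted(r["open_ports"].items()):
        if not reason.strip():
            f.append(f"port {port} open with no documented business reason")
    if not r["firmware_supported"]:
        f.append("firmware no longer supported by the manufacturer")
    for name, released in r["critical_updates_pending"].items():
        if (today - released).days > 14:
            f.append(f"critical update {name} not installed within 14 days")
    if r["remote_admin"] and not (r["mfa"] or r["admin_allow_ips"]):
        f.append("remote admin reachable without MFA or trusted-IP restriction")
    return f

# Constructed sample inventory (hypothetical devices and field names).
BASE = {"default_password": False, "pw_length": 14, "mfa": False,
        "pw_deny_list": False, "firewall_enabled": True, "open_ports": {},
        "firmware_supported": True, "critical_updates_pending": {},
        "remote_admin": False, "admin_allow_ips": []}
INVENTORY = [
    {**BASE, "name": "office-router", "open_ports": {443: "customer portal"}},
    {**BASE, "name": "home-router-01", "pw_length": 9,
     "open_ports": {3389: ""}, "remote_admin": True,
     "critical_updates_pending": {"fw-update-A": date(2024, 1, 1)}},
]

def audit_all(inventory, today):
    return {r["name"]: audit_router(r, today) for r in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, date(2024, 1, 20)).items():
        print(name, "OK" if not findings else findings)
```

Keeping the business reason next to each open port in the inventory also gives you the documentation an assessor will ask for.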


Home Routers (If Supplied by the Business):


If your organisation supplies routers to home workers, all the above steps apply. You need to ensure these routers are configured securely, just like your office routers.


In Summary


Securing your routers is fundamental to Cyber Essentials compliance. By understanding the scope, the role of VPNs, and how to configure routers to comply with Cyber Essentials, you can significantly improve your organisation's cyber security posture and protect your valuable data. Don't be afraid to ask your IT support or a cyber security consultant for help if any of this is unclear. They can guide you through the process and ensure you're fully compliant. OCM provide Cyber Essentials certification as an approved Certification Body. If you have questions or need help then :-



About the Author – OCM Engineers


Hi, I’m an OCM Engineer, part of the expert team at OCM Communications, where we specialise in IT support and solutions, AI, network infrastructure, and cybersecurity with compliance. Our mission is to help businesses stay connected, secure, and efficient by providing insightful advice, practical solutions, and the latest industry updates.


With a BSc in Computing and Law and 30+ years of experience in designing, implementing, and supporting business systems, I bring extensive expertise backed by Microsoft and Google certifications and lead Cyber Essentials Assessor credentials. I’m passionate about making complex technology accessible for businesses of all sizes. Whether it’s optimising your network, strengthening security, or harnessing AI tools, I’m here to share knowledge and guide you through the evolving world of business technology.


Need tailored solutions or have questions? Get in touch – we’re here to help!
