Cyber Essentials – Step 2 Explained

Step 2 to Cyber Essentials

Secure configuration: Default configurations are often vulnerable, and devices should only offer the services necessary to fulfil their intended role.

What does this mean…?

Failure to manage the configuration of your systems and servers can lead to a wide variety of security issues.

If the configuration of these devices is not controlled, it is easy for a cyber attacker to manipulate and detect vulnerabilities with common security scanning tools.

Once detected, vulnerabilities can be exploited very quickly and result in a compromise of a system or internally hosted servers, such as webservers, database servers and possible access to the corporate network.

What can we do to help reduce this risk…?

  • Develop a consistent software installation and configuration management process or system. This should be supported by documented corporate policies and procedures.
  • Remove or disable unnecessary functionality from ICT systems, and keep them patched to eliminate known vulnerabilities.
  • Avoid using default passwords for your systems and devices.
  • Don’t install unnecessary software on networks and servers.
  • Assign proper file and directory permissions, and remove unnecessary access privileges from user accounts.
  • Don’t auto-run features that are enabled without first obtaining administrator consent as these can activate the installation of malware.
  • Install personal firewalls on all devices, including mobile devices.
  • Review and update your configuration management system frequently.


Cyber Essential certified body - securious

If you need further guidance with Cyber Essentials, please feel free to get in touch, and find out how this Government Scheme can help with protecting your organisation.