Introduction
Keeping devices secure with vendor-provided updates is a key part of cyber security best practice. It helps prevent unauthorised access and helps keep devices safe from harm. Whether pursuing Cyber Essentials, Cyber Essentials Plus, or just looking to be secure, applying security updates is a crucial step.
Why Security Updates Are Important
Devices that run software can contain security flaws, known as vulnerabilities. Vulnerabilities are discovered regularly. Once discovered, malicious individuals can misuse (or exploit) the vulnerabilities and find ways to attack computers and networks. Vendors therefore provide regular updates and guidance to fix these weaknesses. Vendors in turn rely on other parties to ensure the fixes are applied in a timely manner.
Security Updates in Cyber Essentials
To meet Cyber Essentials certification requirements, organisations must ensure:
- Software is licensed and supported, so that it has access to security updates
- Devices that are no longer in support are removed or moved to a sub-set, to reduce risk
- Automatic updates are enabled where possible, to help automate and ensure updates are applied
- Updates or manual configuration changes are applied within 14 days where they address critical/high risk vulnerabilities, or where the vendor provides no details of the risk, so that the riskiest weaknesses are addressed within a reasonable amount of time
Considerations and Key Notes
When reviewing security updates for your organisation, please consider:
- Enabling automatic updates on operating systems and applications – this reduces manual activity and speeds up patching, but does not fully remove the need for manual processes
- Updating applications, malware protection software, email clients and browsers – these are important to keep devices and data secure
- 14 days is the maximum time to apply updates for Cyber Essentials – sooner is better, as devices are exposed to the vulnerabilities in the meantime
Key Notes
- Cyber Essentials uses the Common Vulnerability Scoring System (CVSS) version 3 and considers vulnerabilities with a base score of 7 or above as being high/critical risk
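The 14-day limit and the CVSS threshold described above can be checked against an update inventory. The following is an added example, not part of the original article or of any Cyber Essentials tooling; the record fields, status names and sample data are constructed, and it assumes the 14 days run from the vendor's release date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # maximum time Cyber Essentials allows
HIGH_RISK = 7.0                    # CVSS v3 base score counted as high/critical

@dataclass
class Update:                      # hypothetical record, e.g. an MDM or scanner export
    device: str
    software: str
    released: date                 # assumption: the 14 days run from vendor release
    cvss_v3: Optional[float]       # None = vendor gave no details of the risk
    installed: Optional[date]      # None = not applied yet
    supported: bool = True         # False = software is out of vendor support

def assess(u: Update, today: date):
    """Return (status, deadline) for one update as of `today`."""
    if not u.supported:
        return "UNSUPPORTED", None     # remove it or move it to a sub-set
    if u.cvss_v3 is not None and u.cvss_v3 < HIGH_RISK:
        return "LOWER_RISK", None      # scored below 7: outside the 14-day rule
    deadline = u.released + PATCH_WINDOW
    if u.installed is not None:
        return ("COMPLIANT" if u.installed <= deadline else "LATE"), deadline
    return ("DUE" if today <= deadline else "OVERDUE"), deadline

def action_list(updates, today):
    """Items needing attention, most urgent first."""
    order = {"OVERDUE": 0, "UNSUPPORTED": 1, "DUE": 2}
    rows = [(assess(u, today)[0], u.device, u.software) for u in updates]
    return sorted((r for r in rows if r[0] in order), key=lambda r: order[r[0]])

# Constructed sample inventory (not real data)
SAMPLE = [
    Update("laptop-01", "browser", date(2024, 3, 1), 8.8, date(2024, 3, 15)),
    Update("laptop-02", "browser", date(2024, 3, 1), 8.8, None),
    Update("router-01", "firmware", date(2024, 3, 10), None, None),
    Update("pc-07", "pdf reader", date(2024, 3, 1), 5.3, None),
    Update("pc-09", "legacy OS", date(2024, 1, 9), 9.8, None, supported=False),
]

if __name__ == "__main__":
    for status, device, software in action_list(SAMPLE, date(2024, 3, 20)):
        print(f"{status:12} {device:10} {software}")
```

Updates with no vendor severity information are treated the same as high/critical ones, so a missing score never exempts an update from the 14-day limit.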
Example Scenario
Organisation ABC uses software that is supported by the vendor:
- For Organisation ABC, no out-of-support software is in use and the focus is on security updates
- Security updates are applied within 14 days – operating systems, applications, email server/client, browsers, firmware on network equipment, malware protection
- Automatic updates are enabled (where possible) and a manual check is carried out to ensure all updates have taken effect
- A mobile device management (MDM) solution and a vulnerability assessment tool are considered to automate and speed up processes – this requires investment and is put on the roadmap
- Software lifecycle is monitored to ensure continuity of support from the vendor – plans can be put in place to address and upgrade operating systems/applications before support ends
Tips and Recommendations
- Having a way to monitor the lifecycle of operating systems and applications should help avoid end-of-support issues
- Removing or retiring operating systems and software that are out of support helps reduce risk
- If there’s a business need to use out-of-support software, document the risk and take action to reduce risk through use of a sub-set
- Consider guidance and support from an NCSC Cyber Advisor for implementation of the technical controls
For more detailed guidance, review the IT Requirement for Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.
How We Help
At RB Consultancy Ltd, we support organisations in their desire to improve cyber security and also to meet Cyber Essentials and Cyber Essentials Plus requirements:
- We explain the importance of security updates
- We help ensure security updates are being applied in a timely manner
- We explain why the Cyber Essentials questions are being asked and how they intend to protect organisations in different ways
- We ensure security update settings and processes align with Cyber Essentials guidelines
- We assess and issue organisations with Cyber Essentials and Cyber Essentials Plus certifications
Conclusion
Security updates are a critical component of cyber security and Cyber Essentials certification. Out-of-date software can leave your organisation vulnerable. By implementing best practices and ensuring compliance with Cyber Essentials technical controls, organisations can significantly reduce cyber risk. If you would like assistance with security update configuration, or Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.