What You Need To Know
All computers and network devices within a business should be configured properly. Computers and network devices left in their ‘out-of-the-box’ configuration cannot be classed as secure because of the default settings that come with them. An example of this is a predefined username and password for the administrator account when a device is set up. This makes it very easy for cyber attackers to gain access to the devices and all the information stored on them.
Secure Configuration sits across everything you do with information systems, including the other controls that comprise the Cyber Essentials scheme. The premise is that you should not rely on a piece of software or hardware being configured correctly ‘out-of-the-box’ for your needs or environment. The settings should be customised to provide the security and protection that your organisation requires.
All unnecessary user accounts should be removed or disabled. This includes any guest accounts that the business has created and any old accounts the business still has on the system, such as those of staff who have left or been dismissed.
All default passwords should be changed immediately by the owner of the account and should follow these guidelines:
- The longer the password the better; a password of 12 characters or more is suggested.
- Avoid using memorable words; these include names, places and any words that can be found in the dictionary.
- Make the password a mix of lower case, upper case, digits and special characters.
- Do not use the same password for everything; use a different password every time.
All these tips and more can be found in our guide to creating a safe password.
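The four guidelines above can be checked automatically whenever a password is set. The following is an added example, not part of the original guidance; the sample word list, the character-swap table and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12  # minimum length suggested in the guidelines above

# Constructed sample list; a real check would load a full dictionary
# plus names and places.
SAMPLE_WORDS = {"password", "summer", "london", "admin", "welcome"}

# Reverse common character swaps (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s).
UNSWAP = str.maketrans("013457@$", "oleastas")


def check_password(password, words=SAMPLE_WORDS):
    """Return the guideline violations for one password (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    classes = {
        "lower case": any(c.islower() for c in password),
        "upper case": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    # Compare against the word list after undoing swaps, so "P@ssw0rd" still matches.
    folded = password.lower().translate(UNSWAP)
    hits = sorted(w for w in words if w in folded)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    return problems


def audit(accounts, words=SAMPLE_WORDS):
    """Check every account's password and flag any password used twice."""
    key = os.urandom(32)  # per-run key: only keyed digests are compared
    seen, report = {}, {}
    for name, password in accounts.items():
        problems = check_password(password, words)
        digest = hmac.new(key, password.encode(), hashlib.sha256).digest()
        if digest in seen:
            problems.append("same password as " + seen[digest])
        else:
            seen[digest] = name
        report[name] = problems
    return report
```

A password that satisfies the length and character-mix rules can still fail the dictionary rule, which is why the check undoes common letter-for-symbol swaps before comparing.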
All unnecessary software that has been installed or came with the computers should be removed. This includes applications, system utilities and network services.
All computers should have the ‘auto-run’ functionality disabled to stop any malicious programs running without the consent of the user.