Last updated on April 3, 2024
Achieving Cyber Essentials Plus compliance is a breeze using Rublon’s Multi-Factor Authentication (MFA) for Remote Access. Here’s how it works.
Cyber Essentials is a UK government-backed scheme that helps organizations protect themselves against common cyber attacks. It sets out five technical controls that organizations should implement to achieve a basic level of cyber security. These are:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Patch management
Cyber Essentials Plus is a higher level of certification that requires an independent assessment of the organization’s implementation of the Cyber Essentials controls. It provides a greater assurance that the company has addressed the most common cyber threats and has a robust cyber security posture.
One of the key challenges that organizations face when applying for Cyber Essentials Plus is how to secure their remote access systems. Remote access allows employees, contractors, and third parties to access the organization’s network and resources from anywhere, using devices such as laptops, tablets, or smartphones. This can improve productivity, flexibility, and collaboration, but it also introduces significant risks.

Remote Access Risks
Remote access can expose the organization to cyber attacks such as:
- Phishing. A fraudulent attempt to obtain sensitive information such as usernames, passwords, or credit card details by impersonating a legitimate entity via email, phone, or text message.
- Brute force. A trial-and-error method of guessing passwords or encryption keys by trying many possible combinations until the correct one is found.
- Man-in-the-middle. An attack where a malicious actor intercepts and alters the communication between two parties without their knowledge, such as by redirecting them to a fake website or injecting malicious code into their data.
- Ransomware. A type of malware that encrypts the victim’s files or locks their device and demands a ransom for their restoration.
- Data breach. Unauthorized access to or disclosure of confidential or sensitive information, such as customer records, financial data, or intellectual property.
To prevent these attacks and achieve Cyber Essentials Plus certification, organizations need to implement strong security measures for their remote access systems. One of the most effective and recommended measures is multi-factor authentication (MFA).
How MFA Helps Achieve Cyber Essentials Plus Certification
Multi-Factor Authentication (MFA) is a method of verifying the identity of a user by requiring two or more pieces of evidence (or factors) before granting access. These factors are typically something the user knows (such as a password or a PIN), something the user has (such as a token or a smartphone), and something the user is (such as a fingerprint or a face scan).
MFA works by adding an extra layer of security to the login process. For example, after entering their username and password, the user has to enter a one-time code sent to their phone or email, scan their fingerprint, or use an app on their device. The user can access the system only after they provide the correct second factor.
Multi-Factor Authentication (MFA) makes it much harder for attackers to compromise remote access systems. This is because they would need to obtain not only the user’s credentials but also their device or biometric data. This reduces the risk of phishing, brute force, man-in-the-middle, ransomware, and data breach attacks.
How to Implement MFA for Remote Access Systems?
There are different ways to implement MFA for remote access systems, depending on the type of system, the level of security required, and the user experience desired. Some of the common methods are:
- SMS-based MFA. The user receives a text message with a one-time code that they need to enter along with their password. This method is easy to use and widely supported. It relies on the availability and security of the mobile network and the user’s phone.
- Email-based MFA. The user receives an email with a one-time code to enter or a link to click, in addition to entering their password. This method is easy to use and widely supported, too. It relies on the availability and security of the email service and the user’s device.
- App-based MFA. The user uses an app on their device (such as Google Authenticator or Microsoft Authenticator) that generates a one-time code to enter or sends a push notification to approve, in addition to entering their password. This method is more secure and reliable than SMS-based or email-based MFA. However, it requires the user to install and configure the app on their device.
- Hardware-based MFA. The user uses a physical device (such as a FIDO key or a smart card) that they need to insert or tap along with their password. This method is very secure and reliable, but it requires the user to carry and maintain the device.
- Biometric-based MFA. The user uses their biometric data (such as their fingerprint or face scan) along with their password. This method is very secure and convenient, but it requires the user’s device to have biometric sensors and software.
How to Select the Best MFA Method for Cyber Essentials Plus
The choice of MFA method depends on various factors such as:
- The type of remote access system: Some systems may support only certain MFA methods or require specific configurations or integrations. For example, some VPNs may require the use of hardware-based MFA, while some cloud services may support app-based MFA.
- The level of security required: Some MFA methods are more secure than others, depending on the strength of the factors and the protection of the communication channels. For example, hardware-based MFA is more secure than SMS-based MFA, but it may also be more costly and cumbersome.
- The user experience desired: Some MFA methods are more user-friendly than others, depending on the ease of use and the frequency of authentication. For example, biometric-based MFA is more convenient than email-based MFA, but it may also be less compatible and consistent.
The best practice for implementing MFA for remote access systems is to use a combination of different methods that suit the needs and preferences of the company and the users. For example, an organization may use app-based MFA as the default method for most users but also offer hardware-based MFA as an option for users who need higher security or do not have smartphones.
The best MFA providers, such as Rublon MFA, allow companies to choose their own set of authentication methods from multiple available options. Rublon Administrators can use Policy-Based Access Control (PBAC) policies to modify the availability of the methods as well as other security controls.
How to Achieve Cyber Essentials Plus With MFA?
To achieve Cyber Essentials Plus certification, organizations need to demonstrate that they have implemented the Cyber Essentials controls effectively and consistently across their IT infrastructure. This includes their remote access systems, which need to meet the following requirements:
- Firewalls. Remote access systems should be protected by firewalls that prevent unauthorized access and filter malicious traffic. Firewalls should be configured to allow only the minimum necessary ports and protocols for remote access and to block any known or suspicious sources of attacks.
- Secure configuration. Remote access systems should be configured securely to reduce the attack surface and prevent exploitation. This includes disabling unnecessary services and features, enforcing strong password policies and encryption standards, applying security patches and updates regularly, and removing any default or unused accounts or credentials.
- User access control. Remote access systems should have user access control mechanisms that limit the access rights and privileges of users based on their roles and responsibilities. Users should only have access to the resources they need to perform their tasks and should not be able to share or transfer their access with others. Users should also be required to authenticate themselves before accessing the system using MFA.
- Malware protection. Remote access systems should have malware protection software that detects and removes any malicious software that may infect the system or compromise its security. Malware protection software should be updated frequently with the latest virus definitions and signatures and should scan the system regularly for any signs of infection.
- Patch management. Remote access systems should have patch management processes that ensure that any security vulnerabilities or bugs in the system are fixed as soon as possible. Patches should be tested before deployment and applied in a timely manner to avoid exposing the system to potential attacks.
How the Assessment Body Verifies Cyber Essentials Plus Requirements
To verify that it meets the requirements, an organization needs to undergo an independent assessment by a Cyber Essentials Plus certification body. The assessment involves a technical audit of the organization’s IT infrastructure, including its remote access systems, as well as a vulnerability scan and a simulated attack test. The assessment aims to check whether the company has implemented the Cyber Essentials controls correctly and whether those controls can withstand common cyber attacks.
MFA Can Help You Pass Cyber Essentials Plus Assessment
If the organization passes the assessment, they will receive a Cyber Essentials Plus certificate that validates their cyber security level and provides them with various benefits, such as:
- Improved reputation and trust. Cyber Essentials Plus certification demonstrates to customers, partners, suppliers, regulators, and investors that the organization takes cyber security seriously and has taken steps to protect their data and systems.
- Reduced risk and cost. Cyber Essentials Plus certification reduces the likelihood and impact of cyber attacks on the company’s operations, reputation, and finances. It also helps them comply with legal and regulatory obligations, such as the General Data Protection Regulation (GDPR) or the Network and Information Systems (NIS) Directive.
- Increased competitiveness and opportunities. Cyber Essentials Plus certification gives the organization a competitive edge in the market and enables them to bid for contracts that require a high level of cyber security, such as government or defense contracts.
How Rublon Meets the Requirements for MFA in Cyber Essentials Plus

One of the requirements for MFA in Cyber Essentials Plus is to ensure that only authorized users can access your systems and data. This means that you need to implement MFA for all remote access services (such as VPNs or cloud services), administrative accounts (such as system administrators or privileged users), and any other accounts that have access to sensitive or critical data. Rublon MFA can help you meet this requirement by providing strong multi-factor authentication and protection for your authentication data, preventing unauthorized access from stolen or compromised credentials, and complying with industry standards and best practices for MFA.
Rublon MFA protects remote access to services and applications such as:
- Virtual private networks (VPN)
- Remote Desktop Connection (RDP)
- Remote Desktop Web Client (RD Web Client)
- Remote Desktop Web Access (RD Web Access)
- Remote Desktop Gateway (RD Gateway)
- Outlook Web App (OWA)
- And more!
If you are interested in protecting your remote access systems with MFA to achieve Cyber Essentials Plus certification, Rublon MFA is a perfect choice. We are an ISO27001-certified multi-factor authentication provider with years of experience. We can help you implement the best MFA solution for your organization.
Conclusion
Cyber Essentials Plus is a valuable certification that helps organizations improve their cyber security posture and protect their remote access systems from common cyber threats. To achieve Cyber Essentials Plus certification, organizations need to implement strong security measures for their remote access systems, such as multi-factor authentication (MFA).
There are different ways to implement MFA for remote access systems depending on the type of system, the level of security required, and the user experience desired. The best practice is to use a combination of different methods that suit the needs and preferences of the organization and the users.
To verify that they have implemented MFA and other Cyber Essentials controls effectively and consistently across their IT infrastructure, organizations need to undergo an independent assessment by a Cyber Essentials Plus certification body. If they pass the assessment, they will receive a Cyber Essentials Plus certificate that validates their cyber security level and provides them with various benefits, such as improved reputation and trust, reduced risk and cost, and increased competitiveness and opportunities.