The Five Core Controls of Cyber Essentials – Access Control

Is it true that just 5 technical controls can help prevent most cyber attacks? What are these cyber security essentials and how do they work? Over #CyberSecurityAwarenessMonth we will explore each of the five controls in separate blog posts to find out more.

Control who can access your data and services and what level of access they have.

By creating accounts with different levels of access and privilege, you limit the damage that either accidents or malicious actions can cause. When a new account is created, its type determines what the user is able to do.

An administrator is someone in charge of the settings and controls of a computer, and anyone logged into an account with administrator privileges can do pretty much anything on it. They can view every file on the system (including other users' files and any stored account, billing and subscription details), change system-wide settings, run all installed programs, add new programs, install new hardware drivers and change the usernames and passwords of other user accounts.

A regular (standard) user account cannot perform administrative tasks; it is limited to everyday work such as sending emails, creating documents and browsing the web. If a standard user can access additional files and data, it is only those that an administrator has allowed.

Default accounts

If you do not know what kind of account you have and do not remember choosing one, you might be using a default account. By default, the first account created on Windows and on a Mac has administrator privileges, meaning it can install, modify or delete software. This level of access carries security risks: anything that runs while you are logged in, including a malicious attachment or a program you were tricked into launching, runs with your full privileges and can make changes you never intended, some of which can cause major problems with the computer. It is also quite easy for an administrator to accidentally delete an important system file or change a setting that leaves the PC unstable or unbootable. If you work for a small business or for yourself, you might not realise that you are permanently logged on with an administrator account.

Account separation

No one, not even home users, should use administrator accounts for everyday computer use, such as web surfing, emailing or office work. Instead, those tasks should be carried out from a standard user account. Administrator accounts should be used only to install or modify software and to change system settings. If the account you use on your computer has administrative rights, create a separate administrator account and then downgrade your regular account to a standard user account, even when you are the only person who uses the computer. (You can still perform administrative tasks: when one is needed, the system prompts for the admin account's password, via User Account Control on Windows or the authentication dialog on a Mac.)

The administrator account should only be used when a task absolutely has to be done that a standard user account is not allowed to do. During normal use it is always best to log in to a regular user account. If more than one person will be using the same PC, each user should have their own separate, regular account. Separate accounts ensure accurate authentication and accountability and allow you to track and control who accesses which files or is able to change something in your system. Additionally, some computers have a 'guest' account enabled, which lets anyone use the device without a password of their own; check for it and disable it. In a similar vein, if there is an account on your computer that is no longer used, disable it and then delete it.
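The account separation steps above, carried out on a Windows 10/11 PC with the built-in local-accounts cmdlets, as an added example that is not part of the original post. It assumes you run it from the account that currently has administrator rights, and the names 'alice' (everyday account) and 'alice-admin' (new admin-only account) are placeholders for your own. The guest account is found by its well-known RID (501) rather than by name, because the built-in Guest account's name varies between language versions of Windows.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Cyber Essentials post. Placeholder account names:
$EverydayUser = 'alice'        # used for email, web and documents
$AdminUser    = 'alice-admin'  # used only for installs and settings changes

# 1. Create the separate administrator account. The password is prompted for,
#    never written into the script.
$pw = Read-Host -AsSecureString "Password for $AdminUser"
New-LocalUser -Name $AdminUser -Password $pw -FullName 'Alice (admin)' `
              -Description 'Administrative tasks only' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser

# 2. Safety check: do not demote the everyday account until another enabled
#    account really holds admin rights, or you could lock yourself out.
$newAdmin = Get-LocalUser -Name $AdminUser
$isMember = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.Name -like "*\$AdminUser" }
if (-not $isMember -or -not $newAdmin.Enabled) {
    throw "$AdminUser is not an enabled administrator; leaving $EverydayUser unchanged"
}

# 3. Downgrade the everyday account: removing it from Administrators makes it a
#    standard user (it stays in the Users group, which is all it needs).
Remove-LocalGroupMember -Group 'Administrators' -Member $EverydayUser

# 4. Disable the guest account if it is enabled. RID 501 identifies the built-in
#    Guest account regardless of its display name.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    "Disabled guest account '$($guest.Name)'"
}

# 5. Show the result: who is an administrator now.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

After this, sign out and back in as the everyday account; any task that needs admin rights will raise a UAC prompt asking for the admin account's password. On a domain-joined or Microsoft-account-joined PC, the Administrators group can also contain domain users and groups, which these cmdlets list but do not manage.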

How can this help prevent a cyber attack?

Attackers obtain credentials (usernames and passwords) to access accounts and commit crime. They do this in several ways: they might break into a company database and steal the credentials of all its customers, use social engineering to trick people into handing over their usernames and passwords, or simply buy a list of credentials from other criminals selling them on the dark web. The damage an attacker can cause is proportionate to the privileges of the account whose credentials they have acquired. An important way to minimise access to your most sensitive and important data is to grant privileged access only to people who need it for their roles, keep track of who has these accounts and regularly review these privileges.
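The "keep track and regularly review" step, as an added example that is not part of the original post: a PowerShell function that lists everyone holding local administrator rights on a Windows PC, flags accounts that are not on your approved list or have not logged on for a long time, and previews what would change. The approved list ('alice-admin') and the 90-day threshold are placeholder assumptions; the changes use -WhatIf so nothing is altered until you remove it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Cyber Essentials post.
function Get-LocalAdminReview {
    param(
        [string[]]$ApprovedAdmins,      # accounts that are allowed admin rights
        [int]$StaleAfterDays = 90       # local accounts idle longer than this are stale
    )
    $computer = $env:COMPUTERNAME
    $cutoff   = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $short = $m.Name -replace '^.*\\', ''        # 'PC\alice-admin' -> 'alice-admin'
        $local = $null
        # Only local user accounts can be inspected with Get-LocalUser; domain and
        # cloud principals (and groups) are reported but not judged stale.
        if ($m.ObjectClass -eq 'User' -and $m.Name -like "$computer\*") {
            $local = Get-LocalUser -Name $short -ErrorAction SilentlyContinue
        }
        $lastLogon = if ($local) { $local.LastLogon } else { $null }
        $stale = [bool]($local -and ($null -eq $lastLogon -or $lastLogon -lt $cutoff))
        [pscustomobject]@{
            Account   = $m.Name
            Type      = $m.ObjectClass          # User or Group
            Source    = $m.PrincipalSource      # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Enabled   = if ($local) { $local.Enabled } else { $null }
            LastLogon = $lastLogon
            Approved  = $ApprovedAdmins -contains $short
            Stale     = $stale
            BuiltIn   = [bool]($local -and $local.SID.Value -like 'S-1-5-21-*-500')
        }
    }
}

$review = Get-LocalAdminReview -ApprovedAdmins @('alice-admin') -StaleAfterDays 90
$review | Format-Table -AutoSize

# Preview the clean-up. Remove -WhatIf once you have checked the list.
# Unapproved local users lose admin rights (the built-in Administrator, RID 500,
# cannot be removed from the group, so it is skipped); stale enabled accounts are
# disabled first and only deleted once you are sure nothing depends on them.
foreach ($r in $review | Where-Object { $_.Type -eq 'User' -and -not $_.Approved -and -not $_.BuiltIn }) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $r.Account -WhatIf
}
foreach ($r in $review | Where-Object { $_.Stale -and $_.Enabled -eq $true }) {
    Disable-LocalUser -Name ($r.Account -replace '^.*\\', '') -WhatIf
}
```

Run it on a schedule and keep the output; a member that appears without a matching change request is exactly what a privilege review is meant to catch. One caveat: Get-LocalGroupMember is known to fail with "Failed to compare two elements in the array" on machines whose Administrators group contains orphaned SIDs or some Azure AD accounts; if so, inspect the group with `net localgroup Administrators` and tidy the orphaned entries first.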

Organisations are increasingly using cloud services to share access to their company files remotely. Although the security of many cloud services is far superior to anything a small organisation can arrange for itself, if access to those services is protected by a password alone, that single point of failure is a significant vulnerability to the confidentiality, integrity and availability of the organisation's data. For this reason, Multi-Factor Authentication (MFA) is now an essential element of security for accessing cloud services (and for most other accounts). MFA means using more than one way to verify a user's identity, not just a password: typically something you know (the password) plus something you have (a phone app, a text message code or a hardware security key). It ensures that if someone has acquired your password, they still cannot access your account without also having your second factor. Where you have the choice, prefer a second factor that cannot be captured by a phishing page, such as a hardware security key.
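To show concretely why a stolen password is not enough, here is an added example (not part of the original post) of the mechanism behind the six-digit codes an authenticator app produces: time-based one-time passwords (TOTP, RFC 6238). The code is an HMAC over the current 30-second time slot, keyed with a secret that only the user's app and the service share, so an attacker who knows the password but not the secret cannot compute it, and a code they do intercept is useless a minute later. The base32 secret is the RFC's published test key, and the Test-MfaLogin function and its stored password hash are illustrative assumptions, not a real service's code.

```powershell
# Added example, not from the Cyber Essentials post.
function ConvertFrom-Base32 {
    param([string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpper().TrimEnd('=').ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($c), 2).PadLeft(5, '0')
    }
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $bytes.ToArray()
}

function Get-TotpCode {
    param([byte[]]$Key, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    # Counter = number of complete time steps since the Unix epoch, as 8 bytes big-endian
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hash = [System.Security.Cryptography.HMACSHA1]::new($Key).ComputeHash($msg)
    # Dynamic truncation (RFC 4226): take 4 bytes at the offset given by the low nibble
    $offset = $hash[19] -band 0x0F
    $bin = (($hash[$offset]     -band 0x7F) -shl 24) -bor
           (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
           (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
            ($hash[$offset + 3] -band 0xFF)
    return ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    param([byte[]]$Key, [string]$Code, [long]$UnixTime, [int]$Window = 1)
    # Accept the current slot plus $Window slots either side to tolerate clock drift
    foreach ($slot in -$Window..$Window) {
        if ((Get-TotpCode -Key $Key -UnixTime ($UnixTime + 30 * $slot)) -eq $Code) { return $true }
    }
    return $false
}

# Shared secret as it would be shown in the enrolment QR code. This is the RFC 6238
# test key ("12345678901234567890" in base32); a real service generates a random one.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'

# Self-check against the RFC 6238 test vector: at Unix time 59 the 6-digit code is 287082
if ((Get-TotpCode -Key $secret -UnixTime 59) -ne '287082') { throw 'TOTP self-check failed' }

# Illustrative login check: both factors must pass. The stored value is a SHA-256 of
# the placeholder password 'correct horse' purely to avoid keeping plaintext here.
$storedHash = [BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::HashData([Text.Encoding]::UTF8.GetBytes('correct horse'))
).Replace('-', '')

function Test-MfaLogin {
    param([string]$Password, [string]$Code, [long]$Now)
    $h = [BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::HashData([Text.Encoding]::UTF8.GetBytes($Password))
    ).Replace('-', '')
    ($h -eq $storedHash) -and (Test-TotpCode -Key $secret -Code $Code -UnixTime $Now)
}

$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$validCode = Get-TotpCode -Key $secret -UnixTime $now   # what the user's app shows right now
"Password + current code:          $(Test-MfaLogin -Password 'correct horse' -Code $validCode -Now $now)"
"Password only (attacker guess):   $(Test-MfaLogin -Password 'correct horse' -Code '000000' -Now $now)"
"Password + code from 10 min ago:  $(Test-MfaLogin -Password 'correct horse' -Code (Get-TotpCode -Key $secret -UnixTime ($now - 600)) -Now $now)"
```

The SHA256.HashData static method needs .NET 5 or later (PowerShell 7); on Windows PowerShell 5.1 use `[System.Security.Cryptography.SHA256]::Create().ComputeHash(...)` instead, and a real service would store a salted, slow password hash rather than plain SHA-256. The point of the last two lines is the one the paragraph makes: the password on its own, or an old code, gets an attacker nowhere.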

Find out more about getting Cyber Essentials certified here.