Businesses

1. Change default or weak account passwords

2. Change default administrative password on firewalls

3. A minimum password length of at least 12 characters, with no maximum length restrictions - use automatic blocking of common passwords using a deny list, promote the use of strong password standards (education)

4. Authenticate users before granting access to applications or devices

5. Ensure appropriate device locking controls - biometric, password or PIN before gaining access to the services. Biometric tests, passwords and PINs.

6. Ensure devices and software (especially antivirus) are set to auto update

7. Install Antivirus on staff PCs

8. Implement MFA, where avaliable

9. Enforce Two-Factor Authentication across your Organisation.

10. Remove or disable unnecessary software

11. Manual backup to separate device, kept elsewhere

12. Lock accounts after no more than 10 unsuccessful attempts

13. Wait between attempts increases with each unsuccessful attempt. This should permit no more than 10 guesses in 5 minutes

14. Disable any auto run feature which allows file execution without user authorisation

15. Configure regular scans of devices and the network for malware.

16. Remove or disable user accounts when no longer required, in particular special access accounts

17. Use separate accounts to perform administrative activities only

18. Providing usable secure storage for passwords, e.g password manager

19. Automatic cloud backups

20. Create a log of all of the data that is important to the organisation

21. Block unauthenticated inbound connections by default

22. Every device in scope must have a firewall.

23. Scan web pages automatically when they are accessed through a web browser

24. Allow access to a specific set of websites, block everything else.

25. Prevent access to the administrative interface from the Internet, unless there is a clear and documented business need.

26. Disable remote administrative access to firewalls entirely

27. Multi-Factor Authentication on Firewalls

28. Use IP Allowlists (Whitelists) on Firewalls and block all other connections by default.

29. Do not allow applications that are unsigned, have an invalid signature or do not match your organisations software whitelist.

30. Sandbox applications