Network boundaries & Cyber Essentials

Jemma Aldridge
Cyber Essentials Assessor
05/01/2024

It’s not surprising that adoption of Cyber Essentials certification is growing steadily year on year. It’s a valuable certification to have, not least for the many commercial opportunities it presents. But as a Cyber Essentials Assessor, one thing I see repeatedly is that poor network boundary implementation makes reaching certification harder than it has to be – especially for smaller organisations. That’s what I’m going to be looking at in this blog.


Hardware boundary devices

One of the five key controls that Cyber Essentials evaluates is the implementation of the network boundary. Sometimes this is a hardware router, often with a firewall built in or with a separate hardware firewall alongside it. The boundary device matters because it controls all incoming and outgoing traffic and can deny access to any potentially dangerous protocols or websites. However, a common issue in Cyber Essentials applications is that these devices are not configured correctly, or that there is a lack of knowledge about firewall best practices and how to implement them.

Let’s start with one of the most common set-ups I see, where a company has its own office and its own router/firewall, which it purchased and manages itself. That’s a good start, because there is a clear boundary between the corporate network and the wider internet, but simply having a boundary device is not enough.

Updates

Your boundary device must be capable of receiving regular firmware/software (as appropriate) updates from the vendor. This also means it cannot have reached its end-of-life or end-of-support date. For a Cyber Essentials assessment, we would therefore need the make and model of the device so that your assessor can check the vendor site, end-of-sale/life publications, and firmware update history to confirm the end-of-support dates and regularity of updates. Checking that the boundary device is updated is a quick thing that all businesses undergoing Cyber Essentials can do ahead of their assessment to make certification go as quickly as possible. It’s also worth looking into support lifecycles ahead of buying a new boundary device. This would avoid unfortunate expenditure on a device that would not be able to actively protect the company for long.

If the device is found to be at end-of-life, or to have not received an update for a certain amount of time, it would result in a failure of a Cyber Essentials assessment. This is because the device would not be able to protect against the latest threats in an ever-changing security landscape.

Passwords

Next, we would need to see confirmation that the default password of your router or firewall device has been changed, and the steps that were taken to do this so that we can verify this has definitely been completed. The best time to do this is when the device is first set up. The password must be strong, not easily guessable, and therefore less likely to be hacked.

Remote workers

Lastly, the issue of protection when working away from the office has not yet been considered. Even if there is a boundary device onsite, there still needs to be protection in place for when an employee works from home on occasion, is at a conference or travelling, or is normally a remote worker. Therefore, the use of a VPN or software firewalls, and how these are implemented, would need to be noted in your Cyber Essentials to cover this.


Software boundary devices

This brings us nicely to our next scenario. In the post-pandemic world, remote working is often the norm. Now the biggest mistake for companies in this position is to believe they are exempt from this requirement and state there are no firewalls/boundary devices in place due to a fully remote workforce and no company routers. Whilst it is true for Cyber Essentials that home-based workers' ISP devices (such as the combi modem-router you get from your domestic broadband supplier) are out of scope, there still must be protections in place. Let’s take a look at what’s needed.

OS firewall applications

So here is where many companies get confused, but this can be much more straightforward than people think. All supported Windows and Mac OSes come with built-in firewalls. Simply checking the firewall is enabled on all devices would meet the need of having the basic firewall cover on all devices. As long as the Operating System on devices is kept up to date, this would be effective for compliance in Cyber Essentials. How’s that for a quick win?
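One way to run that check on each device, as an added example that is not part of the original post: it parses the output of the built-in `netsh advfirewall show allprofiles state` (Windows) and `socketfilterfw --getglobalstate` (macOS) commands. English-language command output is assumed, and the sample output is constructed and trimmed.

```python
import platform
import re
import subprocess

# Built-in commands that report firewall state (English-language output assumed).
COMMANDS = {
    "Windows": ["netsh", "advfirewall", "show", "allprofiles", "state"],
    "Darwin": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
}

def parse_windows(output):
    """Map each profile (Domain, Private, Public) to True when its State is ON."""
    profiles, current = {}, None
    for line in output.splitlines():
        header = re.match(r"(\w+) Profile Settings:", line.strip())
        if header:
            current = header.group(1)
        elif current and line.split()[:1] == ["State"]:
            profiles[current] = line.split()[-1].upper() == "ON"
            current = None
    return profiles

def parse_macos(output):
    """'State = 0' means off; any other reported state is treated here as on."""
    state = re.search(r"State = (\d+)", output)
    return {"Global": bool(state) and state.group(1) != "0"}

def firewall_compliant(system, output):
    """A device passes only if every profile it reports is enabled."""
    profiles = parse_windows(output) if system == "Windows" else parse_macos(output)
    return bool(profiles) and all(profiles.values())

def check_this_device():
    system = platform.system()
    if system not in COMMANDS:
        raise RuntimeError(f"no built-in check defined for {system}")
    run = subprocess.run(COMMANDS[system], capture_output=True, text=True, check=True)
    return firewall_compliant(system, run.stdout)

# Constructed sample: a Windows laptop whose Public profile has been switched off.
SAMPLE_WINDOWS = """Domain Profile Settings:
State                                 ON
Private Profile Settings:
State                                 ON
Public Profile Settings:
State                                 OFF
"""

if __name__ == "__main__":
    print(parse_windows(SAMPLE_WINDOWS), firewall_compliant("Windows", SAMPLE_WINDOWS))
```

The sample device fails because one profile is off, which is the case a quick glance at a settings screen tends to miss.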

Some companies may wish to go further here and also purchase a reputable firewall/endpoint software package to ensure more tailored and in-depth cover. For example, many Bulletproof Cyber Essentials packages include a Defense.com subscription, which can feature endpoint protection. In this case, when completing your Cyber Essentials, you would need to provide the version details to ensure the installed software is up to date and therefore receiving the most recent security updates.

Default passwords

For software firewalls, a Cyber Essentials Assessor must confirm that the default firewall password has been changed. For the use of OS firewalls, this requirement could be met by confirming the default Admin password on all devices has been changed (and the steps on how this was done) so it can be verified the action has been completed.


Boundary devices managed by third parties

Another common area of confusion is when organisations have a boundary device managed by an external IT provider or have serviced offices.

Third-party IT provider

Let’s now look at where your boundary device is managed by a third party, such as your IT provider. I’m going to say this in plain language: these are still in the scope of your Cyber Essentials certification and all questions need to be fully answered and applied! Even though it has been outsourced to a third-party company, the certifying company still has overall responsibility for ensuring protection needs are being met. Outsourced service is not outsourced responsibility. The supplier must advise on how the default firewall password has been changed and know the configuration of the password. If these details aren’t known, you need to work with the provider to find them so this can be properly managed going forward.

Think of it this way: if the firewall is not up to date, is at end-of-life, or the password configuration is not strong enough, finding out now and asking the provider to replace or update the device would be much better than finding out after a worst-case scenario of a successful cyber attack on the company network. The Cyber Essentials self-assessment is all about identifying weak areas and improving them to ensure your company has a better security posture at the end, so if any of these controls aren’t in place, or any of these issues are found, it’s a great opportunity to remediate. Cyber Essentials isn’t about judgement or criticism, it’s about doing what it takes to meet the basics.

Serviced or shared offices

In the case of a serviced or shared office, where the servicing company is providing the boundary device, the make and model details ideally should be provided in your Cyber Essentials assessment. Again, it should be confirmed if it’s currently in support by the manufacturer. If it’s not, then it won’t pass Cyber Essentials, and you’ll need to discuss it with the service provider and ask that this be replaced with a supported device. If doing Cyber Essentials Plus, you’ll also need permission to perform an external vulnerability scan on the serviced device.

Otherwise, there is a way forward if the service provider is unable to release the above details, if you or the provider are having difficulty obtaining them, or if you can obtain the details but do not have permission for the device to be VA scanned. The equipment can be marked as out of scope and a new network boundary marked. This could be with your own hardware firewall in front of the third-party device, or locally to each machine at the software firewall level. In these cases, the previous advice still applies. Given that a Cyber Essentials Plus certification requires a vulnerability scan, having your own, single boundary device, rather than software firewalls on everyone’s laptop, will make certification easier.


One last thing... open ports

Another area that is sometimes forgotten when looking into firewall configuration is whether there are any open ports, and the process around them. If open ports are needed, say for VPN access or any other external services, that is absolutely fine. The problem arises when open ports are not properly documented and monitored. There should be a clear business case for why the ports need to be open, and a regular review process to check all open ports. This ensures there are no misconfigurations, that everything is up to date, and that a port which no longer needs to be open is closed promptly. This will provide optimum protection from any hackers using bot tools to identify open ports as a way into a network.
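A sketch of that review process, added here as an example and not taken from the original post: it reconciles a documented port register against the ports actually found open on your own boundary device. The register layout, the sample data and the 90-day review interval are all assumptions made for illustration.

```python
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumption: the post only says "regular"

# Constructed sample register: one entry per approved open port.
REGISTER = [
    {"port": 443, "proto": "tcp", "business_case": "Remote-access VPN portal",
     "last_review": date(2024, 1, 2)},
    {"port": 1194, "proto": "udp", "business_case": "Legacy site-to-site VPN",
     "last_review": date(2023, 12, 1)},
    {"port": 8080, "proto": "tcp", "business_case": "",
     "last_review": date(2023, 6, 1)},
]

# Constructed sample: ports found open when checking your own firewall.
OBSERVED = {(443, "tcp"), (3389, "tcp"), (8080, "tcp")}

def review_open_ports(register, observed, today):
    """Return (port, proto, issue) findings for the periodic open-port review."""
    documented = {(e["port"], e["proto"]): e for e in register}
    findings = []
    # Open on the firewall but nobody has recorded why.
    for port, proto in sorted(observed - set(documented)):
        findings.append((port, proto, "undocumented"))
    for (port, proto), entry in sorted(documented.items()):
        if (port, proto) not in observed:
            # Approved but no longer open: retire the entry so it cannot be
            # quietly reopened under an old approval.
            findings.append((port, proto, "stale-entry"))
            continue
        if not entry["business_case"].strip():
            findings.append((port, proto, "no-business-case"))
        if today - entry["last_review"] > REVIEW_INTERVAL:
            findings.append((port, proto, "review-overdue"))
    return findings

if __name__ == "__main__":
    for finding in review_open_ports(REGISTER, OBSERVED, date(2024, 1, 5)):
        print(finding)
```

Any `undocumented` finding is the one to act on first: either the port gets a recorded business case or it gets closed.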

Summary

As you can see, Cyber Essentials doesn’t expect you to reinvent the wheel or be a technical genius on the topic of business firewalls (phew – a sigh of relief I hear). Instead, it’s all common sense security basics, the rationale behind which should be clear. Thinking about these simple steps would help protect company assets from security threats and keep you safe online. In today’s world, this knowledge is ever more important.


Meet the author

Jemma Aldridge, Cyber Essentials Assessor

Jemma has a long background in IT and specialises in cyber security. As a Cyber Essentials Assessor she has a great eye for technical detail and prides herself on a smart approach to helping businesses through certification.
