Cyber Essentials Controls

Secure Configuration

Secure configuration is one of the five core controls within Cyber Essentials. It is designed to ensure that devices, software, and cloud services are set up securely from the start and do not retain unnecessary features, accounts, or settings that could be exploited by attackers. Because out-of-the-box configurations are often not secure by default, organisations are expected to actively review and harden their systems. By removing unused software, disabling unneeded accounts and features, securing passwords, locking devices, and reviewing exposed services such as open ports, businesses can reduce unnecessary risk, make their systems harder to attack, and improve their overall cyber resilience.

Remove or Disable Unused Software

Any software, services, or applications that are not needed for day-to-day business use should be removed or disabled. The more software and features a device has enabled, the more potential vulnerabilities and access points it may present. This includes pre-installed software, optional operating system features, and applications that are no longer required. Reducing unnecessary software helps minimise the attack surface and lower the risk of compromise.

Remove or Disable Unrequired Accounts

Unused accounts should also be removed or disabled. Old user accounts, guest accounts, default accounts, and any other accounts that are not required for normal business use can create unnecessary security risks if left in place. Cyber Essentials expects organisations to keep accounts under control and ensure that only current, legitimate users have access to devices and cloud services.

Disable Autoplay and Autorun

Autorun and autoplay should be disabled on operating systems and browsers where relevant. These features can allow software or media to launch automatically when removable media such as a USB device is connected. Disabling them helps prevent unauthorised or potentially malicious software from running without the user’s knowledge, adding an extra layer of protection against accidental infection.

Use Secure Password Settings

Cyber Essentials requires organisations to make proper use of the technical controls available on password-protected systems. Passwords should be configured to meet the required standard: either at least 8 characters with multi-factor authentication, at least 8 characters with a deny list that blocks common passwords, or at least 12 characters if the account relies on a password alone. Password systems should not impose a maximum length that weakens security.

For internet-facing services, organisations must also protect against brute-force password guessing. This can be achieved through multi-factor authentication, locking accounts after repeated failed attempts, or limiting the number of guesses allowed within a set period. These controls reduce the risk of attackers gaining access through automated password attacks.
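As an added illustration (not code from the KEYSIGMA page or from the Cyber Essentials scheme itself), the three password-length routes above and a sliding-window lockout for failed logins, written in Python. The lockout threshold (5 failures within 10 minutes) and the small deny list are assumptions chosen for the example.

```python
"""Constructed example: Cyber Essentials password-length routes and a lockout guard."""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Optional

# Constructed sample deny list; a real deployment uses a large corpus of
# commonly breached passwords (assumption: matched case-insensitively).
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1"}


def password_meets_standard(password: str, *, mfa_enabled: bool,
                            deny_list: Optional[set] = None) -> bool:
    """Return True if the password satisfies one of the three routes:

    - at least 8 characters when MFA is enforced on the account
    - at least 8 characters when a deny list blocks common passwords
    - at least 12 characters when the password stands alone
    No maximum length is enforced, as the control requires.
    """
    length = len(password)
    if mfa_enabled and length >= 8:
        return True
    if deny_list is not None:
        if password.lower() in deny_list:
            return False  # blocked as a common password
        return length >= 8
    return length >= 12


class BruteForceGuard:
    """Lock an account after too many failed logins inside a sliding window."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 600):
        self.max_failures = max_failures  # assumed policy: 5 failures
        self.window = window_seconds      # assumed policy: per 10 minutes
        self._failures: dict = defaultdict(deque)

    def _prune(self, account: str, now: float) -> deque:
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()  # forget attempts older than the window
        return q

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now).append(now)

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._prune(account, now)) >= self.max_failures
```

The guard keeps only timestamps of failed attempts, so a successful login or simple expiry of the window releases the lock without further state.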

Lock Devices Properly

Mobile devices and other portable systems that access organisational data or services should have an appropriate locking mechanism in place. Under Cyber Essentials, this generally means a unique password or PIN of at least 6 characters, or a biometric method such as fingerprint or facial recognition where supported. Device locking helps protect business data if a device is lost, stolen, or left unattended.

Configure Open Ports Securely

Cyber Essentials also expects organisations to understand and document any open ports on their devices and services. Open ports should only exist where there is a genuine business need, and they should be reviewed regularly to make sure they are still required. Unnecessary open ports can expose systems to attack, so they should be closed or restricted wherever possible.
