Cyber Essentials updated in response to increased threat environment

Cyber Essentials is the government's best-practice cybersecurity framework. It was introduced in 2014 to help organisations combat the rise in cyber-crime, and it is now being upgraded in what appears to be a direct response to an increasingly worrying threat environment that shows no sign of subsiding.

The framework comes in two versions. The simpler form offers a set of steps organisations can follow to prevent the most common cyber-threats, with certification granted after a self-assessment.

The more advanced version is Cyber Essentials Plus, which requires hands-on technical verification by a third party that specialises in delivering cybersecurity advice and assessments. It covers aspects of cybersecurity including, but not limited to, firewalls, secure configuration, access controls and malware protection.

The new version of the technical requirements will be officially released on January 24 2022. After consultation with assessors, applicants and the Cloud Industry Forum, these new requirements were deemed necessary to ensure certification remains relevant amidst a fast-moving technology and threat landscape.

What is Cyber Essentials changing and why?

There are a lot of changes planned. As a business that has helped a number of clients achieve their Cyber Essentials certification, we're here to help answer your questions, but here is a brief overview of the changes:

Changes for home workers

The switch to home working for many people has been recognised, along with the threat this poses. The devices home workers use to access their employer's applications and information are in scope for Cyber Essentials.

Personal home routers are out of scope, and the Cyber Essentials firewall controls are transferred to the home worker's device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.

Cloud is now included

If an organisation's data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.

The new requirements make organisations responsible for user access control and the secure configuration of their services. This includes securely managing access to the different administration accounts and blocking accounts that they do not need.

Multi-factor makes the difference

Multi-factor authentication (MFA) provides extra protection for passwords that are not protected by other technical controls. It should always be used as additional protection for administrator accounts, and for all accounts when connecting to cloud services.

Multi-factor authentication requires the user to present two or more types of credential before being able to access an account. It is necessary for Cyber Essentials because of the increasing number of attacks on cloud services that use techniques to steal users' passwords in order to access their accounts.

Other changes making the news

Alongside the major updates listed above, there is a raft of smaller changes that all play their part in combating cyber criminals.

Thin clients, terminals that hold little data but give the user access to a remote desktop via an internet connection, will now be in scope of the certification. All servers, including virtual servers, are also now in scope.

The new requirements stipulate that all smartphones and tablets that connect to organisational data and services are in scope, whether they connect over the corporate network or over mobile internet such as 4G. Mobile or remote devices used only for voice calls, texts and the like remain out of scope. Biometrics, or a password or PIN of at least 6 characters, must be used to unlock a device.

All critical and high-priority updates must be applied within 14 days, and unsupported software should be removed.

In addition to these general updates, two additional tests have been added to the Cyber Essentials Plus audit: one to confirm account separation between user and administration accounts, and one to confirm that MFA is required for access to cloud services.

We hope this brief overview has been useful. If you need any further advice about updating your Cyber Essentials certification, or applying for your first, please get in touch and we'll talk you through the important, simple steps to protecting your organisation.