With the new update to Cyber Essentials released early this year, here are a few substantial changes that your organisation should know about.
The National Cyber Security Centre (“NCSC”) has published new infrastructure requirements for Cyber Essentials and Cyber Essentials Plus. The most recent version came into force on the 24th of January 2022.
This is the most significant amendment to the scheme’s technical controls since it launched in 2014. For companies considering becoming Cyber Essentials or Cyber Essentials Plus certified, being aware of the new requirements is therefore essential for successful certification.
But first, what is Cyber Essentials and why is it important?
Cyber Essentials is a government-backed and industry-recognised scheme that helps businesses mitigate common internet-based threats and raises cyber security awareness. For more details about Cyber Essentials and Cyber Essentials Plus, have a look at our blog post, and if you would like more extensive information, go to the gov.uk page.
This year’s update is one of the most extensive changes to the scheme’s technical controls since it first launched in 2014. Shaped by feedback from industry experts and businesses, the new version responds to changes in the cyber threat landscape and aligns Cyber Essentials more closely with other guidance. It also signals more frequent reviews of the controls in the future.
The updates include revisions to technical requirements relating to:
- The use of cloud services
- Multi-factor authentication
- Password management
- Security updates
Please note that if you are already going through an assessment, or one that started before January 2022, you will be able to continue using the previous technical standard. If your organisation uses the previous standard, you will have six months from the 24th of January to complete the assessment.
Organisations that need to make adjustments in order to be assessed against the updated requirements will have a grace period of up to 12 months for some of the new standards.
What changes are being made to Cyber Essentials and Cyber Essentials Plus?
During and after the pandemic, many companies reshaped their working model, adjusting to more mobile, digital and cloud-based operations and communications. This enables productivity and efficiency for hybrid-working staff, but also creates new exposure to cyber threats.
What has changed since January 2022 in Cyber Essentials and Cyber Essentials Plus?
1. Bring your own device (BYOD)
Mobile devices and laptops owned by a business of any size have always fallen within the scope of the certification. However, any personal device that an employee uses to access organisation data or services also falls in scope. The only exceptions are devices used solely for:
- Native voice applications
- Native text applications
- Multi-factor authentication applications
2. Routers, wireless devices and working from home
Internet Service Provider (“ISP”) routers and users’ own routers are out of scope, meaning that the Cyber Essentials firewall controls must be applied on the user’s devices. However, if the employee uses a router supplied by the organisation, that router is in scope.
Wireless devices, such as wireless access points, are treated as follows:
- In scope if the device can connect to and communicate with other devices through the Internet
- Not in scope if the device is a component of a home-based, user-owned ISP router
- Not in scope if the device cannot be attacked directly through the Internet.
3. Cloud Services and web applications
Cloud-based services and applications are now fully integrated into the scheme. If an organisation’s services, data and applications operate in the cloud, they are subject to Cyber Essentials, and the organisation is responsible for ensuring that all the controls are implemented.
Cloud services are now categorised as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). New controls include checks that multi-factor authentication is in place for administrator and user accounts.
What does your organisation need to do?
The new version of Cyber Essentials launched on the 24th of January 2022, with further updates planned for 2023. Organisations certified before this date do not need to apply the new requirements while their current certification remains valid.
Cyber Essentials applications submitted on or after the 24th of January must use the new version. Some organisations may need to put in extra effort to meet the new requirements, and a grace period of up to 12 months is permitted for this.
The new updates to Cyber Essentials will make certification more difficult to achieve. On the other hand, the new version of the scheme aims to raise the level of cyber security, particularly now that organisations have embraced cloud systems and hybrid working to their full potential.
As expert IT providers and cyber security professionals, we believe that the stronger an organisation’s security posture, the harder it is to breach. And whilst certification may be harder and more costly to achieve, as an investment it will pay off in the long run, particularly when compared to the cost of a data breach and its often irreparable consequences.
Need more advice?
Contact one of our friendly team of IT specialists to find out more about the updates, or if you are looking for support with Cyber Essentials or Cyber Essentials Plus. The advice is free, and knowing that you are speaking with an IT professional should give you the confidence to ask questions and trust our advice. Let us know today how we can support your business IT security.
As a team of IT experts, we pride ourselves on providing the best technology solutions to businesses across the UK since 1993. We have plenty of great advice that we can share with you! So, if you have any questions about your business' IT:
- Call us on 0330 333 7439
- Or simply drop us an email at firstname.lastname@example.org