Changes to the Cyber Essentials scheme
As the cyber threat continues to evolve, the Cyber Essentials scheme has made several changes to its requirements to ensure businesses are fully equipped to prevent and protect against attacks by cyber criminals.
What is the Cyber Essentials scheme?
Backed by Government and industry, the Cyber Essentials Scheme was launched in 2014 with the objective of helping organisations to protect themselves against a range of common cyber attacks.
As outlined in our ‘Waging war against cybercrime’ e-book, cybersecurity should be a vital part of your business strategy, irrespective of the size or sector you operate in. Cyber attacks are on the increase and are becoming more and more sophisticated. As such, it’s extremely important to implement measures that prevent your company from becoming a victim of cybercrime.
A set of basic technical controls, the Cyber Essentials scheme enables your company to achieve two levels of certification: Cyber Essentials and Cyber Essentials Plus. The first is a self-assessment option that offers protection against the most common cyber attacks. The second is an extension of Cyber Essentials and requires that a hands-on technical verification is carried out.
What changes have been made to the Cyber Essentials scheme?
Six areas of the scheme have been updated, and these are some of the biggest changes we’ve seen since its initial launch. We’ve summed up the key changes for you:
If your company’s data or services are hosted on a cloud service, you are now responsible for ensuring that all of the Cyber Essentials technical controls are implemented. Definitions have been added for the cloud service models Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Multi-Factor Authentication (MFA)
Cyber Essentials states that MFA should be used to provide an extra layer of protection for admin accounts whenever the user is connecting to any cloud service. The password used with MFA must be a minimum of 8 characters. This will apply to all accounts in 2023.
Working from Home
If your company has adopted a hybrid working model, or if any of your employees ever work from home, any devices they use to access company information or services are in scope for Cyber Essentials. The same applies to dumb terminals.
Using a corporate VPN moves the scope boundary to the corporate firewall or virtual cloud firewall. A corporate VPN gives your employees a secure, end-to-end encrypted connection to any cloud resources included in your company’s network.
Any smartphone or tablet that is used to connect to your company’s data and services is now in scope for Cyber Essentials. This applies whether the device connects via the corporate network or via mobile internet (4G or 5G).
To unlock any such device, biometrics or a PIN of at least 6 characters must now be used.
Any software that is used on any in-scope device must be:
- Licensed and supported
- Removed from the device if it becomes unsupported
- Removed from scope, or segregated from the main network in a defined ‘sub-set’ that prevents any traffic to and from the internet, if it cannot be removed
In addition, automatic updates must be enabled, and the user must apply any update to their device within 14 days of its release.
Administrative activities should only be performed from separate, dedicated accounts. This keeps the admin account away from avoidable risks such as emailing and web browsing.
Any questions? Please get in touch!
If you have any questions about the changes to Cyber Essentials, or if you’d like support to gain Cyber Essentials certification, the etiCloud team can help. Simply call us on 0333 358 2222 or drop us an email at firstname.lastname@example.org and we’ll get you started.