Cyber Essentials Standards Update
On January 24th, 2022, some of the biggest revisions in recent years to Cyber Essentials will be undertaken.
There will be major changes to the technical controls that help organisations against the ever-increasing risk of cyber-attacks within the digital landscape, which are reviewed at regular intervals by a team of government approved experts. Here we explore the changes to the Cyber Security Essentials Scheme, so you can see how the development of Cyber Essentials continues to allow UK businesses to improve upon their best cyber security practices.
Cyber Essentials Scheme Summary
Here we have summarised how the Cyber Essentials Scheme has changed, outlining the various elements that may impact your organisation.
Home Working Devices and BYOD are in scope but most Home Routers are not
Home routers, provided by Internet Service Providers, are now out of scope. The new Cyber Essentials Scheme means that firewall controls are now transferred to the home worker’s own device. This means that a router, supplied by the applicant company requires Cyber Essentials controls to be utilised.
All Cloud Services are in scope
The new Cyber Essentials Scheme summary includes the full integration of cloud services. The data or services of an organisation are hosted upon the cloud, meaning the organisation becomes responsible in ensuring all controls are sufficiently implemented. New definitions of cloud services have also been added for Infrastructure as a Service, Platform as a Service and Software as a Service. The implementation of said controls is dependent on the type of cloud service used, be it Public Cloud, Private Cloud, or Hybrid Cloud.
Cloud Services: Multi Factor Authentication is Required for Access
While the provision of additional protection for passwords that aren’t currently protected by other technical controls is in place, multi-factor authentication should be utilised to give extra protection to the accounts of administrators and accounts that connect to cloud services.
In terms of the passwords used for multi-factor authentication, the Cyber Security Essentials Scheme also now requires a password length of at least 8 characters, with no maximum password length limits
The Cyber Security Essentials Scheme recommends that separate accounts are used to carry out administrative activities.
The Scope of an Organisation Must Include End-User Devices
Ignoring the threats that arise from administrators who administered their server systems can cause issues if an organisation certifies their server systems only. Within the Cyber Essentials Scheme summary, changes in this requirement resolves the issues regarding organisations who could certify their company without including end-to-end devices. With this update, all software on in-scope devices must:
Be licensed and supported
Be removed from devices when it becomes unsupported
Have automatic updates supported
Be updated, involving the application of any manual configuration changes within 14 days of an update being released
This update to the Cyber Essentials Scheme is applicable to any issues surrounding critical or high-risk vulnerabilities and addresses vulnerabilities with a CVSS v3 score of 7 or above as well as when there is no information of the severity of vulnerabilities the update fixes provide by the vendor.
New Guidance on Backing Up
The Cyber Essentials Scheme Summary now provides guidance in terms of backing up your data. Although this not a technical requirement, executing the correct backup solution is highly advised.
The new recommendations include two additional tests within the Cyber Security Essentials Scheme audit:
- Test to confirm account separation between user and administration accounts
- Test to confirm MFA is required for access to cloud services
These changes within the Cyber Security Essentials Scheme will allow for a grace period of one year, permitting organisations to make changes to the following:
MFA for Cloud Services
In place from January 2022 for administrator accounts, January 2023 for user requirements.
As they must be supported and receive Cyber Security Essentials Scheme updates, the requirement will be marked for compliance from January 2023.
Security Update Management
Unsupported software that is removed from scope is to be marked for compliance from January 2023 for the first 12 months.
If you are looking for Managed IT Support or have more questions regarding the Cyber Essentials Scheme update, contact Wanstor today. For organisations that are already CE certified, these certifications will remain valid until their expiry date. Upon re-certification these new requirements will need to be met to it is recommended that you leave yourselves with enough time to prepare for any remediation work.
Any businesses that have begun their Cyber Essentials journey before 24 January but are not yet certified must continue to follow the previous regulations and will have until 24 July 2022 to complete the certification.
The NCSC has created a FAQ document for further information here: Frequently asked questions
You can read a full explanation of the revised Cyber Essentials technical controls in a blog post released by the IASME here: The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today's digital environment