From 24 January 2022, some of the technical control requirements for Cyber Essentials will change in line with recommended security updates.
By correctly implementing the five basic security controls (firewalls, secure configuration, user access control, malware protection and security update management), the Cyber Essentials scheme helps you reduce the impact of threats such as:
- Phishing attacks
- Password-guessing attacks
- Network attacks
Obtaining Cyber Essentials certification can help you prevent around 80% of common cyber-attacks. But the requirements for obtaining the certification are changing.
What are these changes?
1. Home working is in scope, but most home routers are not
With the huge increase in home working, it is now very common for people to access their work through a personal home device and a home router. Home routers are out of scope. However, any end-user device used to access an organisation's infrastructure is in scope for Cyber Essentials and must have the Cyber Essentials controls applied. Anyone who works from home for any amount of time is classed as a ‘home worker’, and this rule applies to them.
2. All cloud services are in scope
Many of us now access work through cloud solutions, with organisations running on cloud-based infrastructure. With the changes, any cloud service must now be fully integrated into the scheme. ‘Cloud services’ here means Infrastructure as a Service, Platform as a Service and Software as a Service. If your organisation’s data or services are hosted in the cloud (whether fully or in a hybrid model), you must ensure that the Cyber Essentials controls are implemented there too.
3. Multi-factor authentication must be used for access to cloud services
There have been an increasing number of attacks on cloud services where threat actors are able to access user accounts to gain access to the wider network. Multi-factor authentication (MFA) will now be required to access cloud services.
Most of us use some form of MFA every day, for example with a banking app. MFA requires at least two different factors to gain access to an account: something you know (a password), something you have (a device or hardware token) or something you are (a biometric such as face, voice or fingerprint recognition). A password alone, or a password plus a second password, does not count as MFA.
MFA is now a requirement for Cyber Essentials. The password element of the MFA approach must be at least 8 characters long, and there must be no maximum length restriction.
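The following is an added example, not code from the original page or from the Cyber Essentials scheme: a minimal login check that enforces both factors described above. It assumes the "something you have" factor is a TOTP authenticator app (RFC 6238: HMAC-SHA1, 30-second step, 6 digits; the scheme itself does not mandate a particular second factor) and that the password is stored as a salted PBKDF2-HMAC-SHA256 hash. The 8-character minimum with no maximum is the rule quoted in the text; the account names, secrets and timestamps are constructed for illustration.

```python
"""Password-plus-TOTP login check (added example, not from the original page).

Assumptions not stated on the page: the second factor is an RFC 6238 TOTP app
(SHA-1, 30-second step, 6 digits) and passwords are stored as salted
PBKDF2-HMAC-SHA256 hashes. Only the 8-character minimum with no maximum comes
from the Cyber Essentials text.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LEN = 8        # Cyber Essentials minimum; deliberately no maximum
TOTP_STEP = 30              # seconds per TOTP window
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def password_policy_ok(password: str) -> bool:
    """Length floor only: long passphrases are allowed, there is no upper bound."""
    return len(password) >= MIN_PASSWORD_LEN


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes      # shared with the user's authenticator app at enrolment


def enroll(username: str, password: str, totp_secret: Optional[bytes] = None) -> Account:
    """Create an account; refuses passwords shorter than the policy minimum."""
    if not password_policy_ok(password):
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    salt = secrets.token_bytes(16)
    secret = totp_secret if totp_secret is not None else secrets.token_bytes(20)
    return Account(username, salt, hash_password(password, salt), secret)


def verify_login(account: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass. Both are evaluated before deciding, so a bad
    password does not short-circuit and reveal which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.password_hash)
    # Accept the current step and one either side to tolerate small clock drift.
    otp_ok = any(
        hmac.compare_digest(totp(account.totp_secret, now + d * TOTP_STEP).encode(),
                            code.encode("utf-8"))
        for d in (-1, 0, 1)
    )
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    # Constructed demo account; the TOTP secret would normally be random.
    acct = enroll("alice", "correct horse battery staple")
    now = int(time.time())
    print("login ok:", verify_login(acct, "correct horse battery staple",
                                    totp(acct.totp_secret, now), now))
```

The drift window of one step either side is the usual compromise between usability and replay exposure; a production system would also rate-limit code attempts and reject a code that has already been used in its window.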
4. Smart phones and tablets are now in scope
Any smartphone or tablet used to connect to your corporate network and access organisational data and services over mobile internet (e.g. 4G) is in scope from 24 January 2022. Mobile devices used only for voice calls, text messages or as an MFA token (for example an authenticator app) are not in scope.
5. End-user devices must be included in an organisation’s scope
6. Two additional tests have been added to the Cyber Essentials Plus audit
- Test to confirm MFA is required for access to cloud services.
- Test to confirm account separation between user and administration accounts.
How will these changes affect you?
If you register and pay for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment.
To find out what you need to do, or to discuss any questions you have, talk to one of our security experts today. You can give us a call, email us, or get in touch on our live chat now.