Why Cyber Essentials isn’t enough
A Cyber Essentials certification is a significant first step in protecting your business against cyberattacks. By annually renewing your…
Nicky Whiting
Head of Consultancy Division
20th December 2021
First launched in 2014, the Government-backed Cyber Essentials certification scheme has been a key security tool for businesses of all sizes to uphold a basic level of cyber resilience. However, the National Cyber Security Centre (NCSC) has announced that the certification's technical controls will receive a major update on 24th January 2022.
The purpose of the changes is to ensure the certification keeps up with the ever-evolving threat landscape that surrounds businesses and their cybersecurity, especially given the impact of the sudden shift to remote working and cloud services over the past couple of years.
So what does the update mean for your business? Whether you’re certifying for the first time or renewing, we’ve compiled everything you need to know.
The Cyber Essentials scheme has two levels for certification: Cyber Essentials and Cyber Essentials Plus.
The first level of certification involves your business completing a self-assessment questionnaire covering its current security policies, software updates and measures surrounding security best practices. It's common practice to work with a certification body to help achieve certification first time. Support is available from our certified Cyber Essentials Assessors within your Defense.com package. Our team can review your answers and provide additional support ahead of submitting your assessment to the Cyber Essentials accreditation body, IASME.
The Plus certification is a more advanced assessment of your security. You must have completed the first basic Cyber Essentials certification within the 90 days prior to applying for the Plus. Extra controls within the Plus certification include vulnerability scanning and a workstation assessment, as well as remediation of any uncovered security risks. It will also require an assessor to conduct the audits and authenticate that controls are in place, rather than a self-assessment as per the basic certification.
The last couple of years have significantly changed the way businesses operate, with hybrid working policies and digital transformation programmes. Because of this, the NCSC and IASME saw a need to update the Cyber Essentials scheme to reflect, and protect against, the resulting increase in cybersecurity threats.
The updates to the scheme primarily cover the increased use of cloud services and bring your own device (BYOD) working, as well as best-practice measures such as password management, multi-factor authentication and guidance around backing up your data.
On 24th January 2022, Cyber Essentials will undergo the following changes to its technical control requirements:
Cloud services: Cloud services are now in scope. If an organization hosts its data or services on a cloud platform, it is the responsibility of the organization to ensure all Cyber Essentials controls are implemented. However, some controls can also be implemented by the cloud service provider. The type of cloud service (IaaS, PaaS or SaaS) will determine who implements which controls.
Home working: Any devices used by home workers to access business information, including devices owned by either the user or the business, are in scope. However, home routers supplied by an Internet Service Provider (ISP) are no longer in scope.
Multi-factor authentication (MFA): MFA must be applied and used by administrative users to access all cloud services. Although it is not yet a condition for all standard users of cloud services to apply MFA, it will be a requirement from January 2023.
Password management: To protect against brute-force attacks, businesses must use one of the following protections:
Additionally, one of the following technical controls must be used to control the quality of passwords:
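The two password-management controls above are about throttling or locking out password guessing, and about enforcing a minimum standard for the passwords themselves. The following is an added example, not code from the original article or from Defense.com, showing one way to implement both in an application's login path. The thresholds (ten failures in a five-minute window, a 12-character minimum, or an 8-character minimum when a deny list of common passwords is enforced) and the deny-list contents are this example's own assumptions and are not a restatement of the scheme's lists.

```python
"""Brute-force throttling with lockout, plus a password-quality check.

Added illustration only; thresholds and the deny list are assumptions, not
taken from the Cyber Essentials requirements document.
"""
import time
from collections import defaultdict

# Assumed policy values (this example's choices, not the scheme's text).
MAX_FAILED_ATTEMPTS = 10        # lock the account after this many failures...
LOCKOUT_WINDOW_SECONDS = 300    # ...inside this sliding window (seconds)
MIN_PASSWORD_LENGTH = 12        # minimum length when no deny list is enforced
MIN_LENGTH_WITH_DENYLIST = 8    # shorter minimum only if common passwords are blocked
COMMON_PASSWORDS = {            # constructed sample deny list (lower-case)
    "password", "password1", "qwerty123", "letmein!", "welcome1", "summer2021",
}


class LoginThrottle:
    """Tracks failed logins per account and refuses attempts once the limit is hit.

    The clock is injectable so behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS,
                 window=LOCKOUT_WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures

    def _prune(self, account, now):
        # Drop failures that have aged out of the window.
        self._failures[account] = [
            t for t in self._failures[account] if now - t < self.window
        ]

    def is_locked(self, account):
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def attempt(self, account, password, verify):
        """Return True on success, False on a wrong password; raise when locked.

        `verify(account, password)` is the caller's credential check (e.g. a
        password-hash comparison); it is never called while the account is locked.
        """
        if self.is_locked(account):
            raise PermissionError(
                f"{account}: too many failed attempts, retry after {self.window}s")
        if verify(account, password):
            self._failures[account].clear()  # a successful login resets the counter
            return True
        self._failures[account].append(self.clock())
        return False


def check_password_quality(password, deny_list=None):
    """Return (accepted, reason).

    Without a deny list the password must be at least MIN_PASSWORD_LENGTH
    characters. With a deny list it must not appear on the list and must be
    at least MIN_LENGTH_WITH_DENYLIST characters. No maximum is imposed and no
    complexity rules (character classes) are required.
    """
    if deny_list is None:
        if len(password) < MIN_PASSWORD_LENGTH:
            return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
        return True, "ok"
    if password.lower() in deny_list:
        return False, "appears on the common-password deny list"
    if len(password) < MIN_LENGTH_WITH_DENYLIST:
        return False, f"shorter than {MIN_LENGTH_WITH_DENYLIST} characters"
    return True, "ok"


def simulate_guessing(guesses, correct="correct horse battery staple"):
    """Run a list of guesses against one account with a fake clock.

    Returns the number of guesses the throttle actually evaluated before
    refusing further attempts (0 means the first guess was already refused).
    """
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    evaluated = 0
    for guess in guesses:
        fake_now[0] += 1.0  # one second between guesses
        try:
            throttle.attempt("alice", guess, lambda a, p: p == correct)
        except PermissionError:
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print(simulate_guessing([f"guess{i}" for i in range(50)]))
    print(check_password_quality("Summer2021", deny_list=COMMON_PASSWORDS))
    print(check_password_quality("pepper-melon-cargo", deny_list=COMMON_PASSWORDS))
```

Note that the verify callback is never invoked once an account is locked, so a locked account costs the attacker nothing more than a refused request, and the counter is keyed by account rather than source IP because distributed guessing rotates addresses but not usernames.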
Security updates: All security updates that are rated critical or high risk by the vendor, or that address vulnerabilities with a CVSS v3 base score of 7 or above, must be applied within 14 days of release, and all unsupported software must be removed.
Biometrics: Where credentials are used solely to unlock a device, biometrics or a password/PIN with a minimum length of 6 characters must be used. Where those credentials can also be used elsewhere, the technical controls from the password management section apply instead.
All servers now in scope: All servers, including virtual servers, that sit within the declared 'sub-set' (the part of the organisation defined as in scope for the certification) are now in scope.
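The security-updates control above turns into a simple triage rule once the two inputs (vendor rating and CVSS score) are available. The following added example, not code from the original article or from Defense.com, classifies a constructed list of pending updates as overdue, due or out of scope against the 14-day window. It treats an update whose vendor publishes no severity information at all as in scope; that conservative choice is this example's assumption.

```python
"""Triage pending security updates against a 14-day application window.

Added illustration; the advisories below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_RATINGS = {"critical", "high"}
CVSS_THRESHOLD = 7.0


@dataclass
class Update:
    package: str
    released: date
    vendor_rating: Optional[str]   # "critical", "high", "medium", "low" or None if not stated
    cvss: Optional[float]          # CVSS v3 base score, or None if not stated
    applied: bool = False


def must_apply_within_window(u: Update) -> bool:
    """In scope if the vendor rates it critical/high OR CVSS >= 7.0.

    With no severity information at all the update is assumed in scope
    (this example's conservative assumption).
    """
    if u.vendor_rating is None and u.cvss is None:
        return True
    if u.vendor_rating and u.vendor_rating.lower() in IN_SCOPE_RATINGS:
        return True
    return u.cvss is not None and u.cvss >= CVSS_THRESHOLD


def deadline(u: Update) -> date:
    return u.released + PATCH_WINDOW


def triage(updates, today: date) -> dict:
    """Return {'overdue': [...], 'due': [...], 'out_of_scope': [...]} of package names.

    Already-applied updates are ignored. 'due' means in scope and still inside
    the window; 'overdue' means the window has passed without the update.
    """
    result = {"overdue": [], "due": [], "out_of_scope": []}
    for u in updates:
        if u.applied:
            continue
        if not must_apply_within_window(u):
            result["out_of_scope"].append(u.package)
        elif today > deadline(u):
            result["overdue"].append(u.package)
        else:
            result["due"].append(u.package)
    return result


# Constructed sample advisories (not real CVE data).
SAMPLE_UPDATES = [
    Update("openssl", date(2022, 1, 20), "high", 7.5),            # deadline 3 Feb
    Update("curl", date(2022, 2, 5), None, 8.1),                  # deadline 19 Feb
    Update("vim", date(2022, 1, 1), "medium", 5.3),               # below threshold
    Update("kernel", date(2022, 1, 25), None, None),              # no severity data
    Update("nginx", date(2022, 1, 10), "critical", 9.8, applied=True),
    Update("libxml2", date(2022, 2, 1), "low", 7.2),              # vendor says low, CVSS says in scope
]


def sample_report(today=date(2022, 2, 10)) -> dict:
    return triage(SAMPLE_UPDATES, today)


if __name__ == "__main__":
    for bucket, packages in sample_report().items():
        print(f"{bucket}: {', '.join(packages) or '-'}")
```

The libxml2 row is the case worth noticing: a vendor may downplay a fix that carries a high CVSS score, and the rule is an OR, so either signal alone pulls the update into the 14-day window.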
Account separation: Businesses must use separate accounts to perform administrative duties. Standard user activities, such as emailing and web browsing, should not be used from administrative accounts. This is to prevent admin privileges being exposed.
Thin clients: Thin clients (minimal terminal devices that provide access to remote desktops) used to access business-related information are not in scope of the Cyber Essentials scheme, but they must be declared in the assessment.
24th January 2022: The updates for Cyber Essentials and Cyber Essentials Plus come into effect.
24th July 2022: Businesses that have already scheduled a Cyber Essentials assessment before 24th January 2022 have 6 months from that date to complete it against the previous version of the standard. Businesses that are already certified remain so until their renewal is due, so you should familiarise yourself with the new requirements if your renewal is upcoming.
January 2023: There will be further updates announced about changes proposed for Cyber Essentials and Cyber Essentials Plus.
The NCSC and IASME have also announced a new tier-based pricing structure for Cyber Essentials, which also comes into effect from 24th January 2022.
The tiered pricing is based around internationally recognized definitions of business size, and is as follows:
| Organization type | Price |
|---|---|
| Micro organizations (0–9 employees) | £300 +VAT |
| Small organizations (10–49 employees) | £400 +VAT |
| Medium organizations (50–249 employees) | £450 +VAT |
| Large organizations (250+ employees) | £500 +VAT |
The Cyber Essentials scheme is an important stepping stone to securing your business against a range of cyber threats. It's low-cost, straightforward to complete, and protects you against the most common attack techniques.
The changes to the scheme will further strengthen businesses' cyber resilience, as the NCSC has recognized the impact of evolving working practices on the threat landscape. Because the updated controls are more in-depth, your business gains greater assurance over its cybersecurity, and your customers can place more value on your certification.
To find out more about a Cyber Essentials certification for your business, information on the scheme’s updates, or the required assessments involved, simply get in touch.