24 January 2022 | By Dan Thomas
Cyber Essentials overhaul: what you need to know
The NCSC introduces the biggest update to the scheme since its 2014 launch.
In response to the evolving cyber security challenges facing businesses in 2022, the UK Government’s Cyber Essentials scheme is being updated. As of today, January 24th, a number of significant changes are being introduced to take into consideration the impact of the pandemic on modern working practices.
And with an increased focus globally on security, it’s predicted that there will be a significant spending increase on cyber resilience over the next 12 months. As always, it’s best practice to get the foundations in place first — which is where Cyber Essentials comes in. A sizeable proportion of incidents could be prevented by following just these few sensible precautions as specified by the newly-refreshed, more rigorous scheme.
What is Cyber Essentials?
Cyber Essentials is a globally recognised IT standard developed by the National Cyber Security Centre (NCSC) to help you protect your organisation against the most common cyberattacks. The required controls (including areas such as Firewalls, User Access Control and Security Update Management) help businesses build and maintain a robust infrastructure that is designed to reduce exposure to threats such as malware and ransomware.
Why obtain Cyber Essentials?
For some businesses, it’s a prerequisite to trade — for example, with a government body or as part of a supplier due diligence process. For others, it demonstrates a recognised level of commitment to IT security. In either case, the scheme details a set of sensible controls that every organisation would benefit from both in terms of customer reassurance and their own cyber resilience.
What are the key changes?
Historically, SaaS (Software as a Service) and PaaS (Platform as a Service) were considered out of scope for the assessment. But with the growing reliance on the cloud to provide key business systems, this is no longer the case. Now, organisations must take responsibility for managing user access and securely configuring their services.
Any devices used to access organisational information are now in scope, regardless of location — which for a lot of businesses includes employees’ homes. As an IT function, it would be impossible to control or mandate how a home network is configured or protected, so naturally the focus will sit with the device used to access corporate resources.
BYOD (Bring Your Own Device)
With workforces more portable than ever, working from a mobile device is now standard practice for some businesses. Many companies allow the use of BYOD which provides flexibility to combine personal and work use of the same device. And now that any device accessing corporate data is considered in scope, BYOD presents IT teams with the challenge of striking a balance between protecting the company data and respecting the owner’s privacy.
All applications must be licensed and supported, with any unsupported software either removed from devices or removed from scope by preventing all traffic to and from the internet. In addition to this, automatic updates must be enabled where possible, with a further requirement to ensure that updates are applied within 14 days of being made available.
Additional security controls
The scheme has been updated to mandate the use of multi-factor authentication (MFA) across your business, specifically when accessing cloud services and while using privileged administrator accounts. There have also been changes in terms of device PINs, password policies and device locking recommendations.
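The two controls above (supported software patched within 14 days, and MFA on cloud and admin access) lend themselves to a simple inventory audit. The following Python script is an added example, not code from the article or from the NCSC scheme; the device record format and the sample inventory are constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)  # updates must be applied within 14 days of release

@dataclass
class Software:
    name: str
    supported: bool                           # vendor still issues security updates
    update_released: Optional[date] = None    # latest available security update
    update_applied: Optional[date] = None     # when installed; None means still pending

@dataclass
class Device:
    host: str
    software: List[Software]
    admin_mfa: bool   # MFA enforced on privileged administrator accounts
    cloud_mfa: bool   # MFA enforced when accessing cloud services

def audit_device(dev: Device, today: date) -> List[str]:
    """Return one finding per control the device fails; an empty list means compliant."""
    findings = []
    if not dev.admin_mfa:
        findings.append(f"{dev.host}: MFA not enforced on privileged admin accounts")
    if not dev.cloud_mfa:
        findings.append(f"{dev.host}: MFA not enforced for cloud service access")
    for sw in dev.software:
        if not sw.supported:
            findings.append(f"{dev.host}: {sw.name} unsupported; remove it or block its internet access")
            continue
        if sw.update_released is None:
            continue  # nothing outstanding for this package
        deadline = sw.update_released + PATCH_WINDOW
        if sw.update_applied is None and today > deadline:
            findings.append(f"{dev.host}: {sw.name} update pending, overdue since {deadline}")
        elif sw.update_applied is not None and sw.update_applied > deadline:
            findings.append(f"{dev.host}: {sw.name} update applied late (deadline {deadline})")
    return findings

# Constructed sample inventory (hypothetical host and package names).
AUDIT_DATE = date(2022, 2, 14)
SAMPLE_DEVICE = Device(
    host="laptop-01", admin_mfa=True, cloud_mfa=False,
    software=[
        Software("Browser", True, date(2022, 1, 20), date(2022, 1, 25)),   # patched in 5 days
        Software("PDF reader", True, date(2022, 1, 1), date(2022, 1, 20)),  # patched after 19 days
        Software("VPN client", True, date(2022, 1, 25), None),              # still unpatched
        Software("OldSuite", False),                                        # end of life
    ],
)

if __name__ == "__main__":
    for line in audit_device(SAMPLE_DEVICE, AUDIT_DATE):
        print(line)
```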
Where do I start?
Whether you plan to achieve Cyber Essentials itself or not, the scheme encompasses a collection of practical controls to help protect your business from the most common cyber threats that affect organisations every day — so it makes sense to implement these policies regardless.
But in reality, many IT teams are already operating at pace to keep on top of their day-to-day workload. And with a plethora of software solutions available (some of which you may already be paying for), it can be difficult to know where to start.
By outsourcing these activities to a trusted and experienced partner — either for a one-off project or a longer-term support relationship — your security posture can be improved and IT budget maximised in a shorter timeframe, freeing up your in-house team to work on other priorities.
In a world where businesses are constantly under threat from cyberattacks, there’s never been a more relevant time to consider your business security posture to ensure you’re prepared for what comes next.
Whether you’re seeking expert guidance to pass your Cyber Essentials certification or want to maximise your budget while leveraging the latest security solutions, call 03330 11 22 55 today to speak to one of our specialists.