Are you ready for the major update to Cyber Essentials? As of 24th January 2022, the NCSC are implementing the greatest changes to the technical controls since the scheme’s inception in 2014.
The updates are set to help businesses continue to protect themselves and their information against threats in the ever-evolving digital landscape, and to continue to raise the cyber security bar within the UK.
The National Cyber Security Centre (NCSC) and its certification partner, IASME, have reviewed the controls to reflect the realities of modern working life — including the huge shift to cloud computing and remote working that has occurred in recent years, accelerated by the pandemic.
What are the changes?
Working from home
Employees carrying out their role from home are in scope, and so are the devices they use to access corporate data, whether personal or company-owned, as declared in the IASME SAQ (Stage 1) assessment.
However, home routers managed by the individual or by an Internet Service Provider (ISP) are not in scope unless they are supplied by the company. Where a home router is used, the Cyber Essentials firewall controls are transferred to the user's device, so the software firewall on that device must be enabled and configured.
If the home worker connects through a corporate single-tunnel VPN, the network boundary moves to the corporate firewall or the virtual cloud firewall instead.
Cloud services
Organisations that store data or run services in the cloud must take responsibility for configuration and user access controls themselves, rather than assuming the provider does so.
Where only the service provider can make a change or implement a security control, the organisation using the service must obtain evidence that it is being done. This now covers IaaS, PaaS and SaaS; before the changes, only IaaS was subject to these controls.
Specific SAQ questions will review the secure configuration and access controls of any cloud services in scope.
Multi-Factor Authentication (MFA)
MFA must always be used to add a layer of protection when accessing cloud services, with the password element being at least eight characters long and no maximum length imposed. Because theft of user passwords is increasingly common, access to a cloud platform requires the password plus at least one additional factor: a managed enterprise device, an app on a trusted device, a physical token, or a known and trusted account.
From January 2022, Cyber Essentials requires MFA for administrator accounts, with user accounts subject to the same control from January 2023. Certification bodies assessing Cyber Essentials Plus will check that administrator and user accounts are separated and that MFA is in place.
Thin clients
A thin client (a 'dumb' terminal that gives access to a remote desktop) is now in scope if it connects to organisational information or services. From January 2023, thin clients must be supported and receive security updates; during the first 12 months the new SAQ question is for information only.
Servers
All servers, including virtual servers, are now in scope, whether the assessment covers a subset or the whole organisation. A subset is a part of the organisation whose network is segregated by a firewall or VLAN, and it can be used to define what is in scope of Cyber Essentials.
Individual firewall rules per device are no longer acceptable.
Licensed and supported software
This is defined as software that your organisation has the legal right to use and that the vendor is committed to updating and patching. Under the changes, the vendor must also publish the date on which it will stop providing updates.
Smartphones and tablets
The scope now includes smartphones and tablets that can access organisational data and services, including when they connect over mobile networks such as 4G and 5G. These devices must be locked with biometrics or a PIN or password of at least six characters. An assessment must include end-user devices in its scope, not just servers: excluding them would leave out the workstations that system administrators use to manage those servers, which are an obvious target for an attacker.
Mobile or remote devices that are used only for voice calls, text messages or MFA are not in scope.
Brute-force protection and password security
To protect against brute-force password guessing, organisations must implement at least one of the following:
- Using MFA
- Throttling the rate of unsuccessful attempts (the scheme gives no more than 10 guesses in five minutes as the benchmark)
- Locking accounts after no more than 10 unsuccessful attempts
In addition, password quality must be enforced by one of the following technical controls:
- Multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restriction.
- A minimum password length of at least 12 characters, with no maximum length restriction.
- A minimum password length of at least 8 characters, with no maximum length restriction, and automatic blocking of common passwords using a deny list.
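The two lists above describe controls an authentication service has to implement, so here is an added example (written for this page, not code from the NCSC, IASME or the Cyber Essentials scheme) that does both: a password check that accepts any of the three permitted configurations, and a login guard that throttles failed attempts per account and locks the account once the budget is used up. The deny list, the 10-failures-in-five-minutes window and the 15-minute lockout are constructed values chosen for the example; a real deployment would load a published common-password list and pick its own lockout duration.

```python
"""Added example: Cyber Essentials-style password policy plus brute-force guard.
Not the scheme's own code; deny list and timings are constructed for the demo."""
from __future__ import annotations

import time
from collections import defaultdict, deque

# Constructed stand-in for a real common-password deny list (e.g. a top-N list
# taken from a published breach corpus). Matched case-insensitively.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "password123", "qwerty123", "letmein",
    "welcome1", "iloveyou", "admin1234",
})


def evaluate_password(password: str, *, mfa_enabled: bool,
                      deny_list=COMMON_PASSWORDS) -> tuple[bool, str]:
    """Return (accepted, option) for the three permitted configurations.
    No maximum length is enforced anywhere, as the scheme requires."""
    if mfa_enabled and len(password) >= 8:            # option 1: MFA + 8 chars
        return True, "mfa+8"
    if len(password) >= 12:                           # option 2: 12 chars, no list
        return True, "length12"
    if len(password) >= 8 and password.lower() not in deny_list:
        return True, "length8+denylist"               # option 3: 8 chars + deny list
    return False, "rejected"


class LoginGuard:
    """Throttle and lock out accounts under password guessing.

    Throttle: at most `max_failures` failed attempts per account within
    `window` seconds (10 in 300 s here, a constructed value).
    Lockout: once that budget is exhausted the account is locked for
    `lockout` seconds. A successful login clears the failure history.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures: int = 10, window: float = 300.0,
                 lockout: float = 900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: dict[str, deque] = defaultdict(deque)  # user -> failure times
        self._locked_until: dict[str, float] = {}

    def _prune(self, user: str, now: float) -> None:
        """Drop failures that have aged out of the throttling window."""
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def allow_attempt(self, user: str) -> bool:
        """Call before checking the password. False means refuse the attempt
        without evaluating the credential, so a guesser learns nothing."""
        now = self.clock()
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[user]        # lockout has expired
            self._failures[user].clear()
        self._prune(user, now)
        return len(self._failures[user]) < self.max_failures

    def record_failure(self, user: str) -> bool:
        """Record a wrong password. Returns True if the account is now locked."""
        now = self.clock()
        self._prune(user, now)
        q = self._failures[user]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        """A correct password resets the guessing budget for the account."""
        self._failures[user].clear()
        self._locked_until.pop(user, None)


def simulate_guessing(attempts: int = 12) -> tuple[int, int]:
    """Constructed guessing burst (one wrong guess per second) against a fake
    clock. Returns (attempts let through to the password check, attempts refused)."""
    fake_time = [0.0]
    guard = LoginGuard(clock=lambda: fake_time[0])
    allowed = refused = 0
    for _ in range(attempts):
        fake_time[0] += 1.0
        if guard.allow_attempt("alice"):
            allowed += 1
            guard.record_failure("alice")       # every guess is wrong
        else:
            refused += 1
    return allowed, refused


if __name__ == "__main__":
    print(evaluate_password("password1", mfa_enabled=False))   # deny-listed, too short for option 2
    print(evaluate_password("password1", mfa_enabled=True))    # MFA makes 8+ chars acceptable
    print(simulate_guessing(12))                                # 10 guesses get through, then lockout
```

Note the ordering in `allow_attempt`: the guard is consulted before the password is verified, so a locked or throttled account gets the same generic refusal whether or not the guess was right. Checking the password first and only then consulting the guard would leak which guesses were correct during a burst.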
Administrator accounts
Administrative functions must be carried out from separate accounts used only for that purpose. The same account must not be used for email, web browsing or any other day-to-day activity, since that would expose administrative privileges to avoidable risk.
Security updates
All software in scope must be licensed and supported. When it becomes unsupported it must be removed, or taken out of scope by moving it to a subset with all internet traffic blocked. Automatic updates must be enabled wherever possible, and an update must be applied within 14 days of release when:
- It fixes vulnerabilities the vendor classifies as high or critical risk
- It addresses vulnerabilities with a CVSS v3 base score of 7 or above
- The vendor provides no details of the severity of the vulnerabilities it fixes.
In other words, organisations can no longer be selective about which of these updates to apply; patching within the 14-day window is how the vulnerabilities are removed and the risk mitigated.
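The three bullet points above are a decision rule, and the 14-day window turns it into a deadline per update. The following is an added example (not from the NCSC, IASME or any vendor) of applying that rule to a list of pending updates, such as you might export from a patch-management console, and sorting them into overdue, due and optional. The update records are constructed sample data; the product names, dates and scores are invented for the illustration.

```python
"""Added example: triage pending updates against the Cyber Essentials rule
(high/critical, CVSS v3 >= 7, or no severity information => apply within 14 days).
Sample records are constructed; not scheme or vendor code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)


@dataclass
class Update:
    product: str
    released: date                      # date the vendor published the update
    severity: Optional[str] = None      # vendor's own label, if it gives one
    cvss_v3: Optional[float] = None     # CVSS v3 base score, if published
    applied: bool = False


def is_mandatory(u: Update) -> bool:
    """True if the scheme requires this update to be applied within the window."""
    if u.severity is not None and u.severity.lower() in {"critical", "high"}:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return True
    # No severity label and no score: treat as mandatory rather than guess.
    return u.severity is None and u.cvss_v3 is None


def deadline(u: Update) -> date:
    """Last day on which the update can be applied and still comply."""
    return u.released + PATCH_WINDOW


def triage(updates, today: date) -> dict:
    """Bucket unapplied updates by product name: overdue, due (mandatory but
    still inside the window) and optional (not required by the rule)."""
    result = {"overdue": [], "due": [], "optional": []}
    for u in updates:
        if u.applied:
            continue
        if not is_mandatory(u):
            result["optional"].append(u.product)
        elif deadline(u) < today:
            result["overdue"].append(u.product)
        else:
            result["due"].append(u.product)
    return result


# Constructed sample export, evaluated as of the scheme's changeover date.
SAMPLE_UPDATES = [
    Update("TLS library 3.0.x", date(2022, 1, 3), "high", 7.5),
    Update("Web browser", date(2022, 1, 20)),                      # vendor gave no details
    Update("Office suite", date(2022, 1, 10), "moderate", 5.3),
    Update("OS kernel", date(2022, 1, 15), "important", 8.8),    # label unrecognised, score decides
    Update("Endpoint agent", date(2021, 12, 20), "critical", 9.8, applied=True),
]

if __name__ == "__main__":
    for bucket, products in triage(SAMPLE_UPDATES, date(2022, 1, 24)).items():
        print(f"{bucket}: {products}")
```

Two design points are worth noticing. A vendor label that is not literally "high" or "critical" (here "important") does not exempt the update if a qualifying CVSS score is published, so the score is checked independently of the label. And an update with neither label nor score is classed as mandatory, because the third bullet says the absence of information is itself a reason to apply it.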
What you need to do:
- If you're part way through the Cyber Essentials or Cyber Essentials Plus certification process, the previous standards still apply.
- For your annual recertification you'll need to meet the new standards, so it's advisable to start implementing any changes you need to make now.
- There's a 12-month grace period for MFA on user accounts, thin clients and security update management, so you don't need to put any knee-jerk processes in place; there's time to manage the changes properly.
- Any assessment started on or after 24th January 2022 must adhere to the new standards.
Why Cyber Essentials?
At Synergos, our expert team can help you to successfully achieve your Cyber Essentials certification by providing guidance and support throughout the process. In turn, this will help your business to protect itself against ever-changing cyber threats and sophisticated attacks.
Helping you to protect against phishing attacks, malware, ransomware, network attacks and password guessing, among many more threats, Cyber Essentials certification evidences to stakeholders that you are serious about cyber security.
It's also increasingly mandated by government and private-sector contracts, and certification includes cyber liability insurance for UK organisations with an annual turnover under £20m. Can you really afford not to gain CE certification?