January 16 2023
This security basics series offers introductions and insights that help you manage your company’s cyber risks.
Intro to Cyber Essentials
Cyber Essentials (CE) is the absolute basic requirement that a small or medium organisation without any other certification should be meeting in terms of cyber security. So, if you’re not familiar with Cyber Essentials, or the changes that are coming, here’s what you need to know.
The National Cyber Security Centre (NCSC) recommends Cyber Essentials to all organisations based in or trading with the UK. The basic certificate can be obtained through a self-assessment and ensures that the organisation’s defences will provide protection against most of the more common cyber-attacks. The requirements are specified under five technical control themes:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
It is important to note that the Cyber Essentials assessment should cover the entire IT infrastructure that is required to perform the tasks of an organisation. You should also be aware that Cyber Essentials Plus (CE+) requires an assessment carried out by an external party.
Upcoming Changes to Cyber Essentials in April 2023
Looking back to January 2022, the National Cyber Security Centre introduced some changes to the Cyber Essentials technical controls. This was the biggest update since the scheme’s launch by the UK government in 2014, and it came as a response to the ever-changing landscape in which organisations operate and in which they may be subject to a cyber-attack.
The NCSC implemented a 12-month grace period: when being assessed against the new CE standards, companies could take up to 12 months to meet some of the new requirements.
The grace period applies to three requirements:
- Any thin clients included in the scope of certification must be supported and receiving security updates
- All unsupported software is either removed or segregated from scope via a subset
- All user accounts on cloud services are protected by Multi-factor Authentication
The grace period for these requirements has been extended to April 2023, which now coincides with this year’s update. We can expect to see the update focusing largely on clarifications, as well as important new guidance.
This includes clarification on firmware, further information and clarification on the treatment of third-party devices, a change to the device unlocking section, clarification on suitable malware protection, and further guidance on the zero-trust model.
The driving factors of the changes announced in 2022 include the adoption of cloud services, the home/hybrid working model and the speed of the digital transformation. The COVID-19 pandemic is partially to blame as it accelerated the change to the way in which most organisations operate.
The information gathered over 2022, as more became known about the landscape in which organisations operate after the COVID-19 pandemic, has reinforced the case for a light-touch update in 2023. The Cyber Essentials technical control update will give organisations the best chance to defend themselves against cyber-attacks.
Why you should be Cyber Essentials Accredited
Cyber Essentials is a scheme that can help your organisation to mitigate 80% of the most common cyber-attacks, whilst allowing you to have confidence that your systems are secure and your customer data remains protected.
If your customers can see that you as an organisation take the steps to ensure an acceptable level of protection and maturity regarding your security, it shows them that you take great care of your data, and they can assume you will take great care of them too!
The Cyber Essentials scheme was launched in an endeavour to make the UK one of the safest places to do business, and since data breaches have serious financial repercussions and can be hugely detrimental to an organisation’s integrity and reputation, we think it’s a no-brainer.