Cyber Essentials update: what you need to know
The Cyber Essentials scheme is the backbone of the UK’s cyber security strategy, and has helped thousands of businesses ward off online attacks. Since the certification was launched with industry backing in 2014, it has been adopted by a multitude of organisations as a standard security measure and benchmark, with over 120,000 certificates now having been awarded.
New changes to the Cyber Essentials scheme aim to protect against new and emerging threats, taking into account the rise of cloud services. Here’s everything you need to know about the new Cyber Essentials changes, including what they encompass, what organisations need to do, and why Cyber Essentials remains so valuable to businesses of all sizes.
What is Cyber Essentials?
Cyber Essentials is a government-backed scheme to help companies stay protected against online threats. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. The former involves a self-assessment exercise, while the latter involves a more comprehensive, hands-on technical verification process.
Cyber Essentials works by setting out guidelines that must be met in order to achieve accreditation. The requirements for Cyber Essentials certification can be identified by answering the questions in the Readiness Toolkit, or by working with an officially accredited Cyber Essentials partner to assess your current provisions and identify areas for improvement.
As cyber security threats and protections are constantly evolving, vigilance over Cyber Essentials provisions is required. Cyber Essentials is regularly updated, and companies must continue to demonstrate compliance by staying up to date with new requirements and adapting their approach to protect against the latest threats.
The latest on cloud
Cloud services – including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) – are all now in scope for the Cyber Essentials scheme. This means that businesses that use such services must now demonstrate their cyber security provisions for them in order to gain certification.
As a result, organisations are required to take responsibility for the secure configuration of their services, whether this is conducted in-house or by an IT service provider. This commonly includes managing access to admin accounts, blocking unwanted accounts, and securing connections to remote servers.
Another important change to the Cyber Essentials scheme is that all users of cloud services and other accounts must have additional protection. This includes further strengthening passwords: a minimum of 8 characters is now required, with no maximum length.
Further changes relating to security requirements have also been set out by Cyber Essentials, with a particular focus on multi-factor authentication (MFA). These include locking accounts after 10 unsuccessful login attempts at a minimum, and automatically blocking common passwords (e.g. ‘password’ or ‘12345678’).
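As an added illustration (example code, not from this page or from the Cyber Essentials scheme itself), the following Python sketch implements the account-protection thresholds just described: the 8-character minimum with no maximum length, a deny-list of common passwords, and locking an account once it reaches 10 failed login attempts. The deny-list contents and account names are constructed for the example.

```python
# Example implementation of the password and lockout requirements described above.
# Not part of the Cyber Essentials scheme; thresholds follow the text of this page.
from dataclasses import dataclass, field

MIN_LENGTH = 8           # minimum password length; no maximum is enforced
LOCKOUT_THRESHOLD = 10   # lock the account on the 10th consecutive failure

# Constructed sample deny-list; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Deliberately no upper bound on length: long passphrases are allowed.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny-list")
    return problems


@dataclass
class AccountLockout:
    """Tracks consecutive failed logins per account and locks after LOCKOUT_THRESHOLD."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, account: str, success: bool) -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if account in self.locked:
            return "locked"              # stays locked until an administrator resets it
        if success:
            self.failures.pop(account, None)   # a good login clears the failure count
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(check_password_policy("12345678"))   # rejected: on the deny-list
    throttle = AccountLockout()
    for _ in range(LOCKOUT_THRESHOLD):
        state = throttle.record_attempt("example-user", success=False)
    print(state)                               # 'locked' after the 10th failure
```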
Cyber Essentials changes
The other major change to the Cyber Essentials scheme is a more stringent set of security measures for mobile device use. With more mobile devices in use than even a few years ago, and a growing crossover between work and personal devices, these need to be more secure than ever.
The new Cyber Essentials requirement is that mobile devices have screen lock timeout measures, so that a password or code must be entered to unlock the device more frequently. With this and the more stringent measures on MFA, we’re reminded of the evolving landscape of threats to individuals within a business, and the need to protect ourselves from cyber attacks both in and outside of work.
If you are looking to either renew or obtain your Cyber Essentials certification, you will need to be prepared with all of the above in place. For more about Cyber Essentials changes or to discuss your cyber security needs, or to arrange an assessment, contact us today.