The aim of this blog post is to give you a summary of the important changes to the Cyber Essentials Scheme.
What is Cyber Essentials?
Cyber Essentials is a government-backed scheme created to help organisations demonstrate that they have appropriate security controls in place. Achieving the standard shows that an organisation is taking the necessary steps to protect itself from cyber attacks and to keep customer data safe. Once the relevant risks have been identified and managed, the organisation is awarded the Cyber Essentials certificate.
Why are changes occurring to Cyber Essentials?
Over the past two years, the adoption of cloud services has increased massively because of the pandemic, and home/hybrid working has become the new norm for many people and organisations nationwide. Because employees now use their own devices and Internet routers for work, the risk landscape has grown significantly, giving cybercriminals additional opportunities to exploit. Cyber Essentials will therefore take these factors into consideration during the assessment process.
What changes occurred to Cyber Essentials?
Cloud services are now fully integrated into the scheme. If an organisation’s data or services are hosted in the cloud, they are subject to Cyber Essentials, and the organisation is responsible for ensuring the right controls are implemented.
There are three different types of cloud service: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Who is responsible for implementing each control differs according to the type of cloud service used.
Any devices used by remote workers to gain access to organisational information, whether they are owned by the organisation or not, are now covered by Cyber Essentials.
Passwords and multi-factor authentication:
Due to the rise of attacks on cloud services, multi-factor authentication (MFA) must now be used to provide additional security when connecting to cloud services. MFA requires users to present more than one credential before they can access an account.
There are four types of additional factors that may be considered:
• A managed/enterprise device
• An app on a trusted device
• A physically separate token
• A known or trusted account
All software on in-scope devices must be:
Click here to find out more about the Cyber Essentials changes.