Irrespective of sector, size or location, every UK business is now a potential target for cyber criminals. And, as the threat continues to evolve, it is more crucial than ever to be prepared.
To keep a step ahead, a number of changes have been made to the Cyber Essentials scheme to ensure companies are fully equipped to prevent and protect against cyber criminals in the event of an attack.
Here, Jonathan Ashley, co-founder of etiCloud, outlines what the Cyber Essentials scheme entails and how recent changes to it might affect your company.
What is the Cyber Essentials scheme?
Backed by Government and industry, the Cyber Essentials Scheme was launched in 2014 with the objective of helping organisations to protect themselves against a range of common cyber attacks.
As outlined in our e-book ‘Waging war against cybercrime’, cybersecurity should be a vital part of your business strategy. Attacks are on the increase in every size and sector and are becoming more and more sophisticated. As such, it’s extremely important to implement measures that prevent your company becoming a victim of cybercrime.
A set of basic, technical controls, the Cyber Essentials scheme enables your company to achieve two levels of certification: Cyber Essentials and Cyber Essentials Plus. The first is a self-assessment option that offers protection against the most common cyber attacks. The latter is an extension of Cyber Essentials and requires a hands-on technical verification to be carried out.
What changes have been made to the Cyber Essentials scheme?
Six areas of the scheme have been updated, in some of the biggest changes we’ve seen since its initial launch. Some of the key changes are:
If your company’s data or services are hosted on a cloud service, you are now responsible for ensuring that all of the Cyber Essentials technical controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Multi-Factor Authentication (MFA)
Cyber Essentials states that MFA should be used to provide an extra layer of protection to admin accounts when the user is connecting to any cloud service. The MFA password must be a minimum of 8 characters. This will apply to all accounts in 2023.
Working from Home
If your company has adopted a hybrid working model or if any of your employees ever work from home, any devices they use to access company information or services are in the remit of Cyber Essentials. The same applies to dumb terminals.
Using a corporate VPN will transfer the boundary to the corporate firewall or virtual cloud firewall. A corporate VPN gives your employees a secure, end-to-end encrypted connection to any cloud resources included in your company’s network.
Any smartphone or tablet that is used to connect to your company’s data and services is now in scope of Cyber Essentials. This also applies whenever the user connects to the corporate network or via mobile internet such as 4G or 5G.
When unlocking any device, biometrics or a PIN of at least 6 characters must now be used.
Any software that is used on any in-scope device must be:
• Licensed and supported
• Removed from the device if it becomes unsupported
• Removed from scope or segregated from the main network using a defined ‘sub-set’ to prevent any traffic to and from the internet
In addition, automatic updates must be enabled, and the user must update their device within 14 days of the release of any update.
Separate accounts should be used only to perform administrative activities. This keeps the administrative account away from avoidable risks such as emailing or web browsing.
If you have any questions about the changes to Cyber Essentials or if you’d like support to gain Cyber Essentials certifications, the etiCloud team can help. Call Jonathan Ashley on 0333 358 2222 or email firstname.lastname@example.org