Cyber Essentials was introduced in 2014 to help make the UK one of the safest places to do business, and the evolution of its five technical controls reinforces the importance of organisations raising their bar for cyber security.
In November 2021, the National Cyber Security Centre announced the biggest update to the Cyber Essentials technical controls since the scheme's launch, in response to the "evolving cyber security challenges that organisations now face". These changes came into force on 24 January 2022.
So, what exactly has changed and how?
- Home workers are in scope. This covers anyone who works from home for any period of time, not just full-time home workers, and the devices they use must have their own protection (for example a software firewall on the device itself) rather than relying on the home router, which is not in scope unless the organisation supplied it.
- New password-based and multi-factor authentication requirements. Password-only accounts must satisfy one of three options: multi-factor authentication combined with a password of at least 8 characters; a minimum password length of 12 characters with no maximum; or a minimum length of 8 characters together with a deny list that blocks common passwords. There must also be protection against brute-force password guessing: multi-factor authentication, locking the account after no more than 10 unsuccessful attempts, or throttling the rate of attempts to no more than 10 guesses in 5 minutes. Organisations must also give staff a written password policy explaining how to choose a good password.
- All smartphones and tablets that connect to organisation data are in scope. Devices must be unlocked with a PIN or password of at least 6 characters, or with biometrics.
- All cloud services now have to comply with the Cyber Essentials controls. This includes Infrastructure as a Service, Platform as a Service and Software as a Service. It is commonly assumed that cloud services are secure "out of the box", but this is often not the case: the provider secures the platform, while the customer remains responsible for how it is configured and who can access it. The new requirements insist that organisations take responsibility for security configuration and user access for every cloud service they use.
- Cloud services must use multi-factor authentication for all users. This provides an additional layer of protection beyond the password when connecting to cloud services, and applies wherever the service offers it.
- Guidance on backing up. There is new guidance on backing up important data, implementing an appropriate backup solution and documenting your backup procedure.
- All software must be kept up to date and legacy software removed. Updates that fix vulnerabilities rated high or critical (CVSS v3 score of 7.0 or above) must be applied within 14 days of release, and any software that is no longer supported by its vendor must be removed from devices in scope.
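To make the password and brute-force rules concrete, here is a small worked example. It is added here and is not code from the article or from the NCSC; it implements the three password options and the two non-MFA brute-force protections as a policy checker and a per-account login guard. The deny list is a constructed handful of strings standing in for a real breached-password list, the account names and timestamps are made up, and the 5-minute throttle window is the figure given in the requirements.

```python
"""Password policy and brute-force protection checks (added example, not from the article)."""
from collections import defaultdict, deque

# Constructed sample deny list: a real deployment would load a large list
# of known-breached passwords instead of this handful.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_acceptable(password: str, mfa_enabled: bool) -> bool:
    """True if the password satisfies at least one of the three options:
    (1) MFA in use and length >= 8, (2) length >= 12 with no maximum,
    (3) length >= 8 and not on the deny list of common passwords."""
    n = len(password)
    if mfa_enabled and n >= 8:
        return True
    if n >= 12:
        return True
    return n >= 8 and password.lower() not in COMMON_PASSWORDS


class LoginGuard:
    """Per-account brute-force protection in one of two modes:
    'lockout'  - lock the account after max_failures consecutive failures
    'throttle' - refuse attempts once max_failures failures have occurred
                 inside the last window_seconds (10 in 5 minutes by default)
    Timestamps are passed in explicitly so the behaviour is deterministic."""

    def __init__(self, mode: str = "throttle", max_failures: int = 10, window_seconds: int = 300):
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of failed attempts
        self._locked = set()

    def attempt(self, account: str, now: float, credential_ok: bool) -> str:
        """Process one login attempt; returns 'ok', 'failed', 'locked' or 'throttled'."""
        if account in self._locked:
            return "locked"
        failures = self._failures[account]
        if self.mode == "throttle":
            # forget failures that have fallen out of the sliding window
            while failures and now - failures[0] >= self.window_seconds:
                failures.popleft()
            if len(failures) >= self.max_failures:
                return "throttled"   # refuse before even checking the credential
        if credential_ok:
            failures.clear()
            return "ok"
        failures.append(now)
        if self.mode == "lockout" and len(failures) >= self.max_failures:
            self._locked.add(account)
            return "locked"
        return "failed"

    def unlock(self, account: str) -> None:
        """Administrative unlock, e.g. after the user's identity has been verified."""
        self._locked.discard(account)
        self._failures[account].clear()


def demo() -> dict:
    """Drive both modes with a constructed attacker sequence; returns the outcomes."""
    results = {}
    lock = LoginGuard(mode="lockout")
    results["lockout_seq"] = [lock.attempt("alice", t, False) for t in range(10)]
    results["lockout_after_correct"] = lock.attempt("alice", 11, True)  # still locked

    thr = LoginGuard(mode="throttle")
    results["throttle_seq"] = [thr.attempt("bob", t, False) for t in range(10)]
    results["throttled_in_window"] = thr.attempt("bob", 12, True)   # right password, refused
    results["allowed_after_window"] = thr.attempt("bob", 400, True)  # window has passed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points are worth noting. In throttle mode the guard refuses the attempt before the credential is checked, so an attacker who has already burned their 10 guesses learns nothing from an 11th even if it happens to be right; and a successful login clears the failure history, which is what keeps the throttle from punishing a legitimate user who mistyped a few times and then got it right.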
Any assessment that begins on or after 24 January 2022 is certified against the new standard.
Whilst these changes may seem daunting, the rise of cloud computing, the increasing threat of ransomware and other cyber attacks, and the change in the way we work since the global pandemic mean that we are operating in a world very different from 2014, when Cyber Essentials was first launched. This major update is part of an ongoing regular review to ensure the scheme continues to focus on the real-life cyber security challenges that organisations face.
Here to help
At Infuse, as cyber security experts and Cyber Essentials providers, we know that managing the various elements of your cyber security can be time-consuming and bewildering and we understand how this can negatively impact your business. So, if you would like to discuss Cyber Essentials for your organisation or would like to arrange for a free cyber security audit, get in touch with one of our team today.