Cyber Essentials Update
Join us for our Wolfberry Webinar on the Cyber Essentials changes on Tuesday 8 Feb – Book Here
Cyber Essentials is the simplest starting point to improve your cyber security provision and protect your business, introducing good practices in information security at a low-cost.
The government backed Cyber Essentials scheme is a simple process that can help all organisations regardless of sector or size, understand the basic controls that they should have in place to mitigate against common cyber threats and reassure stakeholders and supply chains that they take the ever-increasing threat seriously.
The initial Cyber Essentials scheme was introduced in 2014 and since then, there has been multiple changes to technology, the way in which people approach work and the way that cyber security should be addressed by all organisations.
Globally, due to the pandemic, there’s also been a major shift in the way all organisations operate. Remote working has become the norm and with this, the data that was previously held within the organisation’s infrastructure has now become dispersed with a new reliance on cloud applications.
With these changes, IASME has produced a revised question set for the Cyber Essentials Certificate as a way of furthering the cyber security capabilities and assurance levels that it can provide to companies. It’s still classed as a low cost, first approach, to an organisation improving their cyber security assurance but has now focussed to improve on multiple aspects of cyber security to keep pace with changes in the information risk ecosystem.
CE / CE Plus - Evindine Changes
Cloud Services
This is the biggest change in the Cyber Essentials accreditation and has come about due to the change in working globally. From the 24th January all cloud services are now considered in scope from IASME and these include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (Saas). Now that cloud services are in scope, Cyber Essentials customers will have to ensure that they have the correct user access controls and secure configurations in place to manage these cloud environments.
Thin Clients
Any terminal that provides a user with access to a remote desktop are now considered in scope. As part of a phased approach to the new Cyber Essentials question, from 2023 this change will be fully enforced and all thin client devices (any device that is used to connect to a virtual desktop environment) will need to be receiving regular security updates.
Home Working / BYOD Devices
Whether it’s company owned or owned by the user, all devices for individuals working from home are now in scope. This doesn’t mean that you have to list your home internet service provider but it does mean that firewall controls should be applied to an individual remote device to block all inbound traffic from untrusted networks. This will also be checked during a Cyber Essentials Plus audit.
Multi-Factor Authentication (MFA)
MFA is now being further enforced by the Cyber Essentials question set, especially in relation to administrator accounts and accounts accessing cloud services. This can be achieved through a managed enterprise device, an application on a trusted device, a physical separate token or by using a trusted account. Again, as a phased approach, all administrator accounts for cloud services will need MFA from January 24th 2022 and MFA for users will be marked for compliance from January 2023.
Servers
Servers are specific devices that provide organisational data or services to other devices and therefore, with the new Cyber Essentials question set, all servers (including virtual servers on a sub-set or whole organisation assessment) are now in scope. Network segregation and the creation of isolated sub-sets utilising a VLAN or firewall can be used to define what is in scope for the assessment.
Smartphones and Tablets
Any smartphone or tablet that connects to an organisations data (whether they are company or user owned) are in scope. The only exception is that these mobile devices are only used for voice calls, text messages or MFA applications.
Account Separation
There is going to be extra clarification around account separation, ensuring that all admin accounts are used for necessary tasks and not for general day to day use such as web browsing, email etc to limit avoidable risks.
Backing Up
Whilst it’s not being enforced, and the backing up of data is not a technical requirement of Cyber Essentials, IASME has now released guidance on the backing up of important data and implementing an appropriate backup solution.
New CE+ Changes
As part of these CE changes, there will be two additional tests added to the CE+ assessments that company’s go through. These will be;
· A test to confirm that account separation exists between user and admin accounts
· A test to confirm that MFA is required to access cloud services.
The changes from IASME, and the NCSC, demonstrates again their ability to further improve the Cyber Essentials accreditation to match the modern cyber security risks that all companies, regardless of size, face.
As our working landscape changes, the need for IASME to adopt these changes is great news as it shows that as an organisation, they are fully aware of the potential cyber security risks facing all companies.
Next Steps
Join us for our Wolfberry Webinar on the Cyber Essentials changes on Tuesday 8 Feb – Book Here
Or, if you would like support and advice to begin the Cyber Essentials accreditation or are soon to renew your Cyber Essentials or Cyber Essentials Plus certification then please get in touch at info@wolfberrycs.com or find out more at https://www.wolfberrycs.com/services/cyber-essentials
Wolfberry Cyber Security are an award winning, accredited certification body able to perform all cyber essentials assessments.