A Cyber Essentials Update Is Coming On 24th January: Are You Ready?
Rapid digital transformation, mass adoption of cloud-based services and migration to home-working were necessary changes for businesses to survive the pandemic that’s held the world captive for the past two years. These dramatic changes over a short period of time presented cybercriminals with new opportunities for exploitation.
We’ve all been witness to burgeoning cybercrime that’s increasingly sophisticated and complex as malicious actors take advantage of the world being in a time of crisis. Businesses and governments have needed to change not only the way they work but also their approach to cyber security, to ensure they are adequately equipped to prevent and respond to multiplying attacks.
To meet the increasing level of threats head-on, the National Cyber Security Centre (NCSC) is planning to update the technical controls of its Cyber Essentials scheme on 24th January 2022. The upcoming updates reflect the necessary changes businesses and governments need to make to remain cyber secure in the face of cybercriminals who are becoming ever more sophisticated.
But, first, what is NCSC’s Cyber Essentials?
Cyber Essentials is a simple but effective, government-backed scheme that helps you to guard against the most common cyber threats and demonstrates to your customers and other businesses your commitment to cyber security. The requirements are specified under five technical control themes, which are: firewalls, secure configuration, user access control, malware protection and security update management.
Why is it changing?
To reflect the rapid digital transformation we’ve recently undergone, the NCSC, in partnership with the Information Assurance for Small and Medium Enterprises Consortium (IASME), recently completed a major technical review of the scheme in response to the new cyber security challenges organisations now regularly face. This will be the biggest update of the scheme’s technical controls since it was launched in 2014.
What are the updates?
The new revisions will help organisations maintain their basic cyber hygiene and continue to assure their customers and supply chain that effective security solutions are in place. In response to the evolving world around them, the new scheme will introduce changes to controls around cloud services, as well as home-working, multi-factor authentication, password management and security updates. With input from the NCSC’s and IASME’s technical experts, these updated controls will align Cyber Essentials more closely with other initiatives and guidance.
Organisations will need to make changes to meet the new requirements, such as: bringing home-working devices, but not routers, into scope; using multi-factor authentication for access to cloud services; applying all high and critical updates within 14 days and removing unsupported software; and following guidance on backing up important data.
Two new tests have also been added: one to confirm account separation between user and administration accounts; the other to confirm multi-factor authentication is required for access to cloud services.
When will the changes come into effect?
Whilst the new version of the Cyber Essentials requirements will come into place for new assessment accounts from the 24th of January 2022, there’s no need to panic if your organisation is up for renewal before or after that date.
Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected. Come the 24th of January 2022, these assessments will have six months to complete the new certification. The NCSC recognises that the updates will require extra effort from some organisations to comply, so a 12-month period of grace will be in place for some of the requirements.
And if your Cyber Essentials is up for renewal after the 24th of January 2022, then you might need to make a few changes to your cyber security solutions. Luckily, our expert cyber partners at CSA can help!
To find out where your business is currently at and what solutions you may need to upgrade or change, check out our cyber security solutions with CSA.
About the author
James Griffiths, Co-founder and Technical Director, CSA
James Griffiths is the co-founder and Technical Director of CSA and provides the direction and governance of all cyber technical and operational capabilities and services. James has worked within Cyber Security for over 15 years, which included a distinguished career as an Army Royal Signals Senior Operator. James provides both on-site and virtual cyber technical advice and cyber response services to both large enterprises and SMEs. He stands out from the crowd thanks to his experience and knowledge in providing advice and solutions around all key cyber security areas.