Businesses need to protect both their data and their systems, and as cyber threats become more sophisticated and more common, that protection has to be proactive rather than reactive. Cyber Essentials gives organisations a baseline to work to, and a way to demonstrate to customers and stakeholders that they take their cyber security responsibilities seriously.
Cyber Essentials is a UK government-backed, industry-supported scheme designed to help organisations of every size and in every sector protect themselves against the most common cyber threats. Launched in 2014, it is now run by the National Cyber Security Centre (NCSC), with IASME as its Cyber Essentials delivery partner. The scheme sets out a framework for businesses to work towards and helps them identify weaknesses in their current controls. Certification is no guarantee that an organisation will never be targeted or breached, but it is a sound foundation on which to build further defences. Once certified, organisations can show their commitment to cyber security to their customers, and some customers and public-sector contracts require an up-to-date certificate before they will work with a supplier. Just as cyber criminals constantly change their tools and tactics, Cyber Essentials has to adapt as well. This April the scheme changes once again, and any organisation applying will need to meet the new requirements.
The last major Cyber Essentials update was in January 2022, and it was the biggest since the scheme began. Since then attackers' techniques have continued to evolve, and the NCSC has updated the requirements again. This year's update is not as far-reaching as last year's; several of the changes clarify points from the 2022 update, some reword and reformat the requirements document to make it easier to read, and others add guidance. We have rounded up the most important changes, which you will need to address if you want to certify or recertify under the new question set.
Before this update, all firmware was treated as 'software', so all of it had to be kept up to date and supported. Because firmware version and support information is often hard to obtain from vendors, this has been narrowed: the requirement to keep firmware updated and supported now applies only to routers and firewalls. Routers and firewalls therefore remain firmly in scope, and the existing requirement to patch operating systems and applications on in-scope devices is unchanged.
More information has been provided on which third-party devices, such as contractor or student devices, are covered. A new table in the requirements document sets out how each type of device should be treated and when it falls within the scope of Cyber Essentials.
A change has also been made to address default settings on devices. Some settings, such as the number of failed login attempts allowed before a device locks, cannot be reconfigured on certain devices; it is now acceptable to rely on the vendor's default where the setting cannot be changed. Where the setting can be changed, the requirement to configure it still applies.
Once the update takes effect, anti-malware software no longer has to be signature-based, and sandboxing has been removed from the list of acceptable malware protection mechanisms; the remaining options are anti-malware software and application allow listing. Whichever mechanism is used, organisations must ensure it is active on every in-scope device, appropriately configured, and kept up to date at all times.
The update also adds guidance on zero trust architecture. There is no requirement to implement zero trust to gain certification, but the requirements document now explains how the Cyber Essentials controls fit with a zero trust approach, and it adds guidance on the importance of asset management.
The latest Cyber Essentials update takes effect on 24 April 2023, which means that all new applications started on or after that date will use the new requirements and question set.
After the January 2022 update, organisations with an existing certificate were initially given a 12-month grace period to bring their defences in line with some of the new requirements. That grace period was later extended to April 2023 so that it ends at the same time as the latest update comes into force.
From 24 April, therefore, the new requirements apply in full, and every organisation must meet them to gain or renew Cyber Essentials certification. The Cyber Essentials Plus testing requirements are also being updated to align with the rest of the changes; the biggest change there is to the malware protection tests, which have been refreshed and simplified for applicants.
If you are looking to obtain your Cyber Essentials certification soon, or to renew an existing one, you will need to make sure you meet all of the new requirements. Our cyber security partners at Cyber Security Associates have more than 50 years of combined experience dealing with cyber threats and are a Cyber Essentials certification provider.