If you weren’t already aware, Cyber Essentials is a Government-backed scheme that helps organisations protect themselves against growing security threats. Cyber Essentials has been proven to reduce risks by over 80% and demonstrates to key stakeholders your ongoing commitment to protecting critical data.
With the velocity and magnitude of security threats increasing on a seemingly daily basis, the NCSC are making changes to Cyber Essentials, most of which focus on protecting the perimeter of your IT infrastructure.
Here’s what you need to know:
Defined Perimeter Protection
- Home Workers – People who work from home in at least some capacity are now considered a ‘Home Worker’. Cyber Essentials is scoped to include company-supplied devices only; anything not supplied by the company (e.g. a domestic router) is out of scope.
- Mobile Devices – If a mobile device uses company services or can access the company network in any way, it is within the scope of Cyber Essentials. A device used only for calls, texts or MFA is not in scope.
- Cloud Services– All cloud services used by the company are now in scope.
- MFA for Cloud Services – Network Administrators will be required to have Multi-Factor Authentication on all cloud service accounts. This will be extended to all users in 2023.
- Servers– All servers and virtual servers used by the company will be in scope.
- Thin Clients – Thin Clients will be included in scope but must be supported and receiving security updates from January 2023.
- Sub-Sets – Sub-Sets are defined by IASME as: “A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device are no longer acceptable.”
PINs or passwords used to access a device must contain a minimum of six characters, but biometric security such as fingerprints or Face ID is a permitted alternative.
Passwords and MFA
At least one of the following must be implemented to protect against brute-force password attacks:
- Account lock-out after no more than ten failed login attempts.
- Multi-Factor Authentication
- Throttling the rate of failed login attempts.
There must be technical controls to enforce the quality of passwords; at least one of the following should be implemented:
- A password of at least eight characters, plus Multi-Factor Authentication.
- A password of at least 12 characters.
- A password of at least eight characters, plus automatic blocking of common passwords using a deny list.
Policies should be in place stating that each password needs to be unique, and if a user suspects that a password has been compromised, that password is to be changed.
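The two lists above describe controls an identity system has to enforce. As an added example (not IASME or NCSC tooling, and not code from this article), the following Python checks a password against the three accepted quality options and implements the ten-attempt lock-out; the deny list is a constructed sample, and a real deployment would load a full common-password data set.

```python
"""Cyber Essentials password-quality and brute-force checks (constructed example)."""
from dataclasses import dataclass, field

# Constructed sample deny list; replace with a comprehensive common-password set.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def password_meets_policy(password: str, mfa_enabled: bool, deny_list_enforced: bool) -> bool:
    """True if at least one accepted option is satisfied:
    8+ characters with MFA, 12+ characters alone, or 8+ characters
    where the password is not on the common-password deny list."""
    length = len(password)
    if mfa_enabled and length >= 8:
        return True
    if length >= 12:
        return True
    if deny_list_enforced and length >= 8 and password.lower() not in COMMON_PASSWORDS:
        return True
    return False


@dataclass
class LoginGuard:
    """Account lock-out after no more than ten failed attempts.
    The failure counter is reset by a successful login; a locked
    account stays locked until an administrator clears it."""
    max_failures: int = 10
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, username: str, success: bool) -> str:
        """Returns 'ok', 'failed' or 'locked' for the attempt."""
        if username in self.locked:
            return "locked"
        if success:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked.add(username)
            return "locked"
        return "failed"

    def unlock(self, username: str) -> None:
        """Administrative reset of a locked account."""
        self.locked.discard(username)
        self.failures.pop(username, None)
```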
Supported Software and Updates
- All software must be licensed and supported. All unsupported software will have to be removed, or at least placed into a sub-set that prevents any communication with the internet.
- Automatic security updates must be active if possible.
- Software should be updated within 14 days in any of the following circumstances:
  - Details of the vulnerabilities addressed in the update are not released by the vendor.
  - The updates are labelled as high-risk or critical.
  - The updates address vulnerabilities with a CVSS v3 score of seven or above.
Administrator and User accounts
Administrator accounts should not be used for standard user activities. User and admin activities should be carried out using separate accounts.
Guidance for Backing Up
Guidance will be provided on backing up important data, although it isn’t a requirement.
In summary, things are tightening up. This is certainly a good thing, as any changes that help to prevent cybercrime should be embraced. For any questions on Cyber Essentials and what the changes mean for you, get in touch – [email protected]