
28 February 2022

Cyber Essentials updates – What you need to know


On 24th January 2022, the NCSC (National Cyber Security Centre) released updates to Cyber Essentials technical controls. The last Cyber Essentials updates took place in 2014, and since then cloud computing has been on the rise, multi-factor authentication is more available, ransomware is a pervasive threat and of course the global pandemic happened, bringing about an unprecedented change in the way organisations are working and technology is used.
 

The recent Cyber Essentials updates reflect these changes – expanding to address a new range of scenarios including home working, BYOD and cloud services, with some of the key changes being highlighted below…

 

Home working


Home working was previously viewed as an exception; however, for many organisations it has become the norm and is here to stay. A frequently asked question around home working is the role of Internet Service Provider (ISP) routers. These have been taken out of scope, as expecting individuals to configure routers correctly wouldn’t be practical. However, this places more importance on ensuring firewall controls are correctly applied to end-user devices.

 

Multi-Factor authentication & passwords


Multi-Factor Authentication (MFA) provides an extra layer of protection for accounts and is now widely available and free with most services, so guidance on choosing the right additional factor for your organisation has now been included. It is important to remember that it should be usable and accessible to employees. Password requirements and guidance have also been updated, referencing the ‘Three Random Words’ advice (composing your password of three random words), but this isn’t a mandated approach, and methods such as using a password manager or other strategies should still be considered.

 

Cloud services


A shared responsibility model has been implemented for cloud services, dictating the security obligations of each party (the cloud provider and the cloud user) to ensure accountability is clear. Five technical controls have also been mapped to the three main types of cloud service (IaaS, PaaS, SaaS). However, this is only a guide: the ultimate responsibility for ensuring the cloud provider is implementing services properly lies with the applicant.

 

Backups


There are no technical requirements in Cyber Essentials on backing up data. However, there is now guidance on backing up important data, and implementing an appropriate backup solution is highly recommended, reflecting the rise of ransomware and cyberattacks.

If you would like to find out more about the recent Cyber Essentials updates and what this could mean for your organisation, then please Click Here to speak to one of our specialists. Alternatively, existing customers can contact their Nviron Account Manager.
 
