Cyber Essentials – a minimum baseline of cyber security for all businesses
In January 2022, the Government’s Cyber Essentials scheme received its biggest overhaul to date. The significant changes to the technical requirements in the scheme reflect the security challenges in today’s digital world.
How does the Cyber Essentials scheme work?
Cyber Essentials is an effective, baseline cyber security scheme centred around five technical controls that help protect organisations of all sizes from the majority of commodity cyber attacks. A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security, it is now widely considered the minimum level of cyber security for all businesses.
Cyber Essentials works in the format of a verified self-assessment questionnaire. Organisations log onto a secure portal to answer a series of questions that address the scope of the assessment, their employees, devices and work location. They will also answer questions that address the five core controls, which include user access control, secure configuration, security update management, firewalls and routers, and malware protection.
A senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers.
The preparation and process of getting certified to Cyber Essentials will give an organisation a clear picture of their cyber security and an opportunity to improve.
For organisations that require a higher level of assurance, Cyber Essentials Plus starts with the Cyber Essentials questionnaire but the technical controls are then physically audited to verify that they are in place.
SMEs based in the UK with a turnover of less than £20 million who certify their whole organisation to Cyber Essentials qualify for cyber liability insurance which is included in the price of certification.
The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the Government approved minimum level of cyber security in place and can be trusted with their data and business. Many contracts stipulate Cyber Essentials as a pre-requisite.
The scheme was introduced by the UK Government in 2014, as a way to help make the UK the safest place to do business. The environment that the scheme operates in has changed dramatically in the last seven years and, to reflect these changes, some of the technical control requirements were updated in January 2022 in line with recommended security updates. The pricing of Cyber Essentials has also changed and has adopted a tiered structure based on organisation size.
While micro-organisations will continue to pay the current £300 assessment charge, small, medium and large organisations will pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.
The main technical changes
In recent years, business cyber security has been further challenged by the wide adoption of cloud services and remote working, the move to home working and use of privately owned devices. Many of the Cyber Essentials technical requirement changes reflect this new environment.
Home working devices are in scope, but most home routers are not.
Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational data and services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope for the assessment but Cyber Essentials firewall controls apply to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope for the assessment and must have the Cyber Essentials controls applied to it.
Why the change?
Home working or hybrid working (coming into the office for only some of the working week) is now normal practice for most businesses and is unlikely to change back in the short term. It is difficult to impose rules onto multiple employee’s private home routers unless it is provided by the organisation.
All cloud services are in scope
Cloud services are now fully integrated into the scheme.
If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented on that service. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user actually implement the control depends on the type of cloud service but the user has a responsibility to check that the controls are put in place.
Why the change?
People commonly assume that cloud services are secure out of the box, but this is not the case. It is necessary for users to take responsibility for the services they use and spend time reading up and checking their cloud services and applying the Cyber Essentials controls where possible. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope for Cyber Essentials, but the new requirements now insist that organisations take responsibility for user access control and the secure configuration of their services which would include securely managing access to the different administration accounts and blocking accounts that they do not need. Where the cloud service is in charge of implementing one or more of the controls ( eg security update management or anti-malware), the applicant organisation has the responsibility to seek evidence that this is done to the required standard.
Multi factor authentication (MFA) must be used for access to cloud services
As well as providing extra protection for passwords that are not protected by other technical controls, multi factor authentication should always be used to provide additional protection to administrator accounts and user accounts when connecting to cloud services.
No matter how an attacker acquires a password, if multi factor authentication is enabled on the account, it will act as a safeguard on the account.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.
Why the change?
There has been an increasing number of attacks on cloud services, using techniques to steal or brute force a user’s passwords to access their accounts.
Automatic updates should be enabled where possible and all high and critical updates must be applied within 14 days
Why the change?
All organisations must apply all high and critical updates on all their systems, with no exceptions. The reason for this change can be illustrated by the high profile vulnerability in the Microsoft Exchange System. That attack went from being a complex nation state attack to a commodity attack within seven days and it was commoditised into a ransomware attack only 12 hours later. It proved that a high complexity attack can be commoditised in hours. The updated Cyber Essentials requirement raises the bar because organisations can no longer be selective about which patches they apply and leave themselves vulnerable.
Guidance on backing up
Backing up your data is not a technical requirement of Cyber Essentials because the scheme focuses on measures to prevent an attack as opposed to aspects to allow recovery after an attack. However, with the recognition of the vital importance of backup, there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended.
How the changes will work
There will be a grace period of one year to allow organisations to make the changes for the following requirements: MFA for cloud services, thin clients and security update management.
Help and support
If you need help preparing your organisation for Cyber Essentials, there is a free online tool that helps you gauge your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. The Cyber Essentials Readiness Tool includes a series of guidance documents, written for non-technical people, to help you understand the five controls and how they apply to your business.
Your answers to the readiness tool questionnaire will inform the tailored guidance and step by step action plan which will be presented to you when you reach the end of the readiness tool.
For in depth and bespoke support, contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licenced to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification.
The new requirements for infrastructure document and self-assessment question set can be found here.
Apply for Cyber Essentials here. Alternatively you can contact the Sutcliffe & Co Team for more details.