Let’s assume that you know what Cyber Essentials is and that you realise that it is a good basic standard for any business to have. Next month, it will be improved in an effort to counter the increasingly dangerous threat landscape, and we had all better be ready for these changes!
The biggest differences relate to scope, in other words what now counts as being inside the perimeter you are expected to protect.
Home Workers – Anyone that does any work from home at all is now classed as a home worker. The scope of Cyber Essentials only extends to company devices / company virtual devices. Equipment such as a domestic router (not company supplied) is not in scope, but company equipment, such as a laptop being used at home for example, will be in scope.
Mobile Devices – If a mobile device accesses company services or data, or can connect to your network in any way, then it is in scope. A phone that is used only for calls, texts or as an MFA token is not brought into scope by those uses alone.
Cloud Services – All cloud services used by the company are now in scope.
MFA for Cloud Services – Administrator accounts on all cloud services must use MFA. From 2023, this requirement extends to all user accounts too.
Servers – All servers and virtual servers used by the company will be in scope.
Thin Clients – These will be in scope. In addition to this, although only in an advisory context until January 2023, thin clients will need to be supported and receiving security updates.
Sub-Sets – Definition and implications: to quote IASME, “A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device are no longer acceptable.”
A minimum of six characters must be used for a PIN or password to unlock a device. Biometric security is permitted instead of this.
There must be technical controls to enforce the quality of passwords; at least one of the following should be implemented:
There should be policies stating that each password must be unique, and that if a user suspects a password has been compromised, that password is changed immediately.
All software will have to be licensed and supported. All unsupported software will have to be removed or at least placed into a sub-set that prevents any communication with the internet.
Admin accounts should not be used for standard user activities. Separate accounts should be used for admin and user activities.
Although not a requirement, guidance will be provided on backing up important data.
As you can see from the list, things are tightening up. This is a good thing as anything that helps prevent a business from falling foul of cybercrime should be embraced. For your Cyber Essentials, you should look at CyberSmart, the streamlined solution.
Contact Brigantia to be put in touch with your local Brigantia Partner who will be able to advise you on getting and keeping Cyber Essentials by using CyberSmart. Email partnersupport@brigantia.com or call 020 3358 0090 for more details.