Let’s assume that you know what Cyber Essentials is and that you realise that it is a good basic standard for any business to have. Next month, it will be improved in an effort to counter the increasingly dangerous threat landscape, and we had all better be ready for these changes!
The biggest differences relate to the perimeter protection.
Defined Perimeter Protection
Home Workers – Anyone that does any work from home at all is now classed as a home worker. The scope of Cyber Essentials only extends to company devices / company virtual devices. Equipment such as a domestic router (not company supplied) is not in scope, but company equipment, such as a laptop being used at home for example, will be in scope.
Mobile Devices – If a mobile device uses company services or can get onto your network in any way, then it is in scope. This does not include calls, texts or MFA usage.
Cloud Services – All cloud services used by the company are now in scope.
MFA for Cloud Services – Admins will need to have MFA on all cloud services accounts. From 2023, this will extend to users too.
Servers – All servers and virtual servers used by the company will be in scope.
Thin Clients – These will be in scope. In addition to this, although only in an advisory context until January 2023, thin clients will need to be supported and receiving security updates.
Sub-Sets – Definition and implications: to quote IASME, “A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device are no longer acceptable.”
A minimum of six characters must be used for a pin or password to access a device. Biometric security is permitted instead of this.
Passwords and MFATo protect against brute-force password attacks, at least one of the following should be implemented:
- Account lock-out after no more than ten failed login attempts.
- Use of MFA
- Throttling the rate of failed login attempts.
There must be technical controls to enforce the quality of passwords, at least one of the following should be implemented:
- A password of at least eight characters, plus MFA.
- A password of at least 12 characters.
- A password of at least eight characters, plus automatic blocking of common passwords using a deny list.
There should be policies stating that each password needs to be unique, and if a user suspects that a password has been compromised, that password gets changed.
Supported Software and Updates
All software will have to be licensed and supported. All unsupported software will have to be removed or at least placed into a sub-set that prevents any communication with the internet.
- If possible, automatic security updates must be active.
- Within 14 days, software should be updated in any of the following circumstances:
- Details of the vulnerabilities addressed in update are not released by the vendor.
- The updates are labelled as high-risk or critical.
- The updates address vulnerabilities with a CVSS v3 score of seven or above.
Admin and User accounts
Admin accounts should not be used for standard user activities. Separate accounts should be used for admin and user activities.
Guidance for Backing Up
Although not a requirement, guidance will be provided on backing up important data.
As you can see from the list, things are tightening up. This is a good thing as anything that helps prevent a business from falling foul of cybercrime should be embraced. For your Cyber Essentials, you should look at CyberSmart, the streamlined solution.
Contact Brigantia to be put in touch with your local Brigantia Partner who will be able to advise you on getting and keeping Cyber Essentials by using CyberSmart. Email firstname.lastname@example.org or call 020 3358 0090 for more details.