Preparing for Changes to Cyber Essentials 2022

If you are not familiar with Cyber Essentials, it is a simple but effective Government-backed scheme that can protect your organisation against the most common cyber-attacks. Statistics vary, but around 50% of SMEs are hacked every year. Many of these smaller businesses will have been attacked simply because they are much easier targets than larger organisations, which have cyber protection in place.

For those of you already Cyber Essentials certified, there are some significant changes coming at the end of January in an effort to counter the increase in cybercrime. We have summarised some of the main changes here.

Home Workers – This now includes anyone who does any work from home at all, and covers any company device or company virtual device, such as a laptop being used at home.

Equipment such as a domestic router (not company supplied) will be out of scope.

Mobile Devices – If a mobile device uses company services or can get onto your network in any way, then it is in scope; this includes BYOD devices.

Cloud Services – All cloud services are now in scope; this includes services like Dropbox, M365, etc.

Multi-Factor Authentication for Cloud Services – Admin users will need to have MFA on all cloud service accounts. From 2023, this will extend to users too, so you should be preparing for this now.

Servers – All servers and virtual servers used by the company will be in scope.

Thin Clients – These will be in scope. In addition, although only in an advisory context until January 2023, thin clients will need to be supported and receiving security updates.

Device Locking – A minimum of six characters must be used for a PIN or password to access a device (laptop, notebook, smartphone). Biometric security is permitted instead of this.

Passwords and MFA – To protect against brute-force password attacks, at least one of the following should be implemented:

  • Account lock-out after no more than ten failed login attempts
  • Multi-factor authentication
  • Throttling the rate of failed login attempts

At least one of the following technical controls should be implemented to enforce the quality of passwords:

  • A password of at least eight characters, plus MFA
  • A password of at least 12 characters
  • A password of at least eight characters, plus automatic blocking of common passwords using a deny list

Your internal policies should state that each password needs to be unique, and if a user suspects that a password has been compromised, that password gets changed.
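To make the two password requirements above concrete, here is an added example (not part of Cyber Essentials or any official tooling) that checks an account configuration against them: it reports which brute-force protections and which password-quality controls are satisfied, and flags a configuration that meets none of either group. The configuration fields and the deny list are constructed for illustration.

```python
"""Check an authentication configuration against the Cyber Essentials 2022
brute-force and password-quality controls. Added example; the AuthConfig
fields and COMMON_PASSWORDS are constructed, not from any published tooling."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample deny list; a real deployment would load a large
# published list of commonly used passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


@dataclass
class AuthConfig:
    mfa_enabled: bool
    lockout_threshold: Optional[int]  # failed attempts before lock-out; None = no lock-out
    throttling_enabled: bool          # rate-limiting of failed login attempts
    min_password_length: int
    deny_list_enforced: bool          # common passwords blocked at set time


def brute_force_controls(cfg: AuthConfig) -> List[str]:
    """Satisfied brute-force protections (the scheme needs at least one)."""
    met = []
    if cfg.lockout_threshold is not None and cfg.lockout_threshold <= 10:
        met.append("lock-out after <=10 failed attempts")
    if cfg.mfa_enabled:
        met.append("MFA")
    if cfg.throttling_enabled:
        met.append("rate throttling")
    return met


def password_quality_controls(cfg: AuthConfig) -> List[str]:
    """Satisfied password-quality controls (the scheme needs at least one)."""
    met = []
    if cfg.min_password_length >= 8 and cfg.mfa_enabled:
        met.append("8+ chars with MFA")
    if cfg.min_password_length >= 12:
        met.append("12+ chars")
    if cfg.min_password_length >= 8 and cfg.deny_list_enforced:
        met.append("8+ chars with deny list")
    return met


def password_acceptable(password: str, cfg: AuthConfig) -> bool:
    """Would this candidate password pass the configured quality control?"""
    if len(password) < cfg.min_password_length:
        return False
    if cfg.deny_list_enforced and password.lower() in COMMON_PASSWORDS:
        return False
    return True


def assess(cfg: AuthConfig) -> List[str]:
    """Findings for a configuration; an empty list means both groups are met."""
    findings = []
    if not brute_force_controls(cfg):
        findings.append("no brute-force protection: add lock-out (<=10 attempts), MFA or throttling")
    if not password_quality_controls(cfg):
        findings.append("no password-quality control: require 12+ chars, or 8+ chars with MFA or a deny list")
    return findings
```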

Supported Software and Updates – All software must be licensed and supported. All unsupported software should be removed or placed on a separate network that prevents any communication with the internet.

Where possible, automatic security updates must be enabled.

Software must be updated within 14 days if:

  • Details of the vulnerabilities addressed in the update are not released by the vendor
  • The updates are labelled as high-risk or critical
  • The updates address vulnerabilities with a CVSS v3 score of seven or above

Admin and User accounts – Separate accounts should be used for administrator and user activities.

Guidance for Backing Up – Although not a requirement (yet!), guidance will be provided on backing up important data.

As you can see, things are tightening up. This is a good thing, as anything that helps prevent a business falling victim to cybercrime should be embraced. If you have any questions about these changes and how they will affect you, get in touch and we will make sure you retain your certification going forward.

E: T: 0203 947 5792