Following the migration from office to home working and the adoption of cloud technologies for remote collaboration, cyber criminals have identified even more vulnerabilities to exploit. With these rapid changes, existing cyber security strategies have had to advance to deny these newfound opportunities for attack. At the centre of our attention right now is the National Cyber Security Centre (NCSC) Cyber Essentials scheme, which aims to combat 85% of the most common cyber attacks and so eliminate threats for organisations across the globe.
Cyber Essentials is a Government-backed scheme, introduced by the NCSC, to help protect organisations from the ever-evolving cyber threat landscape and safeguard against common cyber attacks. By completing the certification, organisations can demonstrate their commitment to cyber security. The requirements cover five technical controls that aim to protect devices, internet connections, data and services: software updates, firewalls and routers, malware protection, access control and secure configuration.
The two levels of certification - Cyber Essentials and Cyber Essentials Plus - let you choose the level of protection you invest in. With Cyber Essentials Plus you receive the added benefit of a more hands-on technical verification, in which vulnerability assessments are carried out for additional assurance. Certification at both levels can be achieved through the NCSC's partner, the Information Assurance for Small and Medium Enterprises Consortium (IASME).
The scheme, reviewed by experts at IASME to ensure its effectiveness, has released updates for 2022 to keep its five technical controls in line with evolving security challenges. This is the biggest update to the technical controls since the scheme's launch in 2014, and it comes as no surprise after businesses worldwide have had to adopt digital transformation rapidly during the pandemic.
Security has become more challenging since the shift to working from home, which has led to an update in Cyber Essentials concerning home routers. Whilst routers were previously provided by the employer on-site, the shift to remote working and the purchase of home routers has put them out of scope. Now, IoT devices must be protected with a firewall rather than by the home router (unless the router is provided by the employer, in which case it remains in scope of Cyber Essentials). These changes can be met easily by using a Virtual Private Network (VPN) that routes traffic through a corporate firewall, which moves the scope boundary to that firewall.
To meet the demands of remote working, cloud services have been fully integrated into the scheme's update. Organisations will need to check that their existing services meet Cyber Essentials standards. Platform as a Service (PaaS) and Software as a Service (SaaS) are now in scope, so organisations must take responsibility for user access control and the secure configuration of their services. Those responsible for implementing one or more of the five controls within their cloud services must provide evidence that they do so to the required standard.
Just as we have adapted to using cloud services to access corporate information, so have cyber criminals, but they are using them to launch attacks. To mitigate the risk of attack, we can use multi-factor authentication (MFA) as an extra layer of protection, which requires more than one verification method to access an account. Cyber Essentials suggests four types of additional factor that may be considered: a managed enterprise device, an app on a trusted device, a physically separate token and a known or trusted account.
The new scope states that all high and critical updates must be applied within 14 days and that unsupported software must be removed. All in-scope devices must be licensed and supported, and have automatic updates enabled. Software that becomes unsupported must be removed from devices. Updates must be applied within 14 days of release where: the update fixes vulnerabilities the vendor defines as 'critical' or 'high risk'; the update addresses vulnerabilities with a CVSS v3 score of 7 or above; or no details are published on the severity of the vulnerabilities being fixed.
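The 14-day rule above is easy to audit mechanically once you have an inventory of released updates with their vendor rating, CVSS v3 score, release date and install date. The following is an added example, not part of the original article or the Cyber Essentials scheme's own tooling; the update names and dates in the inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials: apply within 14 days of release
CVSS_THRESHOLD = 7.0               # CVSS v3 base score of 7 or above counts as high/critical
HIGH_RATINGS = ("critical", "high", "high risk")


@dataclass
class Update:
    name: str
    released: date
    severity: Optional[str]    # vendor rating, or None if the vendor published none
    cvss_v3: Optional[float]   # CVSS v3 base score, or None if not published
    installed: Optional[date]  # None if the update has not been applied yet


def is_in_scope(u: Update) -> bool:
    """The 14-day rule applies if the vendor rates the fix critical/high,
    the CVSS v3 score is >= 7, or no severity details are published at all."""
    if u.severity is not None and u.severity.lower() in HIGH_RATINGS:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No rating and no score: the scheme treats "no details" as in scope.
    return u.severity is None and u.cvss_v3 is None


def deadline(u: Update) -> date:
    return u.released + PATCH_WINDOW


def check(u: Update, today: date) -> str:
    """Classify an update as compliant, late (applied after the deadline),
    overdue (still missing past the deadline), pending, or out_of_scope."""
    if not is_in_scope(u):
        return "out_of_scope"
    if u.installed is not None:
        return "compliant" if u.installed <= deadline(u) else "late"
    return "overdue" if today > deadline(u) else "pending"


def report(inventory: List[Update], today: date) -> Dict[str, str]:
    return {u.name: check(u, today) for u in inventory}


# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2022, 3, 1)
INVENTORY = [
    Update("os-2022-02", date(2022, 2, 1), "critical", 9.8, date(2022, 2, 10)),
    Update("browser-2022-02", date(2022, 2, 1), "high", 7.5, None),
    Update("office-2022-02", date(2022, 2, 20), None, None, None),
    Update("codec-2022-01", date(2022, 1, 5), "moderate", 5.3, None),
    Update("vpn-client-2022-01", date(2022, 1, 10), "critical", None, date(2022, 2, 1)),
]
```

Anything reported as late or overdue is a finding an assessor would raise; pending items still have time left in the 14-day window.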
Organisations can no longer be selective about which patches they apply, as doing so leaves them vulnerable; the extent of that risk was emphasised by a public cyber attack against a vulnerability in Microsoft Exchange. With that attack developing from a complex state-actor operation into a commoditised ransomware attack in just seven days, the update to the Cyber Essentials technical controls requiring critical updates within 14 days is justified.
To read the full list of Cyber Essentials updates that must now be adhered to, find out more via IASME.
The updates to the Cyber Essentials technical controls came into effect for new assessment accounts on 24th January 2022. Assessments already under way, or started before that date, continue to use the existing technical controls, so in-progress certifications will not be affected. The NCSC has applied a 12-month grace period for those needing to complete new certifications within the next 6 months. If your Cyber Essentials certification is up for renewal after 24th January 2022, however, you will need to consider making the required changes to your existing cyber security solutions.
And, for those looking to invest in Cyber Essentials for their business, there’s no better time than now! With fresh new updates rolled out in January, the scheme is at its peak performance.
To take control of your vulnerabilities and find out what updates you’ll need to implement, contact our expert team at Infosec K2K. We’ll help you stay protected against rising cyber security threats. Get in touch!