Cyber Essentials is the UK government-backed cyber security certification scheme that helps organisations protect themselves against common cyber threats.
Launched in 2014, the certification has grown in prevalence and has been widely adopted by industries and insurers as a benchmark security standard.
Periodic updates to the scheme's requirements have allowed the certification to evolve in line with new risks and stay relevant to the current security climate.
Organisations approaching Cyber Essentials as a renewal – or for the first time – should be aware of the newer requirements before they apply.
All Cloud Services Are Now In Scope
Organisations with data or services hosted in a cloud environment are now responsible for ensuring that the necessary Cyber Essentials controls are implemented in these environments.
Previously, platform as a service (PaaS) and software as a service (SaaS) environments were not in scope for Cyber Essentials. This is no longer the case: all cloud services the organisation uses are now in scope.
This update is among the most significant of the Cyber Essentials changes. Organisations now need to take responsibility for user access control and the secure configuration of their cloud services, even where the provider runs the underlying platform.
This includes securely managing access to the different administration accounts in each service and disabling or removing accounts that are no longer needed.
The most obviously impacted area for this will be Microsoft 365 tenants and accounts, which now must have sufficient security measures in place. We cover more about what this entails below.
Cyber Essentials Password Requirements
There have been multiple Cyber Essentials changes relating to password security requirements.
First off, all user devices require a locking function. Unlocking must use a biometric, or a password or PIN of at least 6 characters.
When using passwords, one of the following protection methods needs to be used to protect against brute-force password guessing:
- Using multi-factor authentication
- Throttling the rate of unsuccessful or guessed attempts
- Locking accounts after no more than 10 unsuccessful attempts
Technical controls that are used to manage the quality of passwords need to include one of the following protection methods:
- Using MFA alongside a password of at least 8 characters
- Using automatic blocking of common passwords using a deny list alongside a password of at least 8 characters
- Using a password of at least 12 characters
Finally, access to cloud services needs to include:
- Using MFA alongside a password of at least 8 characters
Again, the most common business requirement for this will be Microsoft 365 accounts. However, staff who access company data from mobile phones or other devices will also need to be covered, since those logins are cloud logins too.
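The three password-quality options and the two brute-force protections listed above can be expressed as checks rather than prose. The following is an added example written for this page, not code from the original article or from the Cyber Essentials scheme. It models a login endpoint that throttles repeated guesses and locks an account after 10 failures, and a policy check that accepts a password only via one of the three permitted combinations. The deny list, the throttle parameters (start delaying after 3 failures, doubling from 5 seconds) and the user names are constructed assumptions; the scheme fixes only the 10-attempt ceiling and the 8 and 12 character minimums.

```python
"""Added example: Cyber Essentials password controls as code (not from the article)."""

# Limits taken from the requirements quoted above.
MAX_FAILED_ATTEMPTS = 10      # lock after no more than 10 unsuccessful attempts
MIN_LEN_WITH_CONTROL = 8      # 8 characters when paired with MFA or a deny list
MIN_LEN_STANDALONE = 12       # 12 characters with no other control

# Constructed assumptions for the throttling option (the scheme sets no figures).
THROTTLE_AFTER = 3            # start delaying once a user has 3 consecutive failures
THROTTLE_BASE_SECONDS = 5     # first delay; doubles with each further failure

# Constructed deny list of common passwords; a real one would be far larger.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "welcome1", "letmein1"}


def password_meets_policy(password: str, mfa_enabled: bool,
                          deny_list=COMMON_PASSWORDS) -> bool:
    """True if the password is acceptable under at least one of the three options."""
    length = len(password)
    # Option 1: MFA alongside a password of at least 8 characters.
    if mfa_enabled and length >= MIN_LEN_WITH_CONTROL:
        return True
    # Option 2: deny list of common passwords alongside at least 8 characters.
    if password.lower() not in deny_list and length >= MIN_LEN_WITH_CONTROL:
        return True
    # Option 3: at least 12 characters with no other technical control.
    return length >= MIN_LEN_STANDALONE


class AccountGuard:
    """Tracks consecutive failures per user to throttle guessing and lock accounts."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 throttle_after=THROTTLE_AFTER, base_delay=THROTTLE_BASE_SECONDS):
        self.max_failed = max_failed
        self.throttle_after = throttle_after
        self.base_delay = base_delay
        self.failed = {}      # user -> consecutive unsuccessful attempts
        self.locked = set()   # users whose account is locked pending admin reset

    def required_delay(self, user: str) -> int:
        """Seconds the next attempt for this user must wait (throttling)."""
        n = self.failed.get(user, 0)
        if n < self.throttle_after:
            return 0
        return self.base_delay * 2 ** (n - self.throttle_after)

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'success', 'failed' or 'locked'."""
        if user in self.locked:
            return "locked"          # locked accounts reject even correct passwords
        if password_ok:
            self.failed.pop(user, None)   # success resets the failure counter
            return "success"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed:
            self.locked.add(user)
            return "locked"
        return "failed"


def replay(events, guard=None):
    """Run (user, password_ok) events through a guard; returns the outcome list."""
    guard = guard or AccountGuard()
    return [guard.attempt(user, ok) for user, ok in events]


if __name__ == "__main__":
    # Constructed attempt log: alice is brute-forced, bob mistypes once then logs in.
    events = [("alice", False)] * 10 + [("alice", True), ("bob", False), ("bob", True)]
    print(replay(events))
    print(password_meets_policy("Summer2024", mfa_enabled=True))
    print(password_meets_policy("password1", mfa_enabled=False))
```

Note that option 3 accepts any 12-character password, including ones on the deny list, which is exactly what the requirement permits; if you run a deny list anyway, apply it regardless of length.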
Most Home Routers Aren’t In Scope
Home-working devices are in scope whether they are owned by the organisation or by the user, but most home routers are not.
With home routers out of scope, the firewall control has to be met on the individual's device instead, typically by the software firewall built into the operating system.
The only exception to this change is if the home worker’s router is supplied by their organisation, in which case it must have Cyber Essentials controls applied to it.
The practical impact is that each user device must carry a good level of protection on its own, so keeping controls such as the host firewall and antivirus enabled and up to date is imperative.
What Do You Need To Do About Cyber Essentials Changes?
These Cyber Essentials changes are important updates to the security requirements for organisations seeking certification.
The emphasis on multi-factor authentication reflects the evolving threat landscape and the need for stronger defences against password-based attacks.
These are not necessarily quick measures to implement. Anyone looking to renew Cyber Essentials will need to have them in place well ahead of attempting to recertify.
Need help with Cyber Essentials for your organisation? Whatever depth of requirement, our consultants can help. Discover more: