The recent changes to the Cyber Essentials Scheme encourage UK businesses to further strengthen their cybersecurity and protect their best interests.
These days it’s not just businesses and their employees that are spending more time online, but cybercriminals too. This is why it is now more important than ever for companies to invest in strengthening their cybersecurity.
Introduced by the UK Government in 2014, the Cyber Essentials Scheme is one of the most important references for businesses that want to keep their operations safeguarded from cybercriminals. This year, some of the important technical control requirements of this scheme have seen a change, and it’s something that businesses of all sizes should be aware of.
In this article, we will detail these changes and highlight the steps you would need to take in order to maintain your compliance. But first, let’s have a look at what the Cyber Essentials Scheme is, why it has been updated in 2022, and why you should be concerned about the recent changes.
The Cyber Essentials Scheme is a certification scheme that was introduced in 2014 by the UK Government in order to support businesses in improving their cybersecurity and to help make the UK one of the safest places to do business. It is managed by the NCSC (National Cyber Security Centre) and guides UK businesses on how they can safeguard their IT operations.
The scheme highlights 5 technical controls in order to achieve this goal:
The world of cybersecurity has changed a lot since 2014, when the Cyber Essentials Scheme was first introduced in the UK. Use of cloud services and working from home have become the norm. In order to ensure that the scheme is fully in line with the evolution of business operations, the NCSC has decided to introduce a few important changes to the scheme.
The recent changes to the Cyber Essentials Scheme are of high importance to all organisations in the UK, regardless of whether they are already Cyber Essentials certified or are planning to get the certification in the near future. It’s also crucial to take note of these recent changes if you are planning a merger or acquisition, performing supply chain due diligence, or simply looking for reliable business partners. Needless to say, all organisations in the UK with sizable operations should ideally renew their Cyber Essentials and Cyber Essentials Plus certifications every year, and should also be aware of the new controls in order to ensure the certification doesn’t lapse.
In the recent changes made to the Cyber Essentials Scheme, various elements of a corporate network and its cybersecurity have been brought within scope, and this includes:
All home-based devices used by employees for office work, whether they are smartphones, tablets or laptops, now come under the scope of the security recommendations shared in the Cyber Essentials Scheme. As a result, both employers and employees will need to ensure that the firewall settings on their home working devices comply fully with the guidelines shared in the Cyber Essentials Scheme if they’re serious about maintaining their compliance.
It was common practice for organisations to certify only their server systems and ignore the need to include end user devices in their security assessment exercise. The recent change has made it compulsory to ensure the security of endpoint devices, in an effort to close any loopholes that hackers can take advantage of.
Implementing MFA, or multi-factor authentication, is now an important requirement for maintaining compliance with the Cyber Essentials Scheme in 2022 and beyond. The reason is that MFA provides an extra layer of security on top of password protection: even a bad actor who has obtained a user’s password still cannot take over the account and infiltrate the corporate network without the second factor.
In an effort to reduce the security risk for businesses, the NCSC has introduced a requirement that IT administrators install newly released high/critical risk software updates within 14 days of their release. In addition to this, they are also responsible for ensuring that:
Employees should use separate accounts for office work and avoid using those accounts for standard user activities, like browsing the web or checking social media, which might expose the corporate network to vulnerabilities. By maintaining separate accounts and practising good online hygiene, they can greatly reduce the risk of cybersecurity incidents.
Even though organisations will be allowed a grace period of one year for implementing the suggested changes, IT leaders should start preparing as soon as they can, to avoid losing the certification and, most importantly, to improve their organisation’s cybersecurity.