Be ready for the new Cyber Essentials


The number of cyber-attacks on UK businesses has hit an unprecedented high. One in 10 businesses and a quarter of charities reported a cybersecurity breach or attack in 2021, according to the latest Government cyber data, and the same report shows that cyber risk grew during the pandemic as businesses struggled to administer security measures remotely.

About the author

Dave Woodfine is Co-founder and Managing Director of Cyber Security Associates (CSA).

The UK’s National Cyber Security Centre (NCSC) has responded by updating the requirements of its ‘Cyber Essentials’ (CE) certification from 24 January 2022 - the most significant overhaul of the scheme’s technical controls since it was launched in 2014. Cyber Essentials is a government-backed certification that is renewed annually. Organizations have a six-month grace period to complete assessments against the new requirements (12 months for some of the new requirements). The aim is to help them defend against increasingly sophisticated cybercriminals and to give customers and partners proof of their cybersecurity posture.

While these changes to the certification are positive and much needed to combat the constant threat of cyber attacks, they will require extra effort from companies to comply. What’s more, for those working in or with the public sector, or with highly regulated organizations such as finance and banking, the certification will be compulsory. So, here are some tips to help you pass the new assessment and keep your business secure.

Secure home workers’ devices

With 8.4 million people in the UK working from home at some point in the week since the start of the pandemic, Cyber Essentials has been adapted to account for this way of working.

Home workers’ own internet routers are no longer classed as in scope for the scheme, whereas every device capable of connecting to the internet is. If the router has been supplied by the company, however, then it remains in scope. And if the worker connects through a corporate VPN, the scheme’s boundary moves to the company firewall rather than the worker’s device.

A software firewall must be enabled on every device used while working at home, including tablets, smartphones and laptops, and unlocking these devices must require either biometrics or a password or PIN that is at least six characters long.

Cloud services now apply

Another big change is that all cloud services are now in scope. If any of your organization's data or services are hosted in the cloud, you as the applicant are responsible for ensuring the controls that protect that data are in place, even where the cloud provider is the one that implements them. New definitions of cloud services have been added, covering Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS); which controls the provider implements and which you must implement yourself depends on the type of cloud service.

When connecting to cloud services, multi-factor authentication (MFA) must be used. There has been a sharp increase in threat actors attempting to steal passwords, and MFA means a stolen password alone is not enough to get into an account: users must present a second factor as well. Under Cyber Essentials, four additional factors are accepted: a known or trusted account, an app on a trusted device, a physically separate token, or a managed enterprise device.

What are the other changes?

There are other changes too, both big and small. For a start, businesses can no longer pick and choose which patches or software updates to apply: all updates rated high or critical must be installed within 14 days of release, and automatic updates should be enabled. All servers are now in scope for Cyber Essentials and will need to pass the assessment, as are devices and thin clients used to access the organization's information or services. Other updates consist of new or more precise definitions of terms such as ‘servers’ and ‘licensed and supported.’ For example, ‘servers’ are now defined as ‘specific devices that provide organizational data or services to other devices as part of the business of the applicant.’

The new pricing structure

One of the biggest changes to the new Cyber Essentials is a tiered pricing structure. Prior to January 2022, certification cost £300 for all businesses. From February onwards the cost depends on the size of the business: the bigger the business, the longer it can take to review the security of all its software and hardware, and the price reflects that.

Micro businesses - those with nine or fewer employees - will continue to pay £300, while large organizations with 250 or more staff will pay the highest fee of £500. Those in between, with 10-49 or 50-249 staff, will pay £400 and £450 respectively.

But the cost of an attack on your business will be far higher, which makes Cyber Essentials worth the investment. It may be a little tougher to comply, but that is not a bad thing. If you meet all of the new certification requirements, your business will be more secure than ever, and a much safer option for other businesses to partner and grow with.

