The evolution of Cyber Essentials - what you need to know


Since 2014, Cyber Essentials has provided certification for organizations that meet the minimum level of protection in cyber security. Using Cyber Essentials, organizations can check that their processes adhere to the national guidelines, while annual assessments ensure they maintain standards as the company evolves over time.

About the author

Karl Alderton, Technical Account Manager, Qualys.

In January 2022, the National Cyber Security Centre (NCSC) introduced the largest overhaul of the scheme since it was launched. This is taking place due to the significant changes in the way we all work over the last two years because of COVID-19, digital transformation projects that companies have implemented, and the adoption of cloud services.

What are the changes and why are the changes needed?

The biggest change in Cyber Essentials is around remote working. The number of people working remotely has gone up massively worldwide due to the pandemic. In the UK, almost half of the workforce (46.6%) worked from home in April 2020 according to the Office for National Statistics, and of that group 86% did so due to the pandemic. Since then, employees have been working at home for the last two years.

Cyber Essentials has updated its approach to ensure that companies check their employees are secure. Work machines such as business laptops used at home and employee-owned devices used for work are now in scope, while other devices like routers supplied by Internet Service Providers (ISPs) are not covered. To comply with Cyber Essentials, companies will need to accurately check that these assets are kept secure and up to date. To achieve this, they will have to look at an agent-based approach to assets and software inventory as well as vulnerability management. 

Mobile devices like smartphones and tablets are covered by Cyber Essentials, whether they are connecting over mobile networks or directly to the corporate network. Any device used to connect to corporate data is now in scope, while devices only used for native voice or text applications can be considered out of scope. In practice, this means that organizations are going to need visibility of any software installed on mobile devices that use corporate applications, and build up information on applicable software lifecycles and vulnerabilities over time. 

Similarly, all Cloud Services are now in scope for Cyber Essentials. People wrongly assume that cloud services are secure, yet many successful attacks are due to vulnerabilities and misconfigurations in the cloud. Organizations are responsible for how their cloud services are set up and deployed, so Cyber Essentials now demands that companies look at their security around these cloud services. This requires that companies understand their responsibilities and ensure that all accounts are protected with multi-factor authentication. 

In larger organizations, there can be separate teams responsible for cloud services and for the traditional on-premises servers, which can make managing and reporting against a single framework difficult. To make compliance easier, organizations will need to evaluate the tools currently in place and look for solutions that enable end-to-end standardized reporting across all their environments.

Software updates and priorities

Businesses will also need to see and understand all software within their environment. The updated Cyber Essentials calls for visibility and support across all software, whether open-source or licensed. Companies will need to ensure they have complete oversight of all software used, whether that is cloud based or running on a server. A crucial element here is forward planning: understanding which software is reaching end of life or end of support, so that the organization can plan for the future.

As part of Cyber Essentials, organizations must manage their software assets over time to deal with potential vulnerabilities. This includes promptly deploying software updates, particularly when they have serious implications for security. Cyber Essentials defines these as updates that fix vulnerabilities rated Critical or High Severity by the company publishing the patch, or scoring more than 7.0 on the CVSS security scale. Patches for these issues should be deployed within 14 days of release.
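The 14-day rule above is simple to state but easy to lose track of across hundreds of assets, so a practitioner will usually want a script that turns an inventory of patch records into a compliance report. The following is an added example, not code from the article or from Qualys: it applies the criterion exactly as the article states it (vendor severity Critical or High, or a CVSS score above 7.0) with a 14-day deadline measured from the patch release date. The `PatchRecord` structure, the asset names and the dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Thresholds as stated in the article's description of Cyber Essentials.
PATCH_WINDOW_DAYS = 14
CVSS_THRESHOLD = 7.0                      # "more than 7.0" -> strictly greater
URGENT_SEVERITIES = {"critical", "high"}  # vendor-assigned severity


@dataclass(frozen=True)
class PatchRecord:
    """One (asset, software) pair with the patch that applies to it. Hypothetical schema."""
    asset: str
    software: str
    vendor_severity: str      # severity assigned by the vendor publishing the patch
    cvss: float               # CVSS base score of the fixed vulnerability
    released: date            # date the vendor released the patch
    applied: Optional[date]   # date the patch was applied, or None if still missing


def is_urgent(rec: PatchRecord) -> bool:
    """True when the 14-day deadline applies: vendor Critical/High OR CVSS > 7.0."""
    return rec.vendor_severity.lower() in URGENT_SEVERITIES or rec.cvss > CVSS_THRESHOLD


def deadline(rec: PatchRecord) -> date:
    """Last day on which the patch may be applied and still meet the 14-day window."""
    return rec.released + timedelta(days=PATCH_WINDOW_DAYS)


def status(rec: PatchRecord, today: date) -> str:
    """Classify a record relative to the patching requirement.

    not_urgent : deadline does not apply (below both thresholds)
    compliant  : applied on or before the deadline
    late       : applied, but after the deadline (a past breach worth recording)
    pending    : not yet applied, deadline still in the future
    overdue    : not yet applied and the deadline has passed
    """
    if not is_urgent(rec):
        return "not_urgent"
    if rec.applied is not None:
        return "compliant" if rec.applied <= deadline(rec) else "late"
    return "overdue" if today > deadline(rec) else "pending"


def compliance_report(records: List[PatchRecord], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group (asset, software) pairs by status, preserving inventory order."""
    report: Dict[str, List[Tuple[str, str]]] = {
        k: [] for k in ("compliant", "late", "pending", "overdue", "not_urgent")
    }
    for rec in records:
        report[status(rec, today)].append((rec.asset, rec.software))
    return report


# Constructed sample inventory; the "as of" date is also constructed.
TODAY = date(2022, 3, 1)
RECORDS = [
    PatchRecord("laptop-01", "Office suite", "Critical", 9.8, date(2022, 2, 1), date(2022, 2, 10)),
    PatchRecord("laptop-02", "Office suite", "Critical", 9.8, date(2022, 2, 1), date(2022, 2, 20)),
    PatchRecord("phone-07", "Mail client", "Moderate", 7.5, date(2022, 2, 20), None),
    PatchRecord("server-03", "Web server", "Moderate", 5.3, date(2022, 1, 1), None),
    PatchRecord("laptop-03", "Browser", "High", 6.9, date(2022, 2, 1), None),
    # Edge case: CVSS exactly 7.0 with a low vendor rating is NOT urgent under "more than 7.0".
    PatchRecord("vm-cloud-01", "Monitoring agent", "Low", 7.0, date(2022, 2, 1), None),
]

if __name__ == "__main__":
    for bucket, items in compliance_report(RECORDS, TODAY).items():
        print(f"{bucket:>10}: {items}")
```

Two design points are worth noting. First, an applied patch is still flagged as `late` when it landed after the deadline, because an assessor will ask about the window, not just whether the patch is present today. Second, the CVSS comparison is deliberately strict (`>`), mirroring the article's wording; if your assessor reads the requirement as "7.0 or above", change `>` to `>=` in `is_urgent`, and the 7.0 edge-case record will move from `not_urgent` to `overdue`.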

This is a big step up for many organizations to achieve, as only a few companies are truly doing it correctly. According to the Ponemon Institute, it currently takes an average of 43 days to deploy updates. For many of the most common attacks, patches are already available; they simply need to be deployed. Cyber Essentials helps more organizations get the basics right and makes it more difficult for attackers to gain entry.

However, whilst the changes to Cyber Essentials are positive, there are still some concerns. According to both private and public sector organizations, Cyber Essentials does not provide much flexibility for individual organizations to manage risk based on their own needs and goals. This is something that more mature security teams should be able to handle based on their own priorities. For example, they may want to focus on preventing specific ransomware attacks that are likely to affect them because of their business vertical or the applications they use, rather than on fixing every issue rated Critical or scoring more than 7.0 on the CVSS scale within the 14-day time limit.

Simplifying Cyber Essentials compliance

Complying with the proposed changes will be a challenge for some organizations that do not have effective processes in place, or that have multiple overlapping tools in place. Reducing the management overhead for security can help improve compliance efforts and ensure that measures like Cyber Essentials deliver on their aims. While there is value in achieving the certification, as it ensures many of the basics are done correctly to secure your business, the main thing to remember is that achieving compliance alone is not the end game.

For organizations that don't have the time or resources, simplifying the approach can help. Rather than using multiple vendors, manually cross-referencing data and monitoring remediation in multiple places, teams can reduce the workload through automation and by working with the right partners. Similarly, reducing the number of tools used and consolidating approaches can make it easier to report on how processes and best practices are being applied in the real world.

Using a single platform approach should help create a unified view of security that not only shows vulnerability information, asset inventory, software support status and cloud security posture, but presents that information in a way that is actionable for small teams. This can also help prioritize changes and updates as they come in.
