Please note: all guidance and information contained in this post was correct at the time of publishing, but may now be out of date.

The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today’s digital environment

Nov 29, 2021 | Cyber Essentials

The Government-approved Cyber Essentials scheme includes five technical controls that help protect organisations from the majority of cyber attacks. A team of experts reviews the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape.

The scheme was introduced by the UK Government in 2014 as a way to help make the UK the safest place to do business. On January 24th 2022, some of the technical control requirements will change in line with recommended security updates. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security.

What are the changes?

Home working devices are in scope, but most home routers are not.

Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.

Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.

The use of a corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate firewall or virtual cloud firewall.

All cloud services are in scope

Cloud services are to be fully integrated into the scheme.

If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.

Why?

People commonly assume that cloud services are secure out of the box, but this is not the case. Users need to take responsibility for the services they use, spend time reading up on and checking their cloud services, and apply the Cyber Essentials controls where possible. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope for Cyber Essentials, but the new requirements now insist that organisations take responsibility for user access control and the secure configuration of their services, which includes securely managing access to the different administration accounts and blocking accounts that they do not need. Where the cloud service provider is in charge of implementing one or more of the controls (e.g. security update management or anti-malware), the applicant organisation has the responsibility to seek evidence that this is done to the required standard.

Multi-factor authentication must be used for access to cloud services

As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrator accounts and to accounts when connecting to cloud services.

The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.

Why?

There has been an increasing number of attacks on cloud services that use techniques to steal users’ passwords in order to access their accounts.

Multi-factor authentication requires the user to have two or more types of credentials before being able to access an account. There are four types of additional factor that may be considered:

  • A managed enterprise device
  • An app on a trusted device
  • A physically separate token
  • A known or trusted account

Thin clients are in scope when they connect to organisational information or services

A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet.

All servers including virtual servers on a sub-set or a whole organisation assessment are in scope

Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant.

Definition of a ‘sub-set’ and its impact on scope

A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device is no longer acceptable.

Definition of ‘licensed and supported’

Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular patches or updates. The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.

All smartphones and tablets connecting to organisational data and services are confirmed in scope when connecting to a corporate network or to the mobile internet, such as 4G and 5G.

However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope.

Device locking

Biometrics, or a password or PIN of at least 6 characters, must be used to unlock a device.

Password-based and multi-factor authentication requirements

When using passwords, one of the following protections should be used to protect against brute-force password guessing:

  • Using multi-factor authentication
  • Throttling the rate of unsuccessful or guessed attempts
  • Locking accounts after no more than 10 unsuccessful attempts

Technical controls are used to manage the quality of passwords. This will include one of the following:

  • Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions.
  • A minimum password length of at least 12 characters, with no maximum length restrictions.
  • A minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list.
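The two lists above describe controls that a login system has to enforce rather than merely document. The following is an added example, not code from the original post or from the Cyber Essentials scheme, showing one way to implement them: a password-quality check covering the three acceptable options, and a login guard that throttles repeated failures and locks an account once the 10-attempt limit is reached. The class and function names, the doubling throttle delay and the sample deny list are assumptions made for illustration.

```python
"""Minimal enforcement of the Cyber Essentials password rules (added example)."""

# Constructed stand-in for a real deny list of commonly used passwords.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1"}

MAX_FAILED_ATTEMPTS = 10   # lock after no more than 10 unsuccessful attempts


def password_acceptable(candidate: str, mfa_in_use: bool) -> bool:
    """Apply one of the three quality options; none imposes a maximum length."""
    n = len(candidate)
    if mfa_in_use:                      # MFA plus at least 8 characters
        return n >= 8
    if n >= 12:                         # at least 12 characters on its own
        return True
    # At least 8 characters combined with a deny list of common passwords.
    return n >= 8 and candidate.lower() not in COMMON_PASSWORDS


class LoginGuard:
    """Tracks consecutive failed logins per account, throttling each retry
    with a growing delay and locking the account at MAX_FAILED_ATTEMPTS."""

    def __init__(self, base_delay: float = 1.0):
        self.failures = {}        # account -> consecutive failed attempts
        self.locked = set()
        self.base_delay = base_delay   # assumed throttle unit, in seconds

    def required_delay(self, account: str) -> float:
        """Seconds the caller must wait before the next attempt is accepted."""
        n = self.failures.get(account, 0)
        return 0.0 if n == 0 else self.base_delay * (2 ** (n - 1))

    def record_failure(self, account: str) -> bool:
        """Register a failed login; returns True once the account is locked."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILED_ATTEMPTS:
            self.locked.add(account)
        return account in self.locked

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return account in self.locked
```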

People are supported to choose unique passwords for their work accounts.

New guidance has been created on how to form passwords. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique.

There is an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.

Account separation

Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).

The scope of an organisation must include end-user devices

Why?

If an organisation certifies their server systems only, they ignore the threats that come via the administrators who manage those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end-user devices. Cyber Essentials must now include endpoint devices.

All high and critical updates must be applied within 14 days, and unsupported software must be removed

All software on in-scope devices must be:

  • Licensed and supported
  • Removed from devices when it becomes unsupported, or removed from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet
  • Set to update automatically where possible
  • Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:

– The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’

– The update addresses vulnerabilities with a CVSS v3 score of 7 or above

– The vendor provides no details of the severity of the vulnerabilities the update fixes
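The three triggers above can be turned into a simple triage over a patch inventory. The following is an added example, not code from the original post or from the scheme’s own tooling, that classifies each pending update against those triggers and lists the ones still missing after their 14-day window. The record fields, the sample updates and the assessment date are constructed for illustration.

```python
"""Triage pending updates against the 14-day rule (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0                          # CVSS v3 score of 7 or above
VENDOR_SEVERITIES = {"critical", "high", "high risk"}


@dataclass
class Update:
    name: str
    released: date
    vendor_severity: Optional[str]   # vendor's rating, or None if not stated
    cvss_v3: Optional[float]         # None if the vendor publishes no score
    installed: bool


def must_apply_within_window(u: Update) -> bool:
    """True when any of the three triggers in the requirement applies."""
    if u.vendor_severity and u.vendor_severity.lower() in VENDOR_SEVERITIES:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No severity information at all: the 14-day rule still applies.
    return u.vendor_severity is None and u.cvss_v3 is None


def deadline(u: Update) -> date:
    """Last day on which the update may be applied and still be in time."""
    return u.released + PATCH_WINDOW


def overdue_updates(updates: List[Update], as_of: date) -> List[str]:
    """Names of in-scope updates that are not installed and past deadline."""
    return sorted(u.name for u in updates
                  if must_apply_within_window(u) and not u.installed
                  and as_of > deadline(u))


# Constructed sample inventory and assessment date.
SAMPLE_UPDATES = [
    Update("browser-98.1", date(2022, 1, 3), "critical", 9.8, False),
    Update("pdf-reader-12.4", date(2022, 1, 10), None, 7.5, False),
    Update("media-codec-3.0", date(2022, 1, 2), "low", 4.3, False),
    Update("db-agent-5.2", date(2022, 1, 5), None, None, False),
    Update("office-suite-2201", date(2022, 1, 1), "high", 8.1, True),
    Update("vpn-client-4.7", date(2022, 1, 12), "medium", 7.2, False),
]
AS_OF = date(2022, 1, 20)
```

Note that the vendor rating and the CVSS score are checked independently, so an update a vendor labels ‘medium’ still falls under the rule when its CVSS v3 score is 7 or above.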

Why?

Previously, the requirements laid out a set of criteria that a vulnerability had to meet before its update had to be applied. These criteria have now been dropped, and organisations need to apply all high and critical updates on all their systems. This raises the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable. The reason for these changes can be illustrated by a high-profile example this year. A vulnerability in the Microsoft Exchange System came out very publicly and was reported by numerous news outlets. That attack went from being a complex state actor attack to a commodity attack within seven days. It was commoditised into a ransomware attack only 12 hours later. This proves that a high-complexity attack can be commoditised in hours, and for this reason all high and critical updates need to be applied within 14 days, both for Cyber Essentials and Cyber Essentials Plus.

Guidance on backing up

Backing up your data is not a technical requirement of Cyber Essentials; however, there is now guidance on backing up important data, and implementing an appropriate backup solution is highly recommended.

Two additional tests have been added to the Cyber Essentials Plus audit

Test to confirm account separation between user and administration accounts.

Test to confirm MFA is required for access to cloud services.

How the changes will work

There will be a grace period of one year to allow organisations to make the changes for the following requirements:

MFA for cloud services

The requirement will apply to administrator accounts from January 2022.

The MFA for users requirement will be marked for compliance from January 2023.

Thin Clients

Thin clients need to be supported and receiving security updates; the requirement will be marked for compliance from January 2023.

The new question will be for information only for the first 12 months.

Security update management

Removal of unsupported software from scope will be marked for compliance from January 2023.

The new question will be for information only for the first 12 months.

If your organisation registers and pays for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment. Please be aware that the Cyber Essentials Readiness Tool will be updated with the new requirements for the 5 technical controls on 24th January 2022. If you would like to use the tool for guidance on the old question set, please access the guidance before 24th January 2022.

Additional guidance will be made available on these changes shortly – follow us on social media for notification.

The new requirements for infrastructure and question set can be found here.