Cyber Essentials Accreditation is a government backed scheme helping protect against a range of the most common cyber-attacks, but is it worth it?
Cyber Essentials (CE) is a government-operated cyber security scheme that offers businesses a framework to help significantly reduce their risk against common internet-based attacks. Developed by the National Cyber Security Centre (NCSC), Cyber Essentials incorporates five fundamental technical controls that, if implemented, can reduce risk by up to 80%.
Delivering the scheme is The Information Assurance for Small and Medium Enterprises Consortium (IASME), who work through certification bodies across the UK to handle the process.
Cyber Essentials starts by achieving the basic certification and is fully complete when you gain the Plus Certificate.
The process at the basic level, requires the filling out of a questionnaire relating to the security processes, policies and controls used within the business, but is not verified by the assessor.
The Plus assessment requires an official auditor to scan the infrastructure in order to determine whether or not the business is complying with the standard.
On 24th January 2022, some significant changes came into force which has enhanced the certification standard and have been catching some organisations out, who had previously gained certification on the old standard.
What changed?
Home working is still very much a part of our lives and as such, has become an important aspect of the CE requirements.
The updated standard includes all home devices used to access company information.
What else is in scope
Other elements include: Thin clients/remote desktop (where a central server is used to process users computing requests); all servers, even if on a sub-net (separate network to the rest of the organisation,); Smart phones and tablets.
Cloud services fully incorporated
All cloud services utilised by a company will now have CE controls implemented. This is to encourage users to take full responsibility for security and not rely on their cloud service provider. Although some controls may be the cloud service providers duty to implement, companies should ensure they seek evidence that this has been done.
Access to cloud services must be protected by Multi Factor Authentication
We often hear of the importance of password security, but with credential theft and attacks on cloud services increasing, the standard is making stronger passwords and multi-factor authentication (MFA) a requirement.
Passwords will have to be at least eight characters, with a second authentication method activated for additional protection. This will now be tested as part of the CE Plus audit.
Other password requirements include: that password-protected areas should either have MFA, login throttling, or account locking after (up to) ten unsuccessful attempts, and that all passwords follow one of these policies: MFA and a password of at least eight characters; a password of at least twelve characters; a password of at least eight characters and automatic blocking of common passwords. Biometrics, or a password/pin of at least six characters, should be used to lock a device.
Patching
Any updates labelled by the vendor as ‘high’ or ‘critical’, should be applied within 14 days.
All software should be properly licensed and supported by the vendor and any end-of-life software, removed.
Account separation
There must be a separation between user and administrative accounts, with standard activities, like emailing and web browsing, removed on administration accounts.
New tiered pricing structure
The cost of Cyber Essentials will be another major change to the scheme. IASME have introduced tiered pricing, whereby the costs of certification will depend upon organisational size. This is due to assessments becoming increasingly complex and requiring greater technical input from assessors.
Is Cyber essentials still worth having?
To sell into some market sectors, it is mandated that CE certification is required, an obvious reason to have it, if you are in that area. However, many organisations are considering their supply chain and the data security they have. The CE certification is a recognised standard that proves the organisation takes data protection seriously and could help to win business. Furthermore, having the certification can reduce cyber insurance costs and help stop the risk from hackers, which could cost considerable money to resolve as well as preventing trading.
In my opinion, obtaining the Cyber Essentials certification is absolutely worth the time and effort needed and should be a standard cyber security requirement for all businesses, no matter what their size.
Colin Tankard is Managing Director of cyber security company Digital Pathways. He has over 30 years’ experience in the area of data protection and is a specialist in the design, implementation and management of systems that ensure the security of all data whether at rest within the network, mobile device or storage or data in transit across public or private networks. Digital Pathways boasts a global client base of blue-chip companies and government departments.
