As threat actors become increasingly sophisticated and cyberattacks more commonplace than ever before, the need for organisations to have robust cybersecurity strategies in place has never been more crucial.
So, to ensure that it continues to keep UK organisations safe from these threats as they evolve, the UK’s National Cyber Security Centre (NCSC) and its delivery partner IASME have introduced further updates to the technical requirements for the government-backed Cyber Essentials (CE) scheme.
The most recent updates, which came into force this month, were part of a regular review of the scheme’s technical controls and follow a much bigger update to the scheme, which was introduced in January 2022. That update was the largest since the scheme began in 2014 and brought it up to speed with modern working practices, including home working, increased use of personal devices and cloud adoption. Due to the magnitude of that update, organisations had been allowed a grace period to implement the 2022 changes, which has now come to an end. As both updates have now taken effect, it’s important that organisations looking to gain or maintain accreditation are clued up on the latest changes.
What are the updates?
Beginning with the larger of the two updates, January 2022 saw major changes to the scope of the scheme. The key updates were:
- Inclusion of all home working devices, regardless of whether they are owned by the organisation or the user
- Multi-factor authentication must be used to access cloud services
- Thin clients are now in scope and have been added to the ‘devices’ definition
- Biometrics, or a minimum password or PIN length of six characters, must be used to unlock a device
- Inclusion of all servers, including virtual servers on a subset or a whole organisation assessment
- Employees are now required to use separate accounts for office work and avoid using those accounts for standard user activities that may expose administrative privileges to avoidable risks
The most recent update is much smaller and seems to reverse some of the changes made last year, most notably those around device unlocking. Whilst this makes it easier to comply with CE and does remove some administrative burdens, it also somewhat counters the scheme’s aim to help businesses strengthen their cyber security strategy.
The April 2023 update also includes clarification that firmware is currently included in the definition of ‘software’, more information that clarifies how third-party devices should be treated in your application, updates on malware protection and new guidance on zero trust architecture and asset management – some of which we’ll cover in more detail below.
Because of configurability limitations on some devices, the latest version of the technical controls has removed the requirement that businesses configure devices to lock after 10 unsuccessful password attempts. You no longer need to meet this requirement if you’ve implemented MFA or have reasonable brute force throttling restrictions in place, e.g. no more than 10 guesses in five minutes.
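One way to implement the throttling threshold quoted above (no more than 10 guesses in five minutes) is a per-account sliding window over failed attempts. This is an added illustration, not code from NCSC or IASME; the `LoginThrottle` class, the `attempt_login` helper and the caller-supplied `check_password` function are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Threshold quoted in the CE guidance: no more than 10 guesses in five minutes.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 5 * 60


class LoginThrottle:
    """Per-account sliding-window throttle for failed authentication attempts.
    Timestamps are passed in explicitly (seconds) so the logic is testable offline."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures

    def _prune(self, account, now):
        # Drop failures that have aged out of the window, oldest first.
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, account, now):
        """True once the account has max_attempts failures inside the window."""
        return len(self._prune(account, now)) >= self.max_attempts

    def record_failure(self, account, now):
        self._prune(account, now).append(now)

    def record_success(self, account):
        # A successful login clears the failure history for that account.
        self._failures.pop(account, None)


def attempt_login(throttle, account, password, now, check_password):
    """Return 'throttled', 'ok' or 'denied'. The throttle is consulted before the
    credential check, so guesses beyond the limit never reach the password store."""
    if throttle.is_blocked(account, now):
        return "throttled"
    if check_password(account, password):  # hypothetical caller-supplied verifier
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```

Note that a correct password submitted while the account is throttled is still rejected, which is the behaviour that makes the control effective against online guessing.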
Another key update to be aware of is that organisations must now make sure that a malware protection mechanism is active on all devices in scope. If using anti-malware software, this will no longer need to be signature-based, but must be configured to:
- be updated in line with vendor recommendations
- prevent malware from running
- prevent the execution of malicious code
- prevent connections to malicious websites over the internet.
To meet this requirement, businesses must ensure that all devices are officially maintained, avoiding “cracked” or “jailbroken” devices running custom operating systems.
There are a number of solutions that businesses can implement to ensure protection against malware across all devices. To assist in the detection of malware, Cyolo is also introducing device posture checking before allowing a network connection, which will flag whether the system has deviated from manufacturer good practice. For smartphones specifically, Jamf Mobile Threat Defense offers device security protection against malware and network-based attacks.
New guidance on zero trust
On top of these changes, new guidance on zero-trust architecture is included, although it is not mandated for CE certification. Instead, NCSC offers eight core principles for businesses that want to embed zero trust. This is a good starting point for those interested, but data from Gartner (Jan 2023) suggests only 1% of businesses have implemented zero-trust architecture, so there is still a long way to go, and this guidance alone won’t be enough to make any significant change on this front.
What do the changes mean for businesses?
Any businesses hoping to gain accreditation will need to quickly adopt the new required controls as these updates took effect immediately on 24 April 2023. The recent update has not been given a grace period due to being much smaller than the previous update, so it’s important for any organisation thinking about getting, or remaining, accredited to make sure they have the right controls in place as soon as possible to ensure they meet the updated requirements.
Although CE accreditation is a must-have for any UK organisation, it is worth bearing in mind that, as the name suggests, the scheme only covers the most basic of cybersecurity controls and so compliance will provide organisations with the bare minimum protection. IT leaders should be viewing compliance as a starting point for their cybersecurity strategies, rather than the whole package. Meeting the CE requirements alone provides the amount of protection needed for personal internet devices, rather than those of a business and will not protect organisations from some of the most basic cyber threats around today.
Businesses looking to advance beyond CE should look to ISO 27001, the international standard for information security. Whilst achieving the standard isn’t required, aligning a business to it will help it develop a more robust approach to information security. It is also worth noting that a SOC 2 is needed for any UK businesses working in, or looking to work in, the USA.
With that being said, the scheme provides the foundations for a solid security strategy and being accredited can have a number of other benefits too. For businesses tendering for government contracts, it may be a requirement that they have CE accreditation. Accreditation can also assist organisations when taking out cyber insurance policies.
Whilst it’s clear that CE is not watertight, it’s still worthwhile to be certified and a great starting point for organisations that are just beginning to explore cybersecurity certification. As threat actors continue to become more advanced by the day, it’s likely that the scheme will continue to develop and the requirements may become more stringent over time to reflect this. Until then, IT leaders should continue to strengthen their cybersecurity strategies beyond the requirements of CE to minimise the risk to their organisation.