Changes to the Cyber Essentials scheme coming on the 24th January 2022

Since its inception in 2014, Cyber Essentials has arguably become the leading Cyber Security certification for small and medium sized businesses in the UK. The 5 technical controls addressed by the scheme have helped to protect thousands of businesses from the majority of cyber-attacks, however, with the recent changes to the way we work as a result of the pandemic and with the instant reaction by cyber criminals to exploit the new vulnerabilities remote working has uncovered, this has highlighted the need for some essential adjustments to negate the changing threats.

Whilst the technical controls remain the same (Firewalls, Secure Configuration, User Access Control, Malware Protection & Security Update Management), some key changes are being made to reflect the move to home or hybrid working and to cater for the ever-increasing reliance on cloud services and web-based applications.

According to the scheme, you will now be classed as a home-worker if you spend any amount of time working from home – not only if you are contracted to do so. All end user devices are now classed as in scope, including personal laptops and thin clients, although your home router may not be. There is a strong reliance on in-built software firewalls on end user devices and a stern recommendation to extend the boundary to the company firewall with use of a VPN.

Another important change is that all cloud services are now considered in scope, be it ‘Infrastructure as a Service’ (IaaS), ‘Platform as a Service’ (PaaS) or ‘Software as a Service’ (SaaS). There is an expectation that applicants take more responsibility for the controls implemented by providers of these systems. This extends to other externally managed services and generic web applications too. It is now the responsibility of applicants to ensure that these services are being supported and updated by the vendors and that they are tested by the provider for vulnerabilities.

Emphasis is being placed on password requirements too. Complex passwords with special characters and combinations of letters, cases and numbers are being phased out for a password constructed by joining three completely random words. This makes it easier to remember but more difficult to guess. Password Managers are being recommended as is the removal of restrictions on character limits and the use of multi-factor authentication (MFA) wherever possible. A clear separation and control of standard accounts and administrator accounts must be evident.

Unfortunately, there is also a notable change to the pricing structure for the certifications as follows:

- micro businesses £300 + VAT  (unchanged)

- businesses with 10 or more employees £400 - £500 + VAT

With the rise in hybrid working, the reliance on cloud technologies, and the improved capabilities of cyber criminals it’s more important now than ever before to protect your business, your customers and your reputation from such threats.

Give us a call today if you’d like to know any more about the upcoming changes and how we can help you stay protected.

Back to Blog