The Cyber Essentials standard continues to be the leading security baseline for many small and medium sized businesses in the UK. In fact, the controls are both effective and simple to implement, so much so that even the US are starting to take notice of the program.
Many of you may be aware that the Cyber Essentials scheme underwent a significant update in January this year, the biggest since it's introduction a number of years ago. Officially bringing personal devices into scope and paying closer attention to cloud services were some of the key changes introduced. Although always an inevitable update, this was largely a move to counteract the threats of the substantial rise in home working during the COVID-19 pandemic.
It was always intended that the scheme would undergo further changes in January 2023 where the rules on unsupported software, thin clients and MFA were to be tightened, but the NCSC have announced that this change has now been delayed until April 2023.
In addition to those key elements mentioned above, the new release will coincide with the new technical requirements guidance below:
Clarification on firmware – An unfortunate backward step as a result of poor and untimely information provided by vendors, currently all firmware is included in the definition of ‘software’ and must therefore be kept up to date and supported. This will be changing to just router and firewall firmware.
Third party devices – Expect some changes to the requirements for third-party devices in use by individuals such as students and contractors.
Device unlocking – Bringing more devices into scope is expected to cause some concerns about what is and what isn’t an acceptable unlocking method therefore a change is being considered to mitigate issues whereby some default settings in devices may be unconfigurable.
Malware protection – As the solutions evolve, it is accepted that Anti-malware software will no longer need to be signature-based. Sandboxing is being removed as an option.
Guidance on zero trust architecture is to be included in the context of achieving Cyber Essentials, and we can expect some guidance on the importance of asset management.
We expect that there could be some more changes with this iteration and wouldn’t count the NCSC out from introducing new information-only questions to the April 2023 release, to start planting the seed for future changes to the standard. Will backups make an appearance? No doubt that both IASME and the NCSC will release further updates closer to the time.
Get in touch if you’d like to know more about the changes or even if you’d just like to know more about the certification itself. If you’re not already familiar with the government-backed, UK baseline cyber security standard, where have you been? Give us a call, it could be easier than you think to secure your business and get yourself certified.
